Posted on 2008-11-20
Medium Priority
Last Modified: 2012-05-05
Finally got my Exchange 2k7 migrated from 2k3 and onto a 2k8 box. IIS7 is a whole different animal for me. I need to create a certificate for my OWA site. I have heard about self-signed SSLs but am not sure how they work. I usually just purchase one from Verisign, import it, and am done with it. Trying to do this very inexpensively. Second part is, on the last 2k7 install I did, I wasn't able to purchase a multiple-domain SSL, so it screwed up my autodiscover. I ended up creating a second website for autodiscover and creating a DNS record for it. Has anyone put a CA SSL or a self-signed SSL on OWA running on IIS7, and what is best practice? Thanks.
Question by: jasonmichel

Expert Comment

ID: 23005446
You *can* do this with a self-signed certificate; however, if you are using OWA you probably don't want to.

Self-signed certs would be deployed similarly to a root CA certificate - i.e. you would need to import each one into the trusted root certificate store of each box that will be connecting to your Exchange environment. If you don't use OWA then it should be easy enough to push those through GPO to your workstations. If you do have users that don't use company assets to connect to Exchange (e.g. you connect from your home computer to check your email) then you would need to pass out instructions and deal with all the support calls that will arise from that (there will likely be calls, even though it is a simple process... they call... they always call...).

Using a UCC cert from a commercial CA, be it Verisign, Comodo, or whoever, is probably still going to be the best bet. GoDaddy is cheap, but sometimes there are issues as their root that they issue under is fairly new. If you use mobile devices as a corporate resource, check out their existing root cert store and base your decision from there to reduce the headache of updating all your phones.

Author Comment

ID: 23005501
I need a UCC SSL for Outlook Anywhere or mobile devices, don't I?

Accepted Solution

Paranormastic earned 2000 total points
ID: 23006231
UCC certs just make things easier and are usually the preferred solution.

If you have your own CA, you could use that also under the same stipulations that I gave for the self-signed cert (you would have to deploy your root CA cert). If you enabled SAN on the CA then you can add the extra names as a SAN value to your own free certs; a UCC cert is essentially a SAN cert for all practical purposes.
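
The SAN approach discussed in the answers, as an added example that is not part of the original thread: Exchange Management Shell commands for Exchange 2007 that request one certificate covering both the OWA and autodiscover names, then check what is bound to IIS. The host names and file paths are placeholder assumptions, and the three function names are hypothetical helpers.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2007 server. Host names and paths are placeholders.
$owaName  = 'mail.example.com'
$required = @($owaName, 'autodiscover.example.com')

# Hypothetical helper: build a request that carries every client-facing name
# as a SAN, so OWA and autodiscover can share one certificate and one site.
function New-OwaCertRequest($path) {
    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "cn=$owaName" `
        -DomainName $required `
        -PrivateKeyExportable $true `
        -Path $path
}

# Hypothetical helper: once the CA (commercial UCC or your own) returns the
# signed certificate, import it and bind it to IIS.
function Install-OwaCert($path) {
    Import-ExchangeCertificate -Path $path |
        Enable-ExchangeCertificate -Services IIS
}

# Hypothetical helper: for each certificate enabled for IIS, warn about any
# required name it lacks and about certificates clients will not trust by default.
# Names are compared exactly; wildcard entries are not expanded.
function Test-OwaCertNames {
    foreach ($cert in (Get-ExchangeCertificate)) {
        if ("$($cert.Services)" -notmatch 'IIS') { continue }
        $names   = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $missing = @($required | Where-Object { $names -notcontains $_ })
        if ($missing.Count -gt 0) {
            Write-Warning ("{0}: no SAN entry for {1}" -f $cert.Thumbprint,
                [string]::Join(', ', $missing))
        }
        if ($cert.IsSelfSigned) {
            Write-Warning ("{0}: self-signed; every client must import it as trusted" -f
                $cert.Thumbprint)
        }
    }
}

# Typical order of use:
#   New-OwaCertRequest 'C:\owa-ucc.req'    # submit the file to the CA
#   Install-OwaCert    'C:\owa-ucc.cer'    # after the CA responds
#   Test-OwaCertNames                      # no warnings means all names are covered
```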
