Finally got my Exchange 2k7 migrated from 2k3 and on a 2k8 box. IIS7 is a whole different animal for me. I need to create a certificate for my OWA site. I have heard about self-signed SSLs but am not sure how they work. I usually just purchase one from Verisign, import it, and am done with it. Trying to do this very inexpensively. Second part is, on the last 2k7 install I did, I wasn't able to purchase a multiple-domain SSL, so it screwed up my autodiscover. I ended up creating a second website for autodiscover and creating a DNS record for it. Has anyone put a CA SSL or a self-signed SSL on OWA running on IIS7, and what is best practice? Thanks.

Paranormastic (Cryptographic Engineer) commented:
You *can* do this with a self-signed certificate; however, if you are using OWA you probably don't want to.

Self-signed certs would be deployed similarly to a root CA certificate - i.e. you would need to import each one into the trusted root certificate store of each box that will be connecting to your Exchange environment. If you don't use OWA then it should be easy enough to push those through GPO to your workstations. If you do have users that don't use company assets to connect to Exchange (e.g. you connect from your home computer to check your email) then you would need to pass out instructions and deal with all the support calls that will arise from that (there will likely be calls, even though it is a simple process... they call... they always call...).

Using a UCC cert from a commercial CA, be it Verisign, Comodo, or whoever, is probably still going to be the best bet. GoDaddy is cheap, but sometimes there are issues as their root that they issue under is fairly new. If you use mobile devices as a corporate resource, check out their existing root cert store and base your decision from there to reduce the headache of updating all your phones.
jasonmichel (Author) commented:
I need a UCC SSL for Outlook Anywhere or mobile devices, don't I?
Paranormastic (Cryptographic Engineer) commented:
UCC certs just make things easier and are usually the preferred solution.

If you have your own CA, you could use that also under the same stipulations that I gave for the self-signed cert (you would have to deploy your root CA cert).  If you enabled SAN on the CA then you can add the extra names as a SAN value to your own free certs - which a UCC cert is essentially a SAN cert for all practical purposes.
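
The request-and-bind sequence for a multi-name (SAN/UCC) certificate as discussed in the answers above, shown as an added example that is not part of the original thread. The hostnames and file paths are placeholders (assumptions); run it in the Exchange Management Shell on the Exchange 2007 Client Access server.

```powershell
# Added example: placeholder names, replace with the hostnames clients really use.
$names   = 'mail.example.com', 'autodiscover.example.com'   # assumed hostnames
$reqFile = 'C:\certs\owa.req'                                # assumed path
$cerFile = 'C:\certs\owa.cer'                                # assumed path

# 1. Create the private key and a certificate request. Every entry in
#    -DomainName is written into the request as a Subject Alternative Name;
#    the first name is also used as the subject CN.
New-ExchangeCertificate -GenerateRequest -Path $reqFile `
    -SubjectName "cn=$($names[0])" -DomainName $names `
    -KeySize 2048 -PrivateKeyExportable $true

# 2. Submit $reqFile to the commercial CA (or your own CA) and save the
#    issued certificate as $cerFile before continuing.

# 3. Import the issued certificate on the same server (it pairs with the
#    pending private key) and read back what Exchange actually stored.
$imported = Import-ExchangeCertificate -Path $cerFile
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 4. Refuse to bind a certificate that is missing any required name.
#    A missing autodiscover name is what produces client name-mismatch
#    warnings and the "second website" workaround from the question.
$have    = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $have -notcontains $_ }
if ($missing) {
    throw "Certificate lacks required names: $($missing -join ', ')"
}

# 5. Bind to IIS (OWA, Autodiscover, ActiveSync, Outlook Anywhere).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 6. Record what is now in service, including the expiry date to monitor.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Issuer, NotAfter, Services, CertificateDomains
```

If the certificate comes from your own CA rather than a commercial one, clients still need that CA's root in their trusted root store, as described in the answer above.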
