Solved

SSL Certificate and Sub Domains

Posted on 2009-03-29
Last Modified: 2012-05-06
Hi All,

I want to purchase an SSL certificate for web mail login.

1. If I buy an SSL certificate for acme.com.au, can I create as many sub domains as I want using that cert, e.g. webmail.acme.com.au etc., without having to buy another cert?
2. Do I load the (purchased) cert into an internal CA (2003 Server) and issue the sub domain certificates?
3. Could I create my own cert using an internal CA, as this is not for e-commerce, to enable SSL?
4. Any tips for moving forward, I want to learn from your experience.

Thanks

Aalborg
Question by:AI-SYD

Accepted Solution

by: Raghuv
Raghuv earned 250 total points
Hi, the main thing you have not mentioned here is the version of Exchange you are using... Anyway, I am assuming you have Exchange 2007, so:

1. Yes, you can have multiple DNS names on a single certificate. It's called a UCC certificate (also called a SAN certificate). Check out the two links below:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

http://msexchangeteam.com/archive/2007/02/19/435472.aspx

2. If you purchase a 3rd-party SAN certificate, there's no need to load it into the internal CA; you can install it directly on your Exchange server.

3. Could I create my own cert using an internal CA as this is not for e-commerce to enable SSL?

Yes, you can create your own self-signed SAN certificate or request a SAN certificate from an internal CA. Check out the links below for more details:

http://technet.microsoft.com/en-us/library/bb851505.aspx
http://technet.microsoft.com/en-us/library/bb851554.aspx
http://technet.microsoft.com/en-us/library/bb430767.aspx

4. I would suggest you go for a 3rd-party SAN certificate. Of course they would be costlier than a single-name certificate or a self-signed certificate; however, they are worth it in terms of doing their job.
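An added example, not part of the original post: a small Python check of which hostnames a certificate's list of DNS names covers, using the acme.com.au names from the question. It goes beyond the thread by also handling wildcard entries; autodiscover.acme.com.au, owa.mail.acme.com.au and all certificate contents are constructed, and the matcher is a simplified version of the usual left-most-label wildcard rule.

```python
# Added example: which hostnames does a certificate's DNS name list cover?
# All certificate contents below are constructed sample data.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate dNSName entry covers hostname.

    Names are compared label by label, case-insensitively. "*" is honoured
    only as the whole left-most label, where it stands for exactly one
    label: it never spans dots and never matches the bare parent domain.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        rest = p[1:]
        # Require at least two fixed labels after the wildcard.
        return len(rest) >= 2 and not any("*" in l for l in rest) and rest == h[1:]
    # Partial wildcards such as "web*" are not supported in this sketch.
    return not any("*" in l for l in p) and p == h


def covered(cert_dns_names, hostname):
    """True if any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names)


def uncovered(cert_dns_names, hostnames):
    """Hostnames that would produce a name-mismatch warning."""
    return [h for h in hostnames if not covered(cert_dns_names, h)]


# Constructed certificates: single name, SAN/UCC, and wildcard.
SINGLE_NAME = ["acme.com.au"]
SAN_CERT = ["acme.com.au", "webmail.acme.com.au", "autodiscover.acme.com.au"]
WILDCARD = ["*.acme.com.au"]

# Constructed list of sites the certificate is expected to serve.
SITES = ["acme.com.au", "webmail.acme.com.au", "owa.mail.acme.com.au"]

if __name__ == "__main__":
    for label, names in (("single", SINGLE_NAME), ("SAN", SAN_CERT),
                         ("wildcard", WILDCARD)):
        print(f"{label:8} does not cover: {uncovered(names, SITES)}")
```

A certificate covers only the names listed on it, so each hostname users will type has to appear in the certificate request, either literally or through a wildcard entry one level above it.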

Author Comment

by:AI-SYD
Hi Raghuv,

2003 Exchange, everything still fit?

Aalborg

Assisted Solution

by:Raghuv
Raghuv earned 250 total points
Well, if it's Exchange 2003, then I would suggest you go for a single-name certificate for each domain (i.e. separate certificates for each domain), as having a SAN cert on Exchange 2003 doesn't do justice to the cost of the SAN certificate.

So you can either buy separate certificates for each domain from a 3rd-party vendor (e.g. GoDaddy, DigiCert, Verisign) or install a CA server on a server and then create internal certificates for each domain name.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html

Assisted Solution

by:Paranormastic
Paranormastic earned 100 total points
For using your own internal CA - if you already have one, you can, but you will need to get your users to import your root certificate to their home computers or wherever. Usually you can just add this to the setup guide for how to get started using OWA that hopefully you are nice enough to provide to your users anyway.

You can do it with your own CA, but the question is if you want to. If you are just looking for a couple of certs, it is usually cheaper to just do that, but if you already have your own CA or need a few dozen certs then maybe it's time to set up your own CA.

Normally you don't get a commercial cert vendor to sign your CA to get the trust from that - it can be done but it is extremely expensive, not many cert vendors do it (GlobalSign is the only one I know offhand, but I'm sure there are others) and there are very specific restrictions that you must adhere to that might make it less desirable.

Assisted Solution

by:Mestha
Mestha earned 150 total points
For web mail login I would just purchase a standard single name certificate of mail.example.com and leave it at that. No other combinations required.
When you start wanting to issue multiple certificates things get complicated - the main thing being that it is one certificate per IP address on the standard port (443).

-M

Author Closing Comment

by:AI-SYD
Thanks everyone for their input.

I have decided to go with a single cert issued by a reputable source.

Thanks for all the information.