
SSL Certificate and Sub Domains

Posted on 2009-03-29
Last Modified: 2012-05-06
Hi All,

I want to purchase an SSL certificate for web mail login.

1. If I buy an SSL certificate for acme.com.au, can I create as many sub domains as I want using that cert, e.g. webmail.acme.com.au etc., without having to buy another cert?
2. Do I load the (purchased) cert into an internal CA (2003 Server) and issue the sub domain certificates?
3. Could I create my own cert using an internal CA, as this is not for e-commerce, to enable SSL?
4. Any tips for moving forward? I want to learn from your experience.

Thanks

Aalborg
Question by:AI-SYD
6 Comments
 
LVL 9

Accepted Solution

by:
Raghuv earned 250 total points
ID: 24015956
Hi, the most important thing you have not mentioned here is the version of Exchange you are using... anyways, I am assuming you have Exchange 2007. So,

1. Yes, you can have multiple DNS names on a single certificate. It's called a UCC certificate (also called a SAN certificate). Check out the below two links:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

http://msexchangeteam.com/archive/2007/02/19/435472.aspx

2. If you purchase a 3rd party SAN certificate then there's no need to load it into the internal CA; you can directly install it on your Exchange Server.

3. Could i create my own cert using an internal CA as this is not for e commerce to enable SSL?

Yes, you can create your own self-signed SAN certificate or request a SAN certificate from an internal CA. Check out the below links for more details:

http://technet.microsoft.com/en-us/library/bb851505.aspx
http://technet.microsoft.com/en-us/library/bb851554.aspx
http://technet.microsoft.com/en-us/library/bb430767.aspx

4. I would suggest you go for a 3rd party SAN certificate. Of course they would be costlier than a single name certificate or a self-signed certificate; however, they are worth it in terms of doing their job.
0
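The point in answer 1 (several DNS names on one certificate versus a single-name cert) comes down to how a client matches the host it connected to against the names in the certificate. The following is an added example, not code from the thread or from any of the linked articles: an RFC 6125-style matcher run over constructed sample certificates for the question's hypothetical acme.com.au, in the dict layout Python's ssl.SSLSocket.getpeercert() returns. It shows that a single-name cert for acme.com.au does not cover webmail.acme.com.au, a SAN (UCC) cert listing both names does, and a wildcard covers exactly one label.

```python
# Added example (not from the thread): RFC 6125-style hostname matching against a
# certificate's DNS names. Sample certs are constructed dicts in the layout that
# ssl.SSLSocket.getpeercert() returns; acme.com.au is the question's hypothetical domain.

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only honoured as the entire leftmost label with at least two
    # further labels, and it matches exactly one label: "*.acme.com.au" covers
    # webmail.acme.com.au but neither acme.com.au nor a.b.acme.com.au.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]

def cert_dns_names(cert: dict) -> list:
    """Names the certificate is valid for: DNS SANs, else the CN as a legacy fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS name on the certificate covers the hostname."""
    return any(_dns_match(name, hostname) for name in cert_dns_names(cert))

# Single-name certificate: covers acme.com.au only.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "acme.com.au"),),),
    "subjectAltName": (("DNS", "acme.com.au"),),
}
# SAN (UCC) certificate: one certificate, several host names.
SAN_CERT = {
    "subject": ((("commonName", "acme.com.au"),),),
    "subjectAltName": (("DNS", "acme.com.au"), ("DNS", "webmail.acme.com.au"),
                       ("DNS", "autodiscover.acme.com.au")),
}
# Wildcard certificate: covers one label below acme.com.au, not the apex itself.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.acme.com.au"),),),
    "subjectAltName": (("DNS", "*.acme.com.au"),),
}
```

When the SAN extension is present, modern clients ignore the CN entirely, so every host name the web mail server answers to has to appear in the SAN list.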
 

Author Comment

by:AI-SYD
ID: 24015968
Hi Raghuv,

Exchange 2003, does everything still fit?

Aalborg
0
 
LVL 9

Assisted Solution

by:Raghuv
Raghuv earned 250 total points
ID: 24016045
Well, if it's Exchange 2003, then I would suggest you go for a single name certificate for each domain (i.e. separate certificates for each domain), as having a SAN cert on Exchange 2003 doesn't do justice to the cost of the SAN certificate.

So you can either buy separate certificates for each domain from a 3rd party vendor (e.g. GoDaddy, DigiCert, VeriSign) or install a CA server on a server and then create internal certificates for each domain name.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 100 total points
ID: 24019531
For using your own internal CA: if you already have one, you can, but you will need to get your users to import your root certificate to their home computers or wherever. Usually you can just add this to the setup guide for how to get started using OWA that hopefully you are nice enough to provide to your users anyway.

You can do it with your own CA, but the question is if you want to. If you are just looking for a couple of certs, it is usually cheaper to just buy them, but if you already have your own CA or need a few dozen certs then maybe it's time to set up your own CA.

Normally you don't get a commercial cert vendor to sign your CA to get the trust from that. It can be done, but it is extremely expensive, not many cert vendors do it (GlobalSign is the only one I know offhand, but I'm sure there are others) and there are very specific restrictions that you must adhere to that might make it less desirable.
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 150 total points
ID: 24035243
For web mail login I would just purchase a standard single name certificate for mail.example.com and leave it at that. No other combinations required.
When you start wanting to issue multiple certificates things get complicated, the main thing being that it is one certificate per IP address on the standard port (443).

-M
0
 

Author Closing Comment

by:AI-SYD
ID: 31564179
Thanks, everyone, for your input.

I have decided to go with a single cert issued by a reputable source.

Thanks for all the information.
0
