SSL Certificate and Sub Domains

Hi All,

I want to purchase an SSL certificate for web mail login.

1. If I buy an SSL certificate for acme.com.au, can I create as many sub domains as I want using that cert (e.g. webmail.acme.com.au etc.) without having to buy another cert?
2. Do I load the (purchased) cert into an internal CA (2003 Server) and issue the sub domain certificates?
3. Could I create my own cert using an internal CA, as this is not for e-commerce, to enable SSL?
4. Any tips for moving forward, I want to learn from your experience.

Thanks

Aalborg
AI-SYD asked:
Raghuv commented:
Hi, the main thing you have not mentioned here is the version of Exchange you are using... anyway, I am assuming you have Exchange 2007, so:

1. Yes, you can have multiple dns names on a single certificate. It's called UCC certificate (called SAN Certificate as well). Check out the below two links,

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

http://msexchangeteam.com/archive/2007/02/19/435472.aspx

2. If you purchase a 3rd party SAN certificate then there's no need to load it into Internal CA, you can directly install it on your Exchange Server.

3. Could I create my own cert using an internal CA, as this is not for e-commerce, to enable SSL?

Yes, you can create your own self-signed SAN certificate or request a SAN certificate from an internal CA. Check out the below links for more details:

http://technet.microsoft.com/en-us/library/bb851505.aspx
http://technet.microsoft.com/en-us/library/bb851554.aspx
http://technet.microsoft.com/en-us/library/bb430767.aspx

4. I would suggest you go for a 3rd party SAN certificate. Of course they would be costlier than a single name certificate or a self-signed certificate, however they are worth it in terms of doing their job.
AI-SYD (author) commented:
Hi Raghuv,

2003 Exchange, everything still fit?

Aalborg
Raghuv commented:
Well, if it's Exchange 2003, then I would suggest you go for a single name certificate for each domain (i.e. separate certificates for each domain), as having a SAN cert on Exchange 2003 doesn't do justice to the cost of the SAN certificate.

So you can either buy separate certificates for each domain from a 3rd party vendor (e.g. GoDaddy, DigiCert, VeriSign) or install a CA server on a server and then create internal certificates for each domain name.

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html
http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html
Paranormastic (Cryptographic Engineer) commented:
For using your own internal CA: if you already have one, you can, but you will need to get your users to import your root certificate to their home computers or wherever. Usually you can just add this to the setup guide for how to get started using OWA that hopefully you are nice enough to provide to your users anyway.

You can do it with your own CA, but the question is if you want to. If you are just looking for a couple of certs, it is usually cheaper to just buy them, but if you already have your own CA or need a few dozen certs then maybe it's time to set up your own CA.

Normally you don't get a commercial cert vendor to sign your CA to get the trust from that. It can be done, but it is extremely expensive, not many cert vendors do it (GlobalSign is the only one I know offhand, but I'm sure there are others), and there are very specific restrictions that you must adhere to that might make it less desirable.
Mestha commented:
For web mail login I would just purchase a standard single name certificate of mail.example.com and leave it at that. No other combinations required.
When you start wanting to issue multiple certificates things get complicated - the main thing being that it is one certificate per IP address on the standard port (443).

-M
AI-SYD (author) commented:
Thanks, everyone, for your input.

I have decided to go with a single cert issued by a reputable source.

Thanks for all the information.