Solved

Certificates: Best-buy for Exchange 2007 and separate website(s)

Posted on 2009-05-07
Last Modified: 2012-05-06
Dear Experts,

I'm new to certificates. I'm looking for an "aggregate" certificate solution that will serve our Exchange 2007 server, corporate website with client area and production websites.

Of course I'd like to minimize the costs, however manageability of certificates we're going to purchase is also very important.

All in all, we have the following sites we'd like to "certify":

1. Exchange 2007 server, accessed from both LAN and WAN. Clients are Outlook 2003 and 2007, OWA and mobile devices (Nokia Mail for Exchange via ActiveSync, BlackBerry and iPhone via IMAP/SMTP).

2. Website with client area (HTTPS) on Apache

3. Two production sites also accessed by clients on IIS. Note: these two sites do not have domain names, just IP addresses.

What solution would you recommend?

Thank you,
Igor
Question by:igorign
22 Comments
 
LVL 1

Expert Comment

by:progjm
godaddy.com
Get a multidomain certificate for your Exchange 2007 server i.e. mail.domain.com, autodiscover.domain.com, domain.com
0
 
LVL 6

Expert Comment

by:ikshf143
You can go with a SAN (UCC) certificate that can have multiple URLs, and that is one of the best certificates for Exchange 2007. Also, keeping in mind the cost factor, the cheapest SAN certificates are provided by GoDaddy; there may be others but I am not aware of them.
0
 

Author Comment

by:igorign
progjm and ikshf143, thank you for your prompt responses.

But would the proposed solutions work for no-domain-name sites (pt. 3 of my question)?
0
 
LVL 1

Expert Comment

by:progjm
Do you have an internal certificate server installed by any chance?
0
 

Author Comment

by:igorign
progjm, no I don't, but can install one if it's worth...
0
 
LVL 1

Expert Comment

by:progjm
For any sites that will be utilized from the outside it's best to have a domain name, and a 3rd party certificate. At least that's my opinion.
Exchange will have to have a 3rd party certificate, a SAN UCC certificate as stated by ikshf143.
I had 2 test sites that I set up with IPs only and used my internal cert server to generate the certificates.
Is there any reason why these outside IPs don't have a domain name?
0
 

Author Comment

by:igorign
progjm,

ok you meant do we have a certificate-generating server - yes we do, it's currently making home-made certificates (signed by us), that a user can download and install. I'd like to avoid that procedure.

So is no-domain-name site really a problem in my case? I understand it's not clear why, but explaining the reasons will take time and will drive us away from the original topic. Let's assume this is inevitable. Hope you excuse me for avoiding the answer)
0
 
LVL 1

Expert Comment

by:progjm
No, it's not a problem, it will work. Just don't know if a 3rd party will issue you a certificate. Contact godaddy.com and see what they say, it can't hurt.
0
 

Author Comment

by:igorign
OK, so you advise to look for a SAN/UCC multi-domain certificate, which will serve:

1. IIS on Exchange for both external and internal domain names
2. Apache website
3. (probably) no-domain-name IP-address-only IIS

Correct?
0
 
LVL 1

Expert Comment

by:progjm
The SAN UCC is for Exchange only
Single certificates for the others
0
 
LVL 1

Expert Comment

by:progjm
Well, I take that back, you can have all domains on one UCC. I just have never done it that way, personal preference.
0
 

Author Comment

by:igorign
Thank you, I wrote to GoDaddy, will report when they answer.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
The multi-domain/SAN cert is good for the Exchange server - this can host one or multiple domains and all the sites you need, and typically internal names and hostnames as well.

The individual sites can use a normal SSL cert - this can normally be issued to an IP address, however some CAs will not allow issuing to an internal IP address (e.g. 10.x.x.x or 192.168.x.x) - but some will.  I think I had heard that GoDaddy doesn't like to issue to internal IP addresses - this may have changed for all I know, but I think that Comodo will do that if you don't want to set up a CA for just this purpose.

For internal DNS names - generally these are okay, but there can be issues if it was set up improperly by using a .com name that your company does not own - not common but unfortunately far from unheard of.  If you have a .local instead of .com then you are usually going to be okay.

GoDaddy has the best prices for normal SSL and SAN SSL certs out there for a CA that has a commonly recognized root.  Comodo and Digicert are fairly inexpensive as well.
0
 
LVL 15

Expert Comment

by:markpalinux
GoDaddy also has wildcard certs - I am not sure if they can be used on Exchange or not, anyone aware?

0
 

Author Comment

by:igorign
OK, GoDaddy told me that they do not issue certificates for IP addresses. Is it normal, or am I just "lucky" to meet a wrong sales guy?
0
 
LVL 15

Expert Comment

by:markpalinux
No, certificates are for FQDNs - fully qualified domain names (i.e. host.domain.com), not IP addresses.

You can use a certificate and an IP address to secure communications - but the certificate details will have a name and not an IP address - thus it cannot "match". Maybe fine for things like VPN, wireless access point, but for Exchange/Outlook or any type of customer-facing website you should go with a name on the certificate that matches the site.



Mark
0
 

Author Comment

by:igorign
markpalinux, there are plenty of offerings for SSL Certificates for public IP addresses.
http://www.google.com/search?sourceid=navclient&aq=0&oq=ssl+certificate+for+ip&ie=UTF-8&rlz=1T4DVXA_enRU314&q=ssl+certificate+for+ip+address

Back to the original question, I wanted an aggregate easy-to-manage solution for Exchange, website and public no-FQDN sites. From what I was told above, I think I should go try getting a SAN cert to certify all this, or, in the worst case, get SAN for Exchange and www site, and get plain SSL certificates for no-FQDN sites.

I'll continue my conversation with GoDaddy and will post the results shortly.

0
 
LVL 1

Expert Comment

by:progjm
Yes exactly
0
 
LVL 15

Expert Comment

by:markpalinux
igorign,

I have been dealing with and managing SSL certs for years, first time I heard of SSL for an IP address. Thanks.

http://www.globalsign.com/digital_certificate/options/public-ip-address.htm
Secure a Public IP Address with a GlobalSign SSL Certificate

Typically a SSL Certificate is issued to a Fully Qualified Domain Name (FQDN) such as www.domain.com. However some organizations need a SSL Certificate issued to an IP address. This option allows you to specify an IP address as the Common Name in your Certificate Signing Request. The issued certificate can then be used to secure connections directly with the IP address, e.g. https://123.456.78.99.


Anyway, if you get an SSL for your IP, make sure you can get your money back if it does not work as expected.


Mark
0
 
LVL 15

Expert Comment

by:markpalinux


I know I heard of this before -


http://www.cacert.org/

If you want to have free certificates issued to you, join the CAcert Community.

They have a good wiki.

As far as I know the UCC certs for Exchange 2007 are also known as:
Subject Alternative Name
Unified Communications Certificate (SANS UCC Certificate)
Multiple Domain ( UCC )

In a quick search I didn't find if the cacert.org supported certificates with SANs.

Mark
0
 

Author Closing Comment

by:igorign
Thank you. The only note is that GoDaddy claims they don't provide IP address certificates (anymore?).
0
 

Author Comment

by:igorign
Thanks everyone! I think this Q can be closed.
0
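
The plan the thread settles on (one SAN certificate for the Exchange names and the website, with the IP-only sites either included or given their own certificates) can be checked before purchase by comparing the intended SAN list with every name clients will actually connect to. The sketch below is an added example, not code from any poster; it applies the matching rules of RFC 2818 section 3.1, and the host names, IP addresses and function names are constructed for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Match a dNSName entry: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative assumption: refuse wildcards directly under a TLD ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(san, endpoint):
    """san: list of ('DNS', name) or ('IP', address) tuples planned for the certificate."""
    if _is_ip(endpoint):
        # An IP literal is compared only with iPAddress entries, never with dNSName.
        target = ipaddress.ip_address(endpoint)
        return any(kind == "IP" and _is_ip(v) and ipaddress.ip_address(v) == target
                   for kind, v in san)
    return any(kind == "DNS" and dns_match(v, endpoint) for kind, v in san)

def uncovered(san, endpoints):
    """Return the endpoints that would fail name matching against this SAN list."""
    return [e for e in endpoints if not covers(san, e)]

# Constructed sample data: Exchange names, the Apache site, two IP-only IIS sites.
ENDPOINTS = ["mail.example.com", "autodiscover.example.com", "www.example.com",
             "exch01.example.local", "203.0.113.10", "203.0.113.11"]
SAN = [("DNS", "mail.example.com"), ("DNS", "autodiscover.example.com"),
       ("DNS", "www.example.com"), ("DNS", "exch01.example.local"),
       ("IP", "203.0.113.10")]
WILDCARD = [("DNS", "*.example.com")]

if __name__ == "__main__":
    print("SAN cert misses:", uncovered(SAN, ENDPOINTS))
    print("Wildcard cert misses:", uncovered(WILDCARD, ENDPOINTS))
```

With this data the SAN list misses only the second IP-only site, while the wildcard certificate misses the internal name and both IP addresses.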
