Status: Solved

Certificates: Best-buy for Exchange 2007 and separate website(s)

Dear Experts,

I'm new to certificates. I'm looking for an "aggregate" certificate solution that will serve our Exchange 2007 server, corporate website with client area and production websites.

Of course I'd like to minimize the costs, however manageability of certificates we're going to purchase is also very important.

All in all, we have the following sites we'd like to "certify":

1. Exchange 2007 server, accessed from both LAN and WAN. Clients are Outlook 2003 and 2007, OWA and mobile devices (Nokia Mail for Exchange via Activesync, Blackberry and iPhone via IMAP/SMTP).

2. Website with client area (HTTPS) on Apache

3. Two production sites also accessed by clients on IIS. Note: these two sites do not have domain names, just IP addresses.

What solution would you recommend?

Thank you,
Igor
Asked by igorign
1 Solution
 
progjmCommented:
godaddy.com
Get a multidomain certificate for your Exchange 2007 server, i.e. mail.domain.com, autodiscover.domain.com, domain.com
0
 
ikshf143Commented:
You can go with a SAN (UCC) certificate that can have multiple URLs, and that is one of the best certificates for Exchange 2007. Also, keeping in mind the cost factor, the cheapest SAN certificates are provided by GoDaddy; there may be others, but I am not aware of them.
0
 
igorignAuthor Commented:
progjm and ikshf143, thank you for your prompt responses.

But would the proposed solutions work for no-domain-name sites (pt. 3 of my question)?
0
 
progjmCommented:
Do you have an internal certificate server installed by any chance?
0
 
igorignAuthor Commented:
progjm, no I don't, but can install one if it's worth...
0
 
progjmCommented:
For any sites that will be utilized from the outside it's best to have a domain name and a 3rd party certificate. At least that's my opinion.
Exchange will have to have a 3rd party certificate, a SAN UCC certificate as stated by ikshf143.
I had 2 test sites that I set up with IPs only and used my internal cert server to generate the certificates.
Is there any reason why these outside IPs don't have a domain name?
0
 
igorignAuthor Commented:
progjm,

OK, you meant do we have a certificate-generating server - yes we do, it's currently making home-made certificates (signed by us) that a user can download and install. I'd like to avoid that procedure.

So is no-domain-name site really a problem in my case? I understand it's not clear why, but explaining the reasons will take time and will drive us away from the original topic. Let's assume this is inevitable. Hope you excuse me for avoiding the answer)
0
 
progjmCommented:
No, it's not a problem, it will work. I just don't know if a 3rd party will issue you a certificate. Contact godaddy.com and see what they say, it can't hurt.
0
 
igorignAuthor Commented:
OK, so you advise to look for a SAN/UCC multi-domain certificate, which will serve:

1. IIS on Exchange for both external and internal domain names
2. Apache website
3. (probably) no-domain-name IP-address-only IIS

Correct?
0
 
progjmCommented:
The SAN UCC is for Exchange only
Single certificates for the others
0
 
progjmCommented:
Well, I take that back, you can have all domains on one UCC. I just have never done it that way, personal preference.
0
 
igorignAuthor Commented:
Thank you, I wrote to GoDaddy, will report when they answer.
0
 
ParanormasticCryptographic EngineerCommented:
The multi-domain/SAN cert is good for the Exchange server - this can host one or multiple domains and all the sites you need, and typically internal names and hostnames as well.

The individual sites can use a normal SSL cert - this can normally be issued to an IP address, however some CAs will not allow issuing to an internal IP address (e.g. 10.x.x.x or 192.168.x.x) - but some will.  I think I had heard that GoDaddy doesn't like to issue to internal IP addresses - this may have changed for all I know, but I think that Comodo will do that if you don't want to set up a CA for just this purpose.

For internal DNS names - generally these are okay, but there can be issues if it was set up improperly by using a .com name that your company does not own - not common but unfortunately far from unheard of.  If you have a .local instead of .com then you are usually going to be okay.

GoDaddy has the best prices for normal SSL and SAN SSL certs out there for a CA that has a commonly recognized root.  Comodo and Digicert are fairly inexpensive as well.
0
 
markpalinuxCommented:
GoDaddy also has wildcard certs - I am not sure if they can be used on Exchange or not, anyone aware?
0
 
igorignAuthor Commented:
OK, GoDaddy told me that they do not issue certificates for IP addresses. Is it normal, or am I just "lucky" to meet the wrong sales guy?
0
 
markpalinuxCommented:
No, certificates are for FQDNs - fully qualified domain names (i.e. host.domain.com), not IP addresses.

You can use a certificate and an IP address to secure communications - but the certificate details will have a name and not an IP address - thus it cannot "match". Maybe fine for things like VPN or a wireless access point, but for Exchange/Outlook or any type of customer-facing website you should go with a name on the certificate that matches the site.

Mark
0
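The "match" rule Mark describes, as an added example that is not part of the thread: a TLS client compares the URL's host against the certificate's Subject Alternative Names, and an IP literal is matched only against iPAddress entries, so a certificate issued to a name can never satisfy an IP-only site. The certificate contents (mail.domain.com, autodiscover.domain.com, 203.0.113.10, shop.domain.com) are constructed for illustration; the wildcard handling follows the one-label rule of RFC 6125, which also answers the wildcard question raised above.

```python
import ipaddress

# Constructed certificates (not from the thread). A UCC/SAN cert for the
# Exchange server, and a plain single-name cert with no SAN at all.
UCC_CERT = {
    "cn": "mail.domain.com",
    "san": [("DNS", "mail.domain.com"), ("DNS", "autodiscover.domain.com"),
            ("DNS", "domain.com"), ("IP", "203.0.113.10")],
}
PLAIN_CERT = {"cn": "shop.domain.com", "san": []}
WILDCARD_CERT = {"cn": "*.domain.com", "san": [("DNS", "*.domain.com")]}


def _dns_match(pattern, host):
    """RFC 6125 name comparison: case-insensitive, wildcard only as the
    whole left-most label, and the wildcard never matches the bare parent."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                    # "*.domain.com" -> ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]          # the label the '*' stands for
    return leftmost != "" and "." not in leftmost


def cert_matches(cert, target):
    """True when a TLS client would accept `cert` for URL host `target`
    (a DNS name or an IP literal such as 203.0.113.10)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    sans = cert["san"]
    if ip is not None:
        # An IP in the URL is checked only against iPAddress SANs; a
        # dNSName or CN that merely looks like an IP is never consulted.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"]
    if dns_names:
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback of that era: CN is used only when the cert has no SAN
    # (current browsers ignore CN entirely and require a SAN).
    return _dns_match(cert["cn"], target)


if __name__ == "__main__":
    for cert, host in [(UCC_CERT, "autodiscover.domain.com"), (UCC_CERT, "203.0.113.10"),
                       (PLAIN_CERT, "shop.domain.com"), (PLAIN_CERT, "203.0.113.20"),
                       (WILDCARD_CERT, "mail.domain.com"), (WILDCARD_CERT, "domain.com")]:
        print(f"{host:<25} -> {'match' if cert_matches(cert, host) else 'NO MATCH'}")
```

The PLAIN_CERT / 203.0.113.20 case is the situation described in the thread: reaching a site by IP while the certificate only names a host produces a name-mismatch warning in Outlook or the browser.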
 
igorignAuthor Commented:
markpalinux, there are plenty of offerings for SSL Certificates for public IP addresses.
http://www.google.com/search?sourceid=navclient&aq=0&oq=ssl+certificate+for+ip&ie=UTF-8&rlz=1T4DVXA_enRU314&q=ssl+certificate+for+ip+address

Back to the original question, I wanted an aggregate, easy-to-manage solution for Exchange, website and public no-FQDN sites. From what I was told above, I think I should go try getting a SAN cert to certify all this, or, in the worst case, get a SAN for Exchange and the www site, and get plain SSL certificates for the no-FQDN sites.

I'll continue my conversation with GoDaddy and will post the results shortly.

0
 
progjmCommented:
Yes exactly
0
 
markpalinuxCommented:
igorign,

I have been dealing with and managing SSL certs for years; first time I've heard of SSL for an IP address. Thanks.

http://www.globalsign.com/digital_certificate/options/public-ip-address.htm
Secure a Public IP Address with a GlobalSign SSL Certificate

Typically a SSL Certificate is issued to a Fully Qualified Domain Name (FQDN) such as www.domain.com. However some organizations need a SSL Certificate issued to an IP address. This option allows you to specify an IP address as the Common Name in your Certificate Signing Request. The issued certificate can then be used to secure connections directly with the IP address, e.g. https://123.456.78.99.

Anyway, if you get an SSL cert for your IP, make sure you can get your money back if it does not work as expected.

Mark
0
 
markpalinuxCommented:
I know I heard of this before -

http://www.cacert.org/

If you want to have free certificates issued to you, join the CAcert Community.

They have a good wiki.

As far as I know the UCC certs for Exchange 2007 are also known as Subject Alternative Name certs:
Subject Alternative Name
Unified Communications Certificate (SANS UCC Certificate)
Multiple Domain ( UCC )

In a quick search I didn't find if the cacert.org supported certificates with SANs.

Mark
0
 
igorignAuthor Commented:
Thank you. The only note is that GoDaddy claims they don't provide IP address certificates (anymore?).
0
 
igorignAuthor Commented:
Thanks everyone! I think this Q can be closed.
0
