gccITteam

asked on

How do I obtain and install a security certificate for an Outlook Web Access login page?

I am running Exchange Server 2003 on a server that is running Windows Server 2003.  We use Outlook Web Access quite frequently to check our e-mail when we are out of the office.  The first issue that I have is that to get to the OWA login page, I have to type https://ipaddress/exchange where ipaddress is our static IP address from our ISP.  I would like to change that to be able to type https://owa.4grace.org or something to that effect.  Is this possible, and if so, could you provide dummy-proof step by step instructions on how to do so?  The second issue that I have is once I type in https://ipaddress/exchange, it takes me to a screen that says:

 There is a problem with this website's security certificate.
 
 The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.


My question for this issue is how do I correct this problem?  Do I need to purchase a security certificate?  If so, where do I go to purchase that and how do I install it?  One thing to keep in mind, we will be connecting our Palm Treo 755p's to this Exchange Server using Versa Mail so the security certificate will also have to work with that.  

Any help on these issues would be greatly appreciated.  Thank you so much for your time and I look forward to hearing back from you.

zelron22

To access OWA from the Internet using an FQDN such as "http://webmail.yourdomain.com" you need to have a host record added by your DNS hosting service.  

For the certificate, you can purchase one from Thawte, Verisign, GoDaddy, or any number of other places.  If you don't purchase one, you have to generate one and hand it out to everyone who's going to connect to your server otherwise they won't be secure.  

How to generate a cert request:  http://support.microsoft.com/kb/228821

You definitely want to use a certificate and SSL, otherwise everything is free and clear on the Internet.



"Dummy-proof steps"

Each hosting company has somewhat different procedures.  If you do not know how to get DNS records added, you should call the company that hosts your DNS (most likely your web hosting service) and let them know that you need to add a host record.  They will either take the information or point you to a control panel.  What you are going to add is the host "owa" (or whatever you choose to call it) with the static IP address of your server.

When you change from using the static IP address to using a friendly name, you will probably need to generate a new certificate.

The certificate warning you are getting is not an error or a problem.  It just means that Microsoft is stupid (sorry, but I don't usually hold back on the way I feel about stupid programmers).  What the message is telling you is that your server uses a "self signed" certificate.  There is NOTHING WRONG with a self-signed certificate, but Microsoft seems to think that putting up a severe warning that only technical people understand is a good idea.  Get a clue, eh?  There are really only 2 differences between a purchased certificate and a self-signed certificate.  When you purchase a certificate, the CA (Certificate Authority) is supposed to verify that you really are who you say you are.  For financial transactions and such this is a great thing!  Not that it means a whole heck of a lot given that only a fairly technical person knows enough to check the certificate and see who it was issued to.  When you "self sign" a certificate it means no third party has verified that "yes indeed, you really are John Doe".  The second difference is obvious -- you have to pay for a certificate from a third party issuer....and you have to keep paying for it every time the certificate expires.

For internal use, a self-signed certificate is just fine.  Your system already has this type of certificate, which means you probably have the CA set up somewhere on your network to generate self-signed certificates.  All you need to do is educate your users that the stupid Microsoft message does not mean anything -- and they should continue to the site.  You might even want to provide instructions for them to install the certificate onto their computer to prevent the stupid message from coming up on their PC in the future.

If your users cannot be educated, purchase a certificate and you will not receive the warning about a self-signed certificate.  Thanks to Microsoft, companies needlessly purchase security certificates every day for web sites.  Not because the purchased certificates are better security, but because they don't want people to get scared away by the stupid message.

Any certificate (self signed or purchased) should work fine with the Palm Treo.  I usually implement self-signed certificates for e-mail security, but have also purchased from Thawte when politics demanded wasting money.


The certificate itself will need to be installed in the IIS admin console.  If you are running SBS2003, you can use one of the wizards to both generate the certificate and install it.  If you are not running SBS, go into IIS management from Administrative Tools to put the new security certificate in place.


Now, given that you are a church I am going to step back and tell you that you may want to consider running without SSL (gasp!).  I am not saying you should do this, but that you should consider it.  Going straight HTML takes away the added security of encryption, but it also takes away the administrative setup.  As a church, you may have absolutely no proprietary or confidential information to protect in your e-mail system.  If a username or password is compromised, there may be no data to steal.  And most of your e-mail is floating around the Internet free-text to begin with (unlike corporations where much of the e-mail is internal only).  Hey, we lock the door to protect things.  If there is nothing to protect why spend a bunch of time / effort / money on the lock?
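The warning the asker quotes ("issued for a different website's address") and zelron22's remark that switching from the IP address to a friendly name will probably need a new certificate both come down to one check: the host part of the URL must be among the names the certificate was issued for, and a self-signed certificate must additionally be installed on every client that should trust it. The script below is an added example, not code from this thread or from any of the posters; it implements that name-matching check in the style a browser applies, over constructed sample certificates in the dict shape Python's `ssl.getpeercert()` returns. The address `203.0.113.10`, the host `owa.example.org` and the issuer `Example Org Internal CA` are placeholders, not values from the question.

```python
"""Certificate-name vs. URL-host check (added example, stdlib only).

The sample certificates below are constructed; no real server is contacted.
"""
import ipaddress

# Constructed sample: what a default self-signed Exchange/IIS certificate
# looks like when it was generated for the server's bare IP address and
# carries no subjectAltName extension at all.
CERT_ISSUED_FOR_IP = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "issuer": ((("commonName", "203.0.113.10"),),),  # self-signed: issuer == subject
}

# Constructed sample: a certificate re-issued after moving to a friendly name.
# It lists both the DNS name and the IP in subjectAltName, so bookmarks of
# https://203.0.113.10/exchange keep working alongside the new hostname.
CERT_ISSUED_FOR_OWA = {
    "subject": ((("commonName", "owa.example.org"),),),
    "issuer": ((("commonName", "Example Org Internal CA"),),),
    "subjectAltName": (("DNS", "owa.example.org"), ("IP Address", "203.0.113.10")),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a single '*' may stand for
    exactly one whole left-most label and never for a top-level domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names) the certificate covers.

    subjectAltName wins; the subject commonName is consulted only when the
    certificate has no DNS entries in subjectAltName (legacy behaviour that
    old browsers and Exchange 2003-era clients relied on)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value)
    return dns, ips


def cert_matches_host(cert: dict, host: str) -> bool:
    """True when the URL's host part is covered by the certificate."""
    dns, ips = names_in_cert(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal in the URL must appear as an IP SAN; older clients also
        # accepted it in the CN, and we mirror that fallback when no IP SAN exists.
        return any(ipaddress.ip_address(ip) == addr for ip in ips) or (not ips and host in dns)
    return any(_dns_label_match(p, host) for p in dns)


def is_self_signed(cert: dict) -> bool:
    """Self-signed means issuer == subject: clients trust it only once it has
    been imported into their trusted-root store (the "hand it out" step)."""
    return cert.get("issuer") == cert.get("subject")


def explain(cert: dict, host: str) -> str:
    """One-line verdict suitable for a help-desk note."""
    dns, ips = names_in_cert(cert)
    verdict = "OK" if cert_matches_host(cert, host) else "MISMATCH"
    trust = "self-signed, must be installed on clients" if is_self_signed(cert) else "CA-issued"
    return f"{host}: {verdict} (certificate names: DNS={dns or '-'} IP={ips or '-'}; {trust})"


if __name__ == "__main__":
    for cert in (CERT_ISSUED_FOR_IP, CERT_ISSUED_FOR_OWA):
        for host in ("203.0.113.10", "owa.example.org"):
            print(explain(cert, host))
```

Running it shows the situation in the question: the IP-only certificate is fine for `https://203.0.113.10/exchange` but fails for `https://owa.example.org/exchange`, while the re-issued certificate with both names in subjectAltName passes for either URL. The self-signed flag is the separate reason the browser keeps warning even after the names match until the certificate is imported on each client.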

ASKER

I definitely want to keep running with SSL.  I am running Server 2003, not SBS2003.  With that being said, how do I go about creating, signing, and installing my own security certificate?  Secondly, how can I obtain this certificate to install on other computers and my palm treo's?  If you could provide step by step instructions, that would be absolutely marvelous.  Thank you so much for your help.  This site has been a life-saver.
ASKER CERTIFIED SOLUTION
mds-cos