security certificate license for website and mobile

Hi,

I am looking for a good security certificate license for our company's website and email. I have a couple of questions:
1. Do I have to buy an SSL for Exchange server so that people can use cell phone to access email?
2. Which company is the best one for security certificate license?
3. What's the average price for that?
4. After I install that, will my webmail (OWA) not show a "certificate error" message and need to click continue to show our webmail?

thanks
Simon Chen, Network Administrator, Asked:

Bruno PACI, IT Consultant, Commented:
Hi,

The only advantage of buying a certificate from a public certification authority (like Thawte, VeriSign, ...) is that the certificates they sell to you come from certification authorities already known by your computers, smartphones, etc...
That means that computers and smartphones already have the root certificates of the well-known public certification authorities and you don't have to install them on this equipment...
That avoids the security alert saying the SSL certificate of the web site comes from an unknown authority...
That should answer your question number 4.

About your question number 1, in fact you need a public certificate on the server that publishes your internal Exchange OWA/ActiveSync server. I mean that if you have some reverse proxy in front of Exchange to secure incoming connections from the Internet, then the certificate must be present on the reverse proxy.
About the dialog between the reverse proxy and the Exchange Server, you have many choices. You can decide not to use SSL (I don't recommend that because in this case someone who connects to your internal network could sniff passwords), you can decide to use SSL encryption with a private certificate generated by a private certification authority in your enterprise, or you can decide to use SSL encryption using the same public certificate installed on the Exchange server.
In the last case you have to know that, usually, you should pay a certificate license for each server the certificate is installed on.

About question 2. Very simple... The best company is the one that delivers the cheapest certificates, and that is a well-known certification authority (I mean it must be already known by your computers or smartphones, else you'll have to install the root certificate on all your equipment)...

About question 3... Well... A certificate for SSL encryption for a Web server, OWA server or ActiveSync server should cost around 100 euros (120 dollars) a year.
What you have to know is that certification authorities will try to sell you the most expensive certificate with a lot of roles, but for OWA/ActiveSync you only need the basic Web server certificate for server authentication.

Another thing: a certificate is generated for a server name. That means that if the URL to access your OWA server from the Internet is something like https://myowa.mycompany.com/owa the certificate must be generated for the name "myowa.mycompany.com". Else you'll have a security alert saying that the certificate used by the server has been generated for another server...
You can buy certificates with alternative names. These certificates have several names, and you won't have security alerts until your URL matches with at least one name of the certificate. As an example, if you want users to be able to reach your web site using the DNS name or using the IP address without any security alert you'll then need a certificate for "myowa.mycompany.com" with the IP address as alternative names.
Of course, you'll probably have to pay more if you want a certificate with alternative names...
Finally, you can also buy a wildcard certificate generated for a wildcard name (like "*.mycompany.com"). That sort of certificate will permit you to publish many web servers using a unique entry point and then buying only one wildcard certificate. But OF COURSE, these certificates will cost much more.

Have a good day.
0
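The name matching described in the answer above (exact server name, alternative names, wildcard), as an added example that is not part of the original thread. It follows the usual client rules: a wildcard covers exactly one leftmost label, and an IP address in the URL is compared only with IP entries in the certificate. The sample certificates and the address 203.0.113.10 are constructed.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Compare one DNS name from the certificate with the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard accepted only as the whole leftmost label; this example
        # also refuses patterns as broad as "*.com" (fewer than 3 labels).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def host_matches_cert(host, dns_names=(), ip_addresses=()):
    """True if the host part of the URL is covered by the certificate."""
    if _is_ip(host):
        target = ipaddress.ip_address(host)
        # An IP in the URL matches only IP-address entries, never DNS names.
        return any(ipaddress.ip_address(ip) == target for ip in ip_addresses)
    return any(dns_name_matches(name, host) for name in dns_names)

# Constructed sample certificates (names follow the answer's examples).
SAN_CERT = {"dns_names": ["myowa.mycompany.com"],
            "ip_addresses": ["203.0.113.10"]}
WILDCARD_CERT = {"dns_names": ["*.mycompany.com"], "ip_addresses": []}

def report(cert, hosts):
    """Map each host to whether the client would accept the name."""
    return {h: host_matches_cert(h, **cert) for h in hosts}

if __name__ == "__main__":
    hosts = ["myowa.mycompany.com", "203.0.113.10",
             "mycompany.com", "a.myowa.mycompany.com"]
    for label, cert in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        for host, ok in report(cert, hosts).items():
            print(f"{label:9} {host:24} {'ok' if ok else 'name mismatch'}")
```

A name match is only one of the checks a client makes; the certificate must still chain to a root the device trusts, which is the point of question 4.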
 
Rick Fee, Messaging Engineer - Disaster Recovery Engineer, Commented:
It's not necessary to purchase a cert but highly recommended. You can get godaddy for $89 UCC: http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979

From there you have to change the vdirs so you don't get the cert error message in Outlook if you have not added the local AD name on the cert.

Fix Outlook 2007 cert error:  http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
0
 
Simon Chen, Network Administrator, Author Commented:
If not necessary to purchase a cert for cell phone, then how can I set it?
Thanks
0
 
Rick Fee, Messaging Engineer - Disaster Recovery Engineer, Commented:
Your self-signed cert has to have the same namespace as the DNS... so owa.domain.com. You can go to the website and export the cert... so you click on the cert and click copy to file and then import the cert on the phone. This works for Windows Mobile phones... you don't have to do this for Palm Pre or iPhones... they should work.
0
Question has a verified solution.
