Solved

SSL Certification Question on SBS 2008

Posted on 2011-09-23
6
347 Views
Last Modified: 2012-05-12
Hello Experts and thank you for your help.

We have a new client that would like us to purchase and install an SSL cert for their Exchange on SBS 2008.

Let's say the Windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.

I know they named the Windows domain the same as their website but we inherited this one.

The iPhones and Droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep Exchange mail, iPhones and Droid 3s happy would I need the following?

mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org

Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?

Thanks,
ACL
Question by:AustinComputerLabs
6 Comments

Expert Comment

by:khairil
ID: 36591324
Hi,

You have 2 second-level domains here:
1. rockclimbing.com
2. climbhere.org

Most likely you have to have at least 2 certs with wildcard.

We just installed a wildcard cert on our Exchange and NPS; it works fine and we managed to lower the cost of having that cert. You can have a wildcard cert for rockclimbing.com. Since a wildcard cert is a little bit more expensive than a single cert, having fewer than 3 servers may not be viable in terms of cost. For that I suggest you get 2 more certs for the two climbhere.org servers - one for each.

However, be aware with a wildcard cert: if the cert is compromised then all services using it can also be compromised.

Go Daddy has good certs with a lower price tag.

Expert Comment

by:khairil
ID: 36591341
You do not need to create an A record to produce a cert. What matters is creating the CSR file with the proper CN. The cert authority (CA) will give you a way to create the CSR from your server.

A valid cert from a CA will make those devices happy. However, you have to ensure that the CA has their root cert already installed in that device. Apple lists all the available root CAs on their site, http://support.apple.com/kb/HT3580 so just select a CA from that list as your provider. You need to do research on others, like what CAs Android supports. Make sure the same root CA exists to avoid some devices failing to validate your cert.

So what happens if no root cert is listed in that device? You need to install the root CA on the device/OS in order for them to validate the cert you used on the server.

So summing up with cost consideration: get a wildcard cert for *.rockclimbing.com and 2 standard certs for mail.climbhere.org and climbhere.org

Author Comment

by:AustinComputerLabs
ID: 36592482
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?

A wildcard cert only works for one domain name per cert?

Accepted Solution

by:khairil (earned 500 total points)
ID: 36593017
That is what I am doing exactly. We have used standard certs from a very well known big name before. One cert per domain. That cost me USD 470 per cert and I have 13 of them, which cost me USD 6,110 a year.

Soon I found out I needed more but did not have adequate budget, which made me switch to a wildcard cert with a cost less than half of what I had to spend before. The cert is from a less well known CA, but it works.

Wildcard works on multiple domains with one cert only. So you need to have only one cert and use it MOSTLY anywhere.

Wildcard works best if you have domains like these:
1. mail.rockclimbing.com
2. rockclimbing.com
3. autodiscover.rockclimbing.com
4. servername.climbing.rockclimbing.com
5. climbing.rockclimbing.com

The cert will be issued to *.rockclimbing.com instead of per domain. So to answer your question, it works for multiple domains as long as it ends with rockclimbing.com (for your case).

My suggestion is only if you want to save budget. Go Daddy is good enough for most situations and it's cheap too. You can still have one cert per domain but have to pay a little bit more. I did some calculation for you, based on Go Daddy prices:

Standard Cert:
7 x USD 89.99 (normal cert per domain) = USD 629.93

Wildcard + Standard Cert:
1 x USD 299.99 (wildcard for rockclimbing.com) + 2 x USD 89.99 (standard cert for 2 climbhere.org domains) = USD 479.97

So you get the difference, right? It is your choice now.
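Before paying for any of the options above, it is worth checking which of the hostnames from the question a given set of certificate names would actually cover. The following is an added example written for this page (not code from the thread, from Go Daddy, or from Exchange). It applies the single-label wildcard rule that browsers, iOS and Android use (RFC 6125 section 6.4.3: `*` may only be the leftmost label and matches exactly one label) to the hostnames listed in the question. `REQUIRED_HOSTNAMES` is constructed from the question; `PROPOSED_CERT_NAMES` is the combined name set of the wildcard-plus-two-standard-certs option from the accepted answer; `SAN_CERT_NAMES` goes beyond the thread and assumes a CA will issue one multi-name (Subject Alternative Name) certificate listing every host explicitly.

```python
"""
Hostname coverage check for TLS certificate names.

Added example: given the names a certificate carries (its CN plus any
Subject Alternative Names, wildcards allowed) and the hostnames clients
actually connect to, report which hostnames the certificate would be
accepted for.  Matching follows the single-label wildcard rule used by
browsers and RFC 6125 section 6.4.3.
"""


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (possibly a wildcard) covers hostname."""
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if "*" not in name:
        return host == name
    # Wildcard rules: only the leftmost label may be '*', and it must be
    # the whole label ('*.example.com', not 'm*.example.com' or 'a.*.com').
    labels = name.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False
    if len(labels) < 3:
        # '*.com' would cover every .com host; clients reject such names.
        return False
    host_labels = host.split(".")
    # '*' stands for exactly one label: same label count, remaining labels
    # identical.  This is why '*.example.com' covers neither 'example.com'
    # nor 'a.b.example.com'.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def coverage(hostnames, cert_names):
    """Map each hostname to the first cert name that covers it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next(
            (n for n in cert_names if hostname_matches(host, n)), None)
    return result


def uncovered(hostnames, cert_names):
    """Hostnames no cert name covers: clients would report a name mismatch."""
    return [h for h, n in coverage(hostnames, cert_names).items() if n is None]


# Hostnames listed in the question (constructed from the thread).
REQUIRED_HOSTNAMES = [
    "mail.rockclimbing.com",
    "rockclimbing.com",
    "autodiscover.rockclimbing.com",
    "servername.climbing.rockclimbing.com",
    "climbing.rockclimbing.com",
    "mail.climbhere.org",
    "climbhere.org",
]

# Combined names of the three certificates the accepted answer proposes.
PROPOSED_CERT_NAMES = ["*.rockclimbing.com", "mail.climbhere.org", "climbhere.org"]

# Assumption (not from the thread): one multi-name SAN certificate that
# lists every required host explicitly.
SAN_CERT_NAMES = list(REQUIRED_HOSTNAMES)

if __name__ == "__main__":
    for label, names in (("wildcard + 2 standard certs", PROPOSED_CERT_NAMES),
                         ("single SAN cert", SAN_CERT_NAMES)):
        print(f"{label}:")
        for host, match in coverage(REQUIRED_HOSTNAMES, names).items():
            print(f"  {host:40} -> {match or 'NOT COVERED'}")
```

Any hostname reported as NOT COVERED is one the phones and Outlook clients would reject with a certificate name mismatch, so the name list should be settled before the CSR is generated: the names are fixed at issue time and cannot be added to an existing certificate.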

Expert Comment

by:khairil
ID: 36593026
Oops... it is not 7 but 8

Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92

The difference just gets bigger.... USD 239.95

Author Closing Comment

by:AustinComputerLabs
ID: 36594337
Thanks for all your help