Solved

SSL Certification Question on SBS 2008

Posted on 2011-09-23
6
352 Views
Last Modified: 2012-05-12
Hello Experts and thank you for your help.

We have a new client that would like us to purchase and install an SSL cert for their exchange on SBS 2008.

Let’s say the windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.

I know they named the windows domain the same as their website but we inherited this one.

The iPhones and droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep exchange mail, iPhones and droid 3s happy would I need the following?

mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org

Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?

Thanks,
ACL
0
Comment
Question by:AustinComputerLabs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36591324
Hi,

You have 2 second level domain here:
1. rockclimbing.com
2. climbhere.org

Most likely you have to had at least 2 certs with wildcard.

We just installed wildcard cert on our Exchange and NPS it works fine and we manage to lower the cost of having that cert. You can have wildcard cert for rockclimbing.com. Since wildcard cert is little big expensive than single cert, having less than 3 server may be not viable in term of cost. For that I suggest you to get 2 more cert for two climbhere.org server - one for each.

However, be aware with wildcard cert. If the cert compromised then all services using it can also be compromised.

Go Daddy have good cert with lower price tag.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36591341
You do not need to create A record to produce cert. What matter is creating CSR file with proper CN. The cert authority (CA) will give you way to create CSR from your server.

Valid cert from CA will make those device happy. However, you have to ensure that the CA have their root cert already installed in that device. Apple listed all the available root CA on their site, http://support.apple.com/kb/HT3580 so just select CA from that list as your provider. You need to do researhc on others like what CA support Android. Make sure same root CA  exist to avoid some device failed to validate your cert.

So what happen if not root cert listed in that device? You need to install root CA to the device/OS in order for them to validate cert you used on the server.

So summing up with cost consideration. Get wildcard cert for *.rockclimbing.com and 2 standard cert for mail.climbhere.org and climbhere.org

0
 
LVL 13

Author Comment

by:AustinComputerLabs
ID: 36592482
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?

A wildcard cert only works for one domain name per cert?
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 13

Accepted Solution

by:
khairil earned 500 total points
ID: 36593017
That what I doing exactly. We have used standard cert from very well known big name before. One cert per domain. That cost me USD 470 per cert and I have 13 of them which cost me USD 6,110 a year.

Soon I find out I need more but not having adequate budget, which make me switch to wildcard cert with cost less than half of I have to spent before. The cert is from less well know CA, but it works.

Wildcard work on multi domain with one cert only. So you need to have only one cert and used it MOSTLY any where.

Wildcard work best if you have domains like these:
1. mail.rockclimbing.com
2. rockclimbing.com
3. autodiscover.rockclimbing.com
4. servername.climbing.rockclimbing.com
6. climbing.rockclimbing.com

The cert will be issued to *.rockclimbing.com instead of per domain. So to anwser you question, it works for multi domain as long it ends with rockclimbing.com (for you case).

My suggestion is only if you want to save budget. Go daddy is good enough for most situation and it's cheap too. You can stil have per cert per domain but have to pay little bit more. I do some calculation for you, based on Go daddy price:

Standard Cert:
7 x USD 89.99 (normal cert per domain) = USD 629.93

Wildcard + Standard Cert:
1 x USD 299.99 (wildcard for rockclimbing.com) + 2 x USD 89.99 (standar cert for 2 climbhere.org domains) = USD 479.97

So you get the different right? It is your choice now.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36593026
opps... is not 7 but 8

Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92

The different just get bigger.... USD 239.95
0
 
LVL 13

Author Closing Comment

by:AustinComputerLabs
ID: 36594337
Thanks for all your help
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question