Solved

SSL Certification Question on SBS 2008

Posted on 2011-09-23
6
350 Views
Last Modified: 2012-05-12
Hello Experts and thank you for your help.

We have a new client that would like us to purchase and install an SSL cert for their exchange on SBS 2008.

Let’s say the windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.

I know they named the windows domain the same as their website but we inherited this one.

The iPhones and droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep exchange mail, iPhones and droid 3s happy would I need the following?

mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org

Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?

Thanks,
ACL
0
Comment
Question by:AustinComputerLabs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36591324
Hi,

You have 2 second level domain here:
1. rockclimbing.com
2. climbhere.org

Most likely you have to had at least 2 certs with wildcard.

We just installed wildcard cert on our Exchange and NPS it works fine and we manage to lower the cost of having that cert. You can have wildcard cert for rockclimbing.com. Since wildcard cert is little big expensive than single cert, having less than 3 server may be not viable in term of cost. For that I suggest you to get 2 more cert for two climbhere.org server - one for each.

However, be aware with wildcard cert. If the cert compromised then all services using it can also be compromised.

Go Daddy have good cert with lower price tag.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36591341
You do not need to create A record to produce cert. What matter is creating CSR file with proper CN. The cert authority (CA) will give you way to create CSR from your server.

Valid cert from CA will make those device happy. However, you have to ensure that the CA have their root cert already installed in that device. Apple listed all the available root CA on their site, http://support.apple.com/kb/HT3580 so just select CA from that list as your provider. You need to do researhc on others like what CA support Android. Make sure same root CA  exist to avoid some device failed to validate your cert.

So what happen if not root cert listed in that device? You need to install root CA to the device/OS in order for them to validate cert you used on the server.

So summing up with cost consideration. Get wildcard cert for *.rockclimbing.com and 2 standard cert for mail.climbhere.org and climbhere.org

0
 
LVL 13

Author Comment

by:AustinComputerLabs
ID: 36592482
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?

A wildcard cert only works for one domain name per cert?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 13

Accepted Solution

by:
khairil earned 500 total points
ID: 36593017
That what I doing exactly. We have used standard cert from very well known big name before. One cert per domain. That cost me USD 470 per cert and I have 13 of them which cost me USD 6,110 a year.

Soon I find out I need more but not having adequate budget, which make me switch to wildcard cert with cost less than half of I have to spent before. The cert is from less well know CA, but it works.

Wildcard work on multi domain with one cert only. So you need to have only one cert and used it MOSTLY any where.

Wildcard work best if you have domains like these:
1. mail.rockclimbing.com
2. rockclimbing.com
3. autodiscover.rockclimbing.com
4. servername.climbing.rockclimbing.com
6. climbing.rockclimbing.com

The cert will be issued to *.rockclimbing.com instead of per domain. So to anwser you question, it works for multi domain as long it ends with rockclimbing.com (for you case).

My suggestion is only if you want to save budget. Go daddy is good enough for most situation and it's cheap too. You can stil have per cert per domain but have to pay little bit more. I do some calculation for you, based on Go daddy price:

Standard Cert:
7 x USD 89.99 (normal cert per domain) = USD 629.93

Wildcard + Standard Cert:
1 x USD 299.99 (wildcard for rockclimbing.com) + 2 x USD 89.99 (standar cert for 2 climbhere.org domains) = USD 479.97

So you get the different right? It is your choice now.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36593026
opps... is not 7 but 8

Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92

The different just get bigger.... USD 239.95
0
 
LVL 13

Author Closing Comment

by:AustinComputerLabs
ID: 36594337
Thanks for all your help
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
how to add IIS SMTP to handle application/Scanner relays into office 365.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question