AustinComputerLabs
asked on
SSL Certification Question on SBS 2008
Hello Experts and thank you for your help.
We have a new client that would like us to purchase and install an SSL cert for their exchange on SBS 2008.
Let’s say the windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.
I know they named the windows domain the same as their website but we inherited this one.
The iPhones and droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep exchange mail, iPhones and droid 3s happy would I need the following?
mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org
Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?
Thanks,
ACL
You do not need to create an A record to produce the cert. What matters is creating the CSR file with the proper CN. The cert authority (CA) will give you a way to create the CSR from your server.
A valid cert from a CA will make those devices happy. However, you have to ensure that the CA has its root cert already installed on that device. Apple lists all the available root CAs on their site, http://support.apple.com/kb/HT3580, so just select a CA from that list as your provider. You need to do research on the others, like what CA supports Android. Make sure the same root CA exists to avoid some devices failing to validate your cert.
So what happens if the root cert is not listed on that device? You need to install the root CA on the device/OS in order for it to validate the cert you use on the server.
So, summing up with cost consideration: get a wildcard cert for *.rockclimbing.com and 2 standard certs for mail.climbhere.org and climbhere.org.
ASKER
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?
A wildcard cert only works for one domain name per cert?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Oops... it is not 7 but 8
Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92
The difference just gets bigger... USD 239.95
ASKER
Thanks for all your help
You have 2 second-level domains here:
1. rockclimbing.com
2. climbhere.org
Most likely you have to have at least 2 certs with wildcard.
We just installed a wildcard cert on our Exchange and NPS; it works fine and we managed to lower the cost of having that cert. You can have a wildcard cert for rockclimbing.com. Since a wildcard cert is a little bit more expensive than a single cert, having fewer than 3 servers may not be viable in terms of cost. For that I suggest you get 2 more certs for the two climbhere.org servers - one for each.
However, be careful with a wildcard cert. If the cert is compromised, then all services using it can also be compromised.
Go Daddy has good certs with a lower price tag.
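As an added example (not code from any post in this thread), the check below runs the hostnames from the question against the certificate names suggested above, using the usual rule that `*` stands for exactly one leftmost label. The function names are hypothetical, and the matching is a simplified form of RFC 6125 name checking.

```python
# Added example: hostnames come from the question; function names are
# hypothetical. Rule applied: "*" replaces exactly one leftmost DNS label.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (CN/SAN entry) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # One label per wildcard, so the label counts must agree.
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com"; the rest must be equal.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def coverage(cert_names, hosts):
    """Map each host to the cert names that cover it (empty list = none)."""
    return {h: [n for n in cert_names if name_matches(n, h)] for h in hosts}


def uncovered(cert_names, hosts):
    """Hosts that no supplied certificate name covers."""
    return [h for h, names in coverage(cert_names, hosts).items() if not names]


# Hostnames listed in the question.
HOSTS = [
    "mail.rockclimbing.com",
    "rockclimbing.com",
    "autodiscover.rockclimbing.com",
    "servername.climbing.rockclimbing.com",
    "climbing.rockclimbing.com",
    "mail.climbhere.org",
    "climbhere.org",
]

# Names on the certificates suggested in the thread:
# one wildcard plus two standard single-name certs.
SUGGESTED = ["*.rockclimbing.com", "mail.climbhere.org", "climbhere.org"]

if __name__ == "__main__":
    for host, names in coverage(SUGGESTED, HOSTS).items():
        print(f"{host:40} {', '.join(names) or 'NOT COVERED'}")
```

Whether the bare domain is added as an extra SAN entry on a wildcard cert depends on the CA, so check the SAN list of the issued certificate before relying on it.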