SSL Certification Question on SBS 2008

Hello Experts and thank you for your help.

We have a new client that would like us to purchase and install an SSL cert for their exchange on SBS 2008.

Let’s say the windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.

I know they named the windows domain the same as their website but we inherited this one.

The iPhones and droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep exchange mail, iPhones and droid 3s happy would I need the following?

mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org

Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?

Thanks,
ACL
LVL 13
AustinComputerLabsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

khairilCommented:
Hi,

You have 2 second level domain here:
1. rockclimbing.com
2. climbhere.org

Most likely you have to had at least 2 certs with wildcard.

We just installed wildcard cert on our Exchange and NPS it works fine and we manage to lower the cost of having that cert. You can have wildcard cert for rockclimbing.com. Since wildcard cert is little big expensive than single cert, having less than 3 server may be not viable in term of cost. For that I suggest you to get 2 more cert for two climbhere.org server - one for each.

However, be aware with wildcard cert. If the cert compromised then all services using it can also be compromised.

Go Daddy have good cert with lower price tag.
0
khairilCommented:
You do not need to create A record to produce cert. What matter is creating CSR file with proper CN. The cert authority (CA) will give you way to create CSR from your server.

Valid cert from CA will make those device happy. However, you have to ensure that the CA have their root cert already installed in that device. Apple listed all the available root CA on their site, http://support.apple.com/kb/HT3580 so just select CA from that list as your provider. You need to do researhc on others like what CA support Android. Make sure same root CA  exist to avoid some device failed to validate your cert.

So what happen if not root cert listed in that device? You need to install root CA to the device/OS in order for them to validate cert you used on the server.

So summing up with cost consideration. Get wildcard cert for *.rockclimbing.com and 2 standard cert for mail.climbhere.org and climbhere.org

0
AustinComputerLabsAuthor Commented:
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?

A wildcard cert only works for one domain name per cert?
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

khairilCommented:
That what I doing exactly. We have used standard cert from very well known big name before. One cert per domain. That cost me USD 470 per cert and I have 13 of them which cost me USD 6,110 a year.

Soon I find out I need more but not having adequate budget, which make me switch to wildcard cert with cost less than half of I have to spent before. The cert is from less well know CA, but it works.

Wildcard work on multi domain with one cert only. So you need to have only one cert and used it MOSTLY any where.

Wildcard work best if you have domains like these:
1. mail.rockclimbing.com
2. rockclimbing.com
3. autodiscover.rockclimbing.com
4. servername.climbing.rockclimbing.com
6. climbing.rockclimbing.com

The cert will be issued to *.rockclimbing.com instead of per domain. So to anwser you question, it works for multi domain as long it ends with rockclimbing.com (for you case).

My suggestion is only if you want to save budget. Go daddy is good enough for most situation and it's cheap too. You can stil have per cert per domain but have to pay little bit more. I do some calculation for you, based on Go daddy price:

Standard Cert:
7 x USD 89.99 (normal cert per domain) = USD 629.93

Wildcard + Standard Cert:
1 x USD 299.99 (wildcard for rockclimbing.com) + 2 x USD 89.99 (standar cert for 2 climbhere.org domains) = USD 479.97

So you get the different right? It is your choice now.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
khairilCommented:
opps... is not 7 but 8

Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92

The different just get bigger.... USD 239.95
0
AustinComputerLabsAuthor Commented:
Thanks for all your help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.