Solved

SSL Certification Question on SBS 2008

Posted on 2011-09-23
6
345 Views
Last Modified: 2012-05-12
Hello Experts and thank you for your help.

We have a new client that would like us to purchase and install an SSL cert for their exchange on SBS 2008.

Let’s say the windows domain is climbing.rockclimbing.com
And the main web address is rockclimbing.com
The secondary web address is climbhere.org
The client sends and receives email from both addresses.

I know they named the windows domain the same as their website but we inherited this one.

The iPhones and droid 3s all connect using mail.rockclimbing.com
For an SSL cert that will keep exchange mail, iPhones and droid 3s happy would I need the following?

mail.rockclimbing.com
rockclimbing.com
autodiscover.rockclimbing.com
servername.climbing.rockclimbing.com
climbing.rockclimbing.com
mail.climbhere.org
climbhere.org

Which type of SSL cert will be effective and the least expensive?
Will I also need to create an A record to point autodiscover.rockclimbing.com to the server static WAN IP at their registrar?

Thanks,
ACL
0
Comment
Question by:AustinComputerLabs
  • 4
  • 2
6 Comments
 
LVL 13

Expert Comment

by:khairil
ID: 36591324
Hi,

You have 2 second level domain here:
1. rockclimbing.com
2. climbhere.org

Most likely you have to had at least 2 certs with wildcard.

We just installed wildcard cert on our Exchange and NPS it works fine and we manage to lower the cost of having that cert. You can have wildcard cert for rockclimbing.com. Since wildcard cert is little big expensive than single cert, having less than 3 server may be not viable in term of cost. For that I suggest you to get 2 more cert for two climbhere.org server - one for each.

However, be aware with wildcard cert. If the cert compromised then all services using it can also be compromised.

Go Daddy have good cert with lower price tag.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36591341
You do not need to create A record to produce cert. What matter is creating CSR file with proper CN. The cert authority (CA) will give you way to create CSR from your server.

Valid cert from CA will make those device happy. However, you have to ensure that the CA have their root cert already installed in that device. Apple listed all the available root CA on their site, http://support.apple.com/kb/HT3580 so just select CA from that list as your provider. You need to do researhc on others like what CA support Android. Make sure same root CA  exist to avoid some device failed to validate your cert.

So what happen if not root cert listed in that device? You need to install root CA to the device/OS in order for them to validate cert you used on the server.

So summing up with cost consideration. Get wildcard cert for *.rockclimbing.com and 2 standard cert for mail.climbhere.org and climbhere.org

0
 
LVL 13

Author Comment

by:AustinComputerLabs
ID: 36592482
So in order to add all the things before rockclimbing.com (mail, autodiscover and so on) I have to go with a wildcard cert?

A wildcard cert only works for one domain name per cert?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 13

Accepted Solution

by:
khairil earned 500 total points
ID: 36593017
That what I doing exactly. We have used standard cert from very well known big name before. One cert per domain. That cost me USD 470 per cert and I have 13 of them which cost me USD 6,110 a year.

Soon I find out I need more but not having adequate budget, which make me switch to wildcard cert with cost less than half of I have to spent before. The cert is from less well know CA, but it works.

Wildcard work on multi domain with one cert only. So you need to have only one cert and used it MOSTLY any where.

Wildcard work best if you have domains like these:
1. mail.rockclimbing.com
2. rockclimbing.com
3. autodiscover.rockclimbing.com
4. servername.climbing.rockclimbing.com
6. climbing.rockclimbing.com

The cert will be issued to *.rockclimbing.com instead of per domain. So to anwser you question, it works for multi domain as long it ends with rockclimbing.com (for you case).

My suggestion is only if you want to save budget. Go daddy is good enough for most situation and it's cheap too. You can stil have per cert per domain but have to pay little bit more. I do some calculation for you, based on Go daddy price:

Standard Cert:
7 x USD 89.99 (normal cert per domain) = USD 629.93

Wildcard + Standard Cert:
1 x USD 299.99 (wildcard for rockclimbing.com) + 2 x USD 89.99 (standar cert for 2 climbhere.org domains) = USD 479.97

So you get the different right? It is your choice now.
0
 
LVL 13

Expert Comment

by:khairil
ID: 36593026
opps... is not 7 but 8

Standard Cert:
8 x USD 89.99 (normal cert per domain) = USD 719.92

The different just get bigger.... USD 239.95
0
 
LVL 13

Author Closing Comment

by:AustinComputerLabs
ID: 36594337
Thanks for all your help
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now