
Which SSL certificate(s) is necessary for SBS2011?

I am facing an installation of a new Dell server with Small Business Server 2011 (not virtual)

Usually I would order a 3rd-party SSL certificate from Thawte to make sure the connectivity with iPhones and Outlook HTTP will function properly.

This certificate will be issued to REMOTE.COMPANY.DK pointing to the global IP of the company.

Now I hear two things which make me a little confused:

1) I will also need a second certificate for AUTODISCOVER.COMPANY.DK
2) It is not required at all to use a paid 3rd-party certificate. I can use the server's own.

Please point out the correct guidelines for me :-)
Asked by: Ohmit
10 Solutions
 
Cliff Galiher commented:
If your DNS host supports SRV records then you don't need a certificate with the autodiscover.* name. Multi-domain certificates, either UCC/SAN or wildcard are more expensive and the SBS wizards don't generate CSRs for these, so sticking to a simple cert is, in my opinion, better when possible.

As far as using 3rd party versus the internally generated cert, while you CAN use an internally generated certificate, distributing them to external devices is not an insignificant task. Considering the cost of a 3rd party cert is so low these days, the time it saves in distribution and troubleshooting pays for itself. There is rarely a justified reason to use an internal cert.
0
 
Sushil Sonawane commented:
Subject Alternative Names let you protect multiple host names with a single SSL certificate.

If you are going to order the certificate from a third party then you do not require a new third-party or self-signed certificate for the domain "AUTODISCOVER.COMPANY.DK".

You can just add the SAN name "AUTODISCOVER.COMPANY.DK" to the "REMOTE.COMPANY.DK" certificate, meaning on a single certificate you can add multiple domain names.

Please refer to the link below.

(http://www.digicert.com/subject-alternative-name.htm)

OR

You can create a self-signed certificate with multiple SAN names.
0
 
Cliff Galiher commented:
Ignore this comment, wrong tab.
0
 
Sushil Sonawane commented:
New-ExchangeCertificate -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName AUTODISCOVER.COMPANY.DK, remote.COMPANY.DK -PrivateKeyExportable $true

To create a SAN certificate in the Exchange 2010 console:

(http://blogs.msexchange.org/walther/2009/08/29/the-new-certificate-wizard-in-exchange-2010-rc/)
0
 
Alan Hardisty commented:
I always use a SAN/UCC SSL certificate for SBS 2011 and I don't use the SBS Wizard to generate it - I use the Exchange Wizard to generate it and it always works.

Names to include are:

remote.domain.com (or whatever you choose if you don't use the default)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
sites (if you intend to use Sharepoint)

A GoDaddy SAN / UCC cert will cost you about $90 for 1 year or a reseller account will cost you about $60 for 1 year. I usually stick a 3 year cert on my SBS 2011 servers.
0
 
vSolutionsIT commented:
Sembee has posted a nice article with all the steps required to make a single-name certificate with Exchange 2007. This will work for Exchange 2010 as well.

Check Sembee's article at:
http://exchange.sembee.info/2007/install/singlenamessl.asp

and check the one below as well:
http://community.spiceworks.com/how_to/show/1098
0
 
Simon Butler (Sembee), Consultant, commented:
You can get it down to two names in the certificate:

remote.example.com
autodiscover.example.com

The others are not really required, and SBS will correct them for you.
Furthermore, from 2012, you cannot put non-FQDN or internal names into the SSL certificate, so you may as well move to the new formatting.

However as Alan has said, use Exchange 2010 to do the certificate request, but activate it in SBS 2011.

If you want to use a single name SSL certificate, then for Exchange 2010 follow my updated link here: http://exchange.sembee.info/2010/install/singlenamessl.asp
If you cannot use SRV records for autodiscover, then use the multiple name method here:
http://exchange.sembee.info/2010/install/ssl-sbs2011.asp

The internally generated certificate is not supported for use with ActiveSync or Outlook Anywhere.

Simon.
0
 
Cliff Galiher commented:
Keep in mind that SBS uses the certificate not just for exchange, but also for RWA. Specifically the RDGateway service is assigned the certificate as well. Requesting and installing the certificate via Exchange will not properly set up the RDGateway service. There are workarounds, but they tend to be fragile and the SBS wizards undo the settings.

Also, UCC/SAN certificates tend to be significantly more expensive. $15 vs $90. While both are less than most IT consultants' hourly rates, I also think a 500% mark-up is a pretty steep price when a SRV record accomplishes the same task and is easier to maintain long term.

Obviously there are multiple approaches, so some of the above is purely opinion. But there are also legitimate "gotchas" as well, such as requesting and installing certificates via Exchange on SBS. So plan carefully and be cautious on the advice you take.
0
 
Simon Butler (Sembee), Consultant, commented:
That is why you do the request and the response through Exchange 2010, but don't enable it. Enable the certificate through SBS and everything works correctly.

The SRV record works well - IF the external DNS provider supports SRV records. Many do not, so you have to use UC certificates, which are only $60 or less if you know where to look.

I would also disagree that SRV records are easier to maintain - there is no difference in my opinion between the two. Both methods require additional DNS records over and above the simple remote.example.com A record, and both require the SSL certificate to be renewed. If anything SRV records can be overlooked, potentially causing a problem if you move DNS providers.

Simon.
0
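The trade-off the thread argues over (single-name cert plus an SRV record, versus the autodiscover.* name in a SAN cert) can be checked mechanically before ordering anything. The following is an added example, not code from any poster; company.dk, 203.0.113.10 and the SAN lists are constructed sample values, and the Autodiscover lookup order assumes a non-domain-joined client (phone or external Outlook) with no AD SCP lookup available.

```python
# Added example: which names an SBS 2011 certificate must cover for a given
# external DNS setup, and which DNS records each approach needs.

def name_matches(san, host):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def cert_covers(san_names, host):
    """True if any name on the certificate matches the host the client connects to."""
    return any(name_matches(s, host) for s in san_names)

def autodiscover_hosts(domain, srv_target=None):
    """HTTPS hosts the client tries for Autodiscover, in order (assumption: no AD SCP).
    An _autodiscover._tcp.<domain> SRV record adds its target as the last option."""
    hosts = [domain, "autodiscover." + domain]
    if srv_target:
        hosts.append(srv_target)
    return hosts

def required_dns_records(domain, remote_host, public_ip, use_srv):
    """External DNS records each approach needs beyond nothing at all:
    both add one record on top of the remote.* A record."""
    records = [("A", remote_host, public_ip)]
    if use_srv:
        records.append(("SRV", "_autodiscover._tcp." + domain, "0 0 443 " + remote_host))
    else:
        records.append(("CNAME", "autodiscover." + domain, remote_host))
    return records

def check_plan(san_names, domain, remote_host, srv_target=None):
    """Return (RWA/OWA host not covered by the cert or None,
    whether at least one Autodiscover path lands on a covered host)."""
    uncovered = None if cert_covers(san_names, remote_host) else remote_host
    ad_ok = any(cert_covers(san_names, h)
                for h in autodiscover_hosts(domain, srv_target))
    return uncovered, ad_ok

if __name__ == "__main__":
    single = ["remote.company.dk"]
    print(check_plan(single, "company.dk", "remote.company.dk"))                       # (None, False)
    print(check_plan(single, "company.dk", "remote.company.dk", "remote.company.dk"))  # (None, True)
    print(check_plan(single + ["autodiscover.company.dk"], "company.dk", "remote.company.dk"))  # (None, True)
    print(required_dns_records("company.dk", "remote.company.dk", "203.0.113.10", True))
```

A single-name certificate therefore only works for Autodiscover when the SRV record exists; without it the autodiscover.* name has to be on the certificate, which is exactly the DNS-provider constraint Simon describes.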
 
Alan Hardisty commented:
I always request, install and enable the certificate through Exchange (shell) and I have had no problems with doing it that way so far.

We come across plenty of providers that don't yet support SRV records - which is a pain, but a quick transfer of domain hosting fixes that up nicely.
0
