We have been using a .local domain name for years and we like it. But Symantec/Verisign will no longer host our certificate with a .local domain name. Namely, for using Microsoft Exchange, we have always used Symantec/Verisign.
The choice that is given to us is to host our own CA, or change our domain name from .local to .com if we want Verisign to host our certificate.
From my research, the process of hosting our own CA isn't terribly difficult, but my question comes down to how to get certificates to all of the 300 smart phones, iPads, tablets and external (to our firewall) laptops and desktops. With Verisign, it is automatic; all of those devices automatically work.
That would be the way we would want it to be, but from my research it looks like that isn't possible? Or is it?
The other option, as stated, would be to change our domain name - which looks, at best, ugly and fraught with many conflicts that may not be worth the investment of time - or at least the time to possibly get certs to all mobile devices manually, or through web enrollment.
Does anyone have any suggestions, or has anyone encountered a similar issue?
Thanks for your help.
Environment: Windows 2012 Server R2, Exchange 2007, droid and iOS devices.