Hosting our own Certificate of Authority or Changing our Domain Name?

We have been using a .local domain name for years and we like it.  But, Symantec / Verisign will no longer host our Certificate with a .local domain name.  Namely, for using Microsoft Exchange, we have always used Symantec / Verisign.

The choice that is given to us is to host our own CA.  Or change our domain name from .local to .com, if we want Verisign to host our Certificate.

From my research, the process of hosting our own CA isn't terribly difficult, but my question comes to how to get certificates to all of the 300 smart phones, iPads, tablets and external (to our firewall) laptops and desktops.  With Verisign, it is automatic, all of those devices automatically work.

That would be the way we would want it to be, but from my research it looks like that isn't possible?  Or is it?

The other option, as stated would be to change our domain name - which looks, at best ugly and wrought with many conflicts that may not be worth the investment of time - or at least the time to possibly get certs to all mobile devices manually, or through web enrollment.

Does anyone have any suggestions or have encountered this similar issue?

Thanks for your help.

Environment: Windows Server 2012 R2, Exchange 2007, Android and iOS devices.
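The reason a public CA will no longer issue for the .local name is that it is an internal name: it cannot be validated through public DNS, so nothing on the certificate ties it to a domain the applicant controls. A quick way to see which names on an Exchange certificate request would survive a move to a public CA and which ones only an internal CA can sign is to classify the Subject Alternative Names. The following is an added example, not code from the original thread; the list of non-public suffixes is an assumption chosen for illustration, and the sample SAN list is constructed.

```python
import ipaddress

# Suffixes that cannot be validated through public DNS (assumed list for
# illustration; .local is the one the question is about).
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan",
                       ".corp", ".home", ".test", ".example", ".invalid")


def is_public_name(name: str) -> bool:
    """Return True if a public CA could plausibly issue for this SAN entry."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return False

    # IP address SANs: only globally routable addresses can be issued for;
    # RFC 1918 ranges such as 192.168.0.0/16 are internal names too.
    try:
        return ipaddress.ip_address(name).is_global
    except ValueError:
        pass  # not an IP literal, treat as a DNS name

    # A wildcard is acceptable only as the whole leftmost label.
    host = name[2:] if name.startswith("*.") else name
    if "*" in host:
        return False

    labels = host.split(".")
    # Single-label hosts (e.g. "EXCHANGE01") are unqualified internal names.
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return False

    for suffix in NON_PUBLIC_SUFFIXES:
        if host.endswith(suffix) or host == suffix[1:]:
            return False
    return True


def classify_sans(sans):
    """Split SAN entries into (publicly issuable, internal-only) lists."""
    public, internal = [], []
    for entry in sans:
        (public if is_public_name(entry) else internal).append(entry)
    return public, internal


if __name__ == "__main__":
    # Constructed SAN list resembling a typical Exchange certificate request.
    sample = ["mail.example.com", "autodiscover.example.com",
              "exchange01.corp.local", "EXCHANGE01", "192.168.1.10"]
    ok, not_ok = classify_sans(sample)
    print("public CA can issue for :", ok)
    print("internal CA only        :", not_ok)
```

Every name that lands in the internal-only list either has to be dropped from the request (and reached via split DNS under the public name) or keeps requiring a certificate from an internal CA, which is exactly the device-trust distribution problem the question describes.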

Amit (IT Architect) commented:
You need to go for the other option. It is much easier compared to option 1, which is not practical.

Read this

Sudhir Bidye commented:
You can download and send the certificate to each user. Ask them to open OWA on their phones, download the internal CA certificate from OWA to the phones and install it.
Go with the VeriSign certificate; it will be well worth it down the road.
peter_ophoven (Author) commented:
We have TMG running on the edge pushing - Outlook Anywhere, OWA, Active-Sync and IMAP and POP services enabled.  All running SSL.

Will the digicert process from above work even though we are using the TMG as a front edge security firewall?
Thanks for your input so far, a couple of really great leads to work through.
peter_ophoven (Author) commented:
Thank you community.  We survived and learned along the way.  That is the best solution!