SSL Certificate for OWA
Can someone explain the rationale behind an SSL Certificate for OWA? Seriously, what is the point? There is no value in it... Just to verify that the site is valid? The bad guys don't get these too? Thanks.
June 2nd, 2009 11:16pm
Hi, The reason to use an SSL certificate is to encrypt the channel between the user and the host, so if a bad guy listens to the communication he can't get your credentials or your data.
Regards, Zoltán
http://www.clamagent.org - Free Antivirus for Exchange
http://www.it-pro.hu
http://emaildetektiv.hu
June 2nd, 2009 11:53pm
The certificate is used so that client computers can encrypt information and send it to the OWA server. This certificate has only the ability to encrypt, not decrypt. Decryption is done with a certificate (called the private key) that only lives on the OWA server. So yes, hackers can encrypt content to the server as well, but they cannot decrypt it. So a hacker cannot read my transmissions to the server if encrypted with a certificate because they only have access to the public key, not the private one. Certificates can also prove site identity, but this only works if we all trust the issuing authority, which by default OWA 2007 isn't a trusted authority. I suggest you zoom out for a bit and read about PKI in general. Focusing on OWA or Exchange without this high-level understanding is only going to complicate your thought process.
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
June 2nd, 2009 11:56pm
I get it. The people I answer to don't. The problem I have is that I am having to purchase something that should have come with the software. I know that a basic cert for OWA is included but it's not the same. So, GoDaddy is going to judge if we have a valid site? I understand about the encryption but if there are several sites that you can purchase this from at different prices. Gives me a real warm feeling that a KEY piece of the security in Exchange 2007 can be purchased from the equivalent of a WalMart. BTW, I probably have forgotten more about software than you know. I am offended by the suggestion that I read something. My point is that it is another piece that is out of my control that I have to spend more money on.
June 3rd, 2009 12:43am
Hi, What you are writing is far from the correct answer. You should not purchase anything. You can set up your own CA, request the keys from it and deploy your own CA's root certificate to your users as I do. I never purchased any certificate. From my point of view you should purchase a commercial certificate only if you are hosting a public service like a payment solution for a webshop. The Exchange is not a public service; it is used by a closed user group.
Regards, Zoltán
http://www.clamagent.org - Free Antivirus for Exchange
http://www.it-pro.hu
http://emaildetektiv.hu
June 3rd, 2009 6:51am
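The private-CA approach from the reply above, as an added example that is not part of the original thread: it issues a server certificate from a private root and shows that a client accepts it only when that root is in its trust store and the hostname matches. The hostname `mail.example.test`, the CA names and the helper functions are constructed for the illustration, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added illustration; every name below is constructed for the example.
HOST=mail.example.test   # hypothetical OWA hostname

# build_pki DIR: make a private root CA, an OWA server certificate signed by it,
# and an unrelated root standing in for a client that never imported the CA.
build_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Private root CA (self-signed). Its key never leaves the CA machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server key pair and signing request; the private key stays on the server.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$d/owa.key" -out "$d/owa.csr" 2>/dev/null || return 1
    # The CA signs the request, binding the hostname (SAN) to the public key.
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$d/san.ext"
    openssl x509 -req -in "$d/owa.csr" -days 30 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/san.ext" -out "$d/owa.crt" 2>/dev/null || return 1
    # Unrelated root: models a trust store that lacks the private CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other Root" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
}

# client_accepts DIR ROOTS NAME: exit 0 only if owa.crt chains to a root in
# ROOTS (or the system default store) and is valid for hostname NAME.
client_accepts() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1/owa.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    client_accepts "$d" "$d/ca.crt" "$HOST" && echo "root deployed:     accepted"
    client_accepts "$d" "$d/other.crt" "$HOST" || echo "root not deployed: rejected"
    client_accepts "$d" "$d/ca.crt" "owa.example.test" || echo "wrong hostname:    rejected"
    rm -rf "$d"
}
demo
```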
My apologies. I am frustrated because our implementation did not go well. I have hired two firms to help and they were worthless. I appreciate the information. It is contrary to what both companies told me. Thanks, -Greg
June 3rd, 2009 7:44pm
Sorry to hear about the trouble with the consulting firm(s). My company does this type of work and I'd be happy to talk to you over the phone if you'd like to contact me directly. You mentioned your dissatisfaction with the notion that GoDaddy or other sites can dictate the validity of your server's address. This also is better understood at a higher level, but GoDaddy is one of the trusted root certification authorities in most web browsers. So are VeriSign, Thawte, Entrust, etc. Think of it like the DMV. Are THEY to dictate who can actually drive a car and who cannot? Well, sort of - yes. But that's because we as a society are satisfied with the tests THEY make their drivers go through before the driver's license is awarded. It's the same with these certificate authorities. They have to validate your identity, and then you can use that "license" as a way to know someone has done the hard work for you. But again, this is only a fraction of what certs do. The content encryption is the much larger aspect, and that doesn't require a "trusted" cert.
Mike Crowley: MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
June 4th, 2009 12:29am