buying first exchange 2007 cert
Hi guys, I would like to ask a few questions in regard to Exchange 2007 SSL certs. I'm currently running Exchange in a test lab for my own benefit, and I would like to enable OWA and Outlook Anywhere right now. Maybe down the road I would like to play around with unified messaging after I get an open source PBX up and running. Everything I'm reading states that you must use a UCC cert for Exchange 2007; basically the 20.00 GoDaddy or RapidSSL certs won't work any more. I really don't want to pay GoDaddy 200.00 bucks for a UCC cert that I will use in my home lab. So I must ask: what are my other options for setting up SSL with Exchange 2007? Basically, can I use the 20.00 certs for OWA and Outlook Anywhere, or do I need to just buy the UCC cert?
July 21st, 2009 2:55am
Well, since you are just testing in a lab, you can build your own Certificate Authority (CA) on any member server or on a DC and generate your own SAN certificate.
I couldn't find any step-by-step article for an internal CA to generate a SAN cert to use with Exchange, but you may check the certificate generation portion in the article below...
Load Balancing Exchange 2007 Client Access Servers using Windows Network Load-Balancing Technology Part 3: Creating Certificates and Testing Client Services
http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.html
Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
July 21st, 2009 5:28am
Yes, I'm in a lab, but I prefer to use the product as if it were in a production environment, so I will eventually be buying a real cert. I was actually looking at the standard UCC cert from GoDaddy. As I stated above, I want to use OWA, Outlook Anywhere, and eventually play around with the voice integration through an open source PBX. http://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039
July 21st, 2009 5:13pm
GoDaddy is 89.99 a year for their UCC certs. I'm not sure where you're getting the $200 number. I've used GoDaddy on several clients, but some devices don't have them as trusted roots (probably OK for your lab). More here: http://mike-crowley.spaces.live.com/blog/cns!C23CB95E1200929!178.entry
Mike Crowley A+, Network+, Security+,
MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
July 21st, 2009 8:38pm
Yes, I quoted the GoDaddy price wrong, my fault. I plan on going with one of their certs as of right now. I'm not really worried about ActiveSync that much; I'm more into the BlackBerry anyway. However, I am curious about finding a list of which providers will work with the majority of phones. My whole thing with this is: how do you know that you need the more expensive UCC cert? For example, what if you were only doing OWA or Outlook Anywhere, could you not use the cheap 29.00 cert for that? Now I know if you do OWA, Outlook Anywhere, and unified messaging you need the UCC cert.
July 21st, 2009 9:17pm
You only need the UCC cert if you want to include multiple subject names, Autodiscover being the main one... If you don't want Autodiscover you can use a single-name cert. (Advice varies on use of edge server, multiple CAS servers, etc.) Read here for more: http://msexchangeteam.com/archive/2007/07/02/445698.aspx
Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
July 21st, 2009 10:02pm
Hi,
As Mike Crowley explained, you are only required to have a UCC cert if you want to include multiple subject names in the certificate. Nevertheless, we actually have some methods to configure Exchange Server to use a single-name certificate.
For example, say you would like to use the mail.domain.com URL to access OWA. For Autodiscover, an external Outlook 2007 client that cannot connect to a DC uses the hard-coded Autodiscover URL (autodiscover.domain.com) to access the Autodiscover service. Therefore, autodiscover.domain.com needs to be included in the Subject Alternative Name of the certificate. Nevertheless, Microsoft provides another method to have the external Outlook 2007 client get the URL (mail.domain.com) to access the Autodiscover service, such as an SRV record.
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881/en-us
For Outlook Anywhere, you can also configure the Outlook Anywhere external host name to be mail.domain.com.
For other services, such as the Availability service and the OAB service, you can also configure their internal/external URLs manually to match mail.domain.com.
For your reference:
Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505.aspx
Mike
July 22nd, 2009 9:34am
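The single-name setup described in the last reply, as an added example that is not part of the original thread. It assumes a hypothetical Client Access server named CAS01, Outlook Anywhere already enabled, and a certificate issued for mail.domain.com only:

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 server.
# Assumptions: 'CAS01' is a hypothetical Client Access server name;
# mail.domain.com is the only name on the certificate, as in the post above.
$cas  = 'CAS01'
$fqdn = 'mail.domain.com'

# Autodiscover: domain-joined Outlook 2007 clients read this URI from Active Directory.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# Availability service (served from the EWS virtual directory).
Get-WebServicesVirtualDirectory -Server $cas |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$fqdn/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"

# Offline Address Book distribution.
Get-OabVirtualDirectory -Server $cas |
    Set-OabVirtualDirectory -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"

# Outlook Anywhere external host name (no-op if Outlook Anywhere is not enabled yet).
Get-OutlookAnywhere -Server $cas | Set-OutlookAnywhere -ExternalHostname $fqdn

# External Autodiscover without autodiscover.domain.com on the certificate:
# publish this SRV record in the public DNS zone (KB 940881), shown in zone-file form:
#   _autodiscover._tcp.domain.com.  IN SRV 0 0 443 mail.domain.com.

# Check: list the names the installed certificates cover and the URLs now advertised.
# Every host in those URLs should appear in CertificateDomains; any that does not
# will produce a certificate name-mismatch warning on the client.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, NotAfter
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $cas | Format-List ExternalHostname
```

Outlook 2007 only falls back to the SRV lookup after its attempts against domain.com and autodiscover.domain.com fail, so the external zone should not carry an A or CNAME record for autodiscover.domain.com in this setup.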