SSL certs...which way to go

YeOldeStonecat ([H]F Junkie, joined Jul 19, 2004, 11,330 messages)
With SBS08 wanting certs for RWW, and Exchange 07 being a pain with self generated certs, time to jump on the SSL cert bandwagon and start wrapping my tired mind around them.

My primary purpose will be for SBS setups, and a few OWA setups on dedicated Exchange.

I'm just trying to find the best approach in my head. I tend to get pretty custom with DNS aliases....
https://office.myclient.com/remote for RWW
mymail.myclient.com/exchange or /owa for e-mail
Sharepoint.myclient.com:port

But what I usually do for these, is make an A-Record in DNS for the FQDN of the server
clients-sbs.myclient.com
And then I'll make CNAMEs for stuff like office, mymail, etc., pointing to the A-record.

Now....looking over at GoDaddy.com,
http://www.godaddy.com/ssl/ssl-certificates.aspx?app_hdr=
they have their upper end package, the "unlimited/wildcard" package, at $199.00 per year. Seems overkill to me. But it talks about you can do www.mydomain.com and shop.mydomain.com, etc.

They have some mid-range package, the multiple domains UCC package, 89 bucks/year for the up to 5 domains one. Now if you hover your cursor over it...it still gives an example like www.mydomain.com and www.mydomain.net and shop.mydomain.com
So.."shop" again..there's that flexibility I'm looking for.

I'm not looking to do SSL certs for websites, carts, shopping sites, stuff like that..I would tend to leave that in the hands of clients' website developers. I'm just looking for certs for more SMB needs like with OWA and SBS RWW portals....to get away from those ugly browser errors. What is people's advice?
 
We setup our clients with a domain name and use RapidSSL's wildcard cert to setup domains such as www.domain.com, exchange.domain.com, vpn.domain.com, etc.

Honestly $199 isn't that bad of a deal when you consider the major players like Thawte, VeriSign, and GeoTrust charging hundreds and sometimes a thousand dollars or more for the same functionality.

We've chosen RapidSSL because their SSL certs are "single chain root" meaning you only need to deal with installing their SSL Cert and not having to fiddle with intermediate certificates.

The reason I bring that up is because some handheld mobile devices don't like "intermediate" certs and refuse to work. At least with RapidSSL we don't need to touch any end user device (to import certs) in order to get the SSL working correctly.
 
Most people (even IT people) don't understand certificates or anything about trusted CA issued versus self-signed certs, so they blindly ignore the warnings anyway. If you just want to get rid of the warnings you can uncheck the box in the browser config so you don't get the annoying extra page to click through (or push the setting through Group Policy or whatever else the sites use for configuration management).

Other options are make your own CA and manually install the certs (so at least they are not self-signed) or pay for certs and keys from Verisign or whomever. GoDaddy has always seemed a little shady to me but that's probably just because I work on gov't systems usually.
 
Some phones have issues with self-signed certs, and Firefox gives more than just a "continue anyway".

Anyway YeOld why not do it the sbs08 way and just have a single gateway point? By default it does remote.domain.com

Or just buy one cert and use the redirector feature in IIS so the subdomain points to the one with the SSL/folder needed, since OWA and RWW are both in the same folder in SBS? Just some food for thought. Doing it this way gives you the option of paying 30 bucks a year for a single SSL.
 
yes, with SBS 08 stick to the one. remote.

godaddy cheapest cert works fine.

its what i have been telling you for years now =)

been using the same ones in sbs 03, server 03, etc.

with sbs08 you dont need any of those cnames or redirector, pretty easy for a client to remember remote.domain.com - has access to all inone.
 
Do not use go-daddy ... most every device will complain about the certificate. Go-daddy is not included in the root-certificate file that is included on most devices; my company uses a go-daddy wildcard and everything complains about it, especially iPhones, iTouches, and firefox.

If you need SSL especially if you plan to use it as part of a business, pony up and get a proper certificate that is included in the default root trusted authorities.
 
^ shens on that.

just checked about 6 domains we have using godaddy cert, no issue in firefox, chrome, ie.

no issue i can recall adding iphones to the exchange activesync.

maybe you didn't install it right?
 
I didn't install it, but the person who did could just be incompetent, wouldn't be the first time.

It may depend on the version of firefox, what version are you running?

My iPhone still gives me fits about the certificate when connecting to a WPA2 enterprise domain signed with that certificate. I will add that a friend that works in the EMR industry has had bad experiences with go-daddy certificates as well.
 
newest version of firefox.

i think when i connect the iphones to the domain it gives some issue about security, not really sure, just hit okay and it still works.

for small biz i dont think it matters though. not really sure what error happens with the phone.

what other cheap SSL are there? i have wanted to buy the cert through the SBS 08 console but my clients like the cheap price for the ssl.
 
I think Exchange requires a Unified Communications Certificate, not just a wildcard certificate. For our Exchange server we bought ours from Digicert. There is a study out there and Digicert had that sweet spot of lowest price while still being trusted by everyone.
 
I tend to use RapidSSL certs from Namecheap. Like $10/year, single-root; makes sense when you've just got a single server. You don't get the thorough verification of your real-life identity, but for any non-ecommerce usage I don't see why that's necessary. There's really no advantage to a root-signed certificate other than avoiding the browser warnings. Creating a CA for your company and having your users install it as trusted is an extra step that can avoid the cost completely, will let you issue as many certs as you need for different machines, and is actually more secure (since you have sole control of the signing key), but it means users need to establish that trust or they will get warnings. If you have administrative control over all client machines I would say just do that and push the cert to them; if you're going for random external client access the $10/yr seems well worth it to avoid the warnings.

But if Exchange has special requirements maybe that won't work, it wouldn't surprise me if you need a dozen different CN's in the cert for Windows' stuff to work right.
 
I think Exchange requires a Unified Communications Certificate, not just a wildcard certificate.

Nope, you can use either.

I purchased a 3-yr Go-Daddy cert for our new Exch 2010 server, no issues with warnings, etc. Works fine with all browsers and devices and supports the multiple names that people connect to it with. Plus if I ever need to add a new entry to it, re-issuance is easy. I know others have used RapidSSL and DigiCert so any of those 3 are probably fine unless you happen to be in the financial sector, where they typically stick with the "big names".

YeOlde, to answer the question either a wildcard or UCC cert will do what you're looking for just fine. Find the best deal you can and get it installed.
 
We tend to use the cheap go daddy certs, but when we are doing certs they are just for OWA, so just a simple mail.domain.com.

The only thing that we didn't like at the time we set them up is the intermediate cert that we had to setup. Other than that we have had no issues with it.
 
Thanks for the input all..appreciated.
So I reckon the steps.....make a DNS name, such as office.myclient.com
And just purchase an SSL Cert with that name?

And now...back to setting up...this dang Acer Aspire 1 that some nurse gave me to set her up to remote into the terminal server from home. Yeah..9.something inch screen..RDP with your healthcare program will run GREAT on that! ROFL.
 
yes, by default SBS 2008 makes remote.domain.com and I think its recommended to keep it that way.

one cert for that, installed through teh SBS Wizard (like all SBS) is all you need. We have great luck with the GoDaddy ones. Let me know which one you decide. We have all our registar and ssl in one place.

nice screen! get on aim fool!
 
Not quite that simple.

You need to go into IIS and create a "certificate request" .

When you purchase the SSL Certificate, it will ask you for the "certificate request" you will either upload the text file or copy paste into a webform.

Once the SSL cert is approved, it will be emailed to you where you'll need to import the SSL Cert into IIS.

If you go with a wildcard, be sure to specify *.domain.com
 
^ do all that from the SBS console or have fun with issues in SBS 08 =)

correct way in the SBS 03 or SBS 08 is to go through wizard, fill in information, copy that code to the SSL company and then continue.
 
I use the UCC 5 Domain cert for $90/year.
That enables you to setup a mail.domain.com, a server.domain.com, a server.domain.local (if you want to use local names, too), autodiscover.domain.com... Pretty much covers all bases.

FWIW, as far as naming... Use mail.domain.com if you can. I discovered that people misunderstood "exchange" in exchange.domain.com a lot if talking over the phone. "Change? What???" Mail is pretty straightforward, also shorter.
 
There's also 25% off coupons from GoDaddy when you spend over $100 out there... (Buy the certs for two years to get that).
 
Yea SBS makes it easy. With Exchange 07 (guessing 10 as well) it will create its own self-signed SSL cert for Outlook 07 and above. When you replace the SSL with your own for external use you need to reconfigure Exchange so it says it is that as well, so you don't get an SSL error when opening Outlook 07. SBS takes care of that.
 
For SBS08 make sure you install using the wizard. Else you'll have all kinds of fun problems. :)
 
You could just create your own trusted CA server, then all your PCs joined to the domain will automatically trust it.
For any PCs not on the domain you just install the root server cert as a trusted CA, all done, works on smart phones too.
 
Yea because that's entirely economical to do to every other machine on the internet :rolleyes:

Sometimes, you just have to pony up the money and do it right.
 
What he suggested is actually quite common in the corporate world. Every major company I have worked for (as well as some of my customers including my current) has their own CA.

Additionally, government networks generally don't rely on "public" companies like GoDaddy to issue certs either.

You will find in IT there is rarely one "right" answer.
 
using your own is fine for internal, but phones and outside is a pain.

unless you can make your own authenticated over the web.
 
Open ticket and get your account passwords... awesome system there... do I need to get some crayons to diagram it for you?
 
OK sure but it really depends on what your using the cert for, if you are talking about a retail site that takes credit card info or something similar, then I see your point however if you are only using it for corporate email (webmail or RPC over HTTPS) then whats wrong with having an internal CA?
 
No need to cop an attitude so quickly.:rolleyes: It was a legitimate question as I don't have any dealings with Godaddy for any of their services.

But since you offered, please draw out how obtaining an SSL certificate from GoDaddy for a non-GoDaddy website is in any way related to that blog.
 
Um, did you even read what GoDaddy did to remedy the situation (They changed their processes company wide)? Or do you just like spreading FUD around?
 
Had they not been "caught" would they have ever changed the policy? What else have they not been "caught" doing yet? Shady company is shady...

I guess if you don't have anything to lose or protect, you don't care about security, privacy, integrity, etc...
 
Because every individual and every company on earth does everything bad on purpose and makes no mistakes.
 
All it takes is a look at GoDaddy's marketing to realize they're a sleazy, unprofessional company. GoDaddy Girls? TV spots with hot girls implying there are videos of them kissing each other online? Videos with captions on their website like "5 things I wish I learned in BUSINESS SCHOOL. PLUS ... a smoking HOT blonde." and "TOO HOT FOR TV, INTERNET ONLY VERSION"

And that's not even mentioning the allegations leveled against them for squatting on domains users search for but don't register, or situations like this.

Why on Earth anyone would patronize this company is beyond me. They're incredibly unprofessional, regardless of whether there's intended malice or not (though personally I suspect they try to get away with as much as possible). And their service itself is nothing special.
 
Usually, I'd agree. But honestly, their products (at least that I use) work darn well at a good price and that's really all that matters to me.
 
A little thread resurrection here...

Before I purchase a cert for Exchange 2007, can someone confirm the appropriate UCC cert's alternate names:

Servername
Servername.mydomain.local
Servername.mydomain.com
autodiscover.mydomain.com
mydomain.com -> or should it be remote.mydomain.com

Do I need an

owa.mydomain.com or is this accomplished via the autodiscover

Thanks
 
Well it looks like I botched this one up on first attempt....
Generated a cert from IIS on an SBS03 box.....for the FQDN of the box, example..."sbs.myclient.org"
However, I want the cert to cover other aliases....such as "office.myclient.org" and "mymail.myclient.org", etc.
So when I plug https://sbs.myclient.org/remote into IE to get into RWW...it's nice 'n clean. If I plug in https://office.myclient.org/remote I still get the ugly IE cert warning. I need to get rid of that, I thought a 5x domain cert from GoDaddy would allow some flexibility.
 
What I use:
server.domain.local
server.domain.com
server2.domain.com
server3.domain.com (These last two are just additional aliases).
autodiscover.domain.com

That's it. The public website is hosted elsewhere so I don't need a domain.com entry.

Just re-generate the request and re-do the cert. Make sure you add both the sbs.myclient.org, office.myclient.org into there though.
 
This is the part I'm brain farting on....
So when I'm on the server in IIS doing the generate request weeeeezard, instead of just plugging in the FQDN for the server...such as sbs.myclient.com, I type in several aliases? In the fashion of doing multiple e-mails...separated by a semicolon? Or separated by a comma and space?
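The browser warning in the "botched" attempt above, and the question of how to get several aliases into one request, both come down to one rule: the browser compares the host name the user typed against the names listed in the certificate (the Subject Alternative Name entries, or the Common Name on old single-name certs). CNAMEs in DNS play no part in that comparison, so a cert issued only to sbs.myclient.org will always warn for office.myclient.org, no matter where the CNAME points. The script below is an added example, not code from the thread or from any vendor; it implements the matching rules browsers follow (RFC 6125 / RFC 2818: a wildcard covers exactly one left-most label, so *.myclient.org matches office.myclient.org but neither myclient.org nor a.b.myclient.org). The URLs are the ones from the opening post; the certificate name lists and the 8443 port are constructed for the example.

```python
"""Which host names does a certificate actually cover?

Added example for the thread above: browser-style host name matching against a
certificate's DNS names, used to show which names a single-name, wildcard or
multi-name (UCC/SAN) certificate covers. Name lists below are constructed.
"""
from urllib.parse import urlsplit

# URLs the opening post wants to serve (port 8443 is a stand-in for ":port").
OP_URLS = [
    "https://office.myclient.com/remote",
    "mymail.myclient.com/exchange",
    "https://sharepoint.myclient.com:8443",
]

# Constructed name lists standing in for three kinds of certificate.
SINGLE_NAME_CERT = ["sbs.myclient.com"]          # what the IIS wizard issued
WILDCARD_CERT = ["*.myclient.com"]               # GoDaddy/RapidSSL wildcard
UCC_CERT = [                                     # 5-name UCC / SAN cert
    "sbs.myclient.com", "office.myclient.com", "mymail.myclient.com",
    "sharepoint.myclient.com", "autodiscover.myclient.com",
]


def _match_label_pattern(pattern, host):
    """Match one certificate name against a host name.

    Rules (RFC 6125 s6.4.3 / RFC 2818): compare case-insensitively, ignore a
    trailing dot, and allow '*' only as the entire left-most label with at
    least two more labels after it, matching exactly one label of the host.
    Partial wildcards such as f*o.example.com are rejected, as browsers do.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # "*.com", "*.*.org", "sbs*.myclient.com" never match
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(host, cert_names):
    """True if any dNSName in the certificate matches the typed host name."""
    return any(_match_label_pattern(name, host) for name in cert_names)


def hostnames_from_urls(urls):
    """Distinct host names users will type; path and port are irrelevant."""
    hosts = []
    for url in urls:
        if "://" not in url:
            url = "https://" + url
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def uncovered(urls, cert_names):
    """Host names from the URLs that the certificate would warn about."""
    return [h for h in hostnames_from_urls(urls) if not cert_covers(h, cert_names)]


INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def publicly_issuable(name):
    """Public CAs have not been allowed to issue certificates for internal
    names (single labels, .local and similar) since November 2015 under the
    CA/Browser Forum Baseline Requirements; such names belong on an internal CA.
    """
    n = name.lower()
    return "." in n.strip("*.") and not n.endswith(INTERNAL_SUFFIXES)


if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT), ("UCC", UCC_CERT)):
        print(f"{label:12} still warns for: {uncovered(OP_URLS, names) or 'nothing'}")
    print("wildcard covers bare domain?", cert_covers("myclient.com", WILDCARD_CERT))
    print("server.domain.local issuable by a public CA?",
          publicly_issuable("server.domain.local"))
```

So the "separated by semicolon or comma" question has no answer inside the IIS 6 wizard: that wizard only takes one common name, and every extra alias has to be carried as a Subject Alternative Name in the request (on Windows that means a certreq.exe request built from an INF file, or the SBS 2008 console wizard and the CA's UCC order form, which collect the extra names for you). Names such as server.domain.local can no longer be bought from a public CA and should go on an internal CA instead.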
 