Exchange certificate - can I reuse the current one?
  • Exchange certificate - can I reuse the current one?

    Currently I have a 2003 environment with OWA, ActiveSync, etc. I set up my own certificate authority on one of the servers, I made my own certificate and everything has worked well for years. Our phones use SSL, as does OWA

    (of course on OWA the users may get a warning about it not being verifiable, depending on their settings). This is OK for us.

    This certificate is not for mail.company.com, but instead for our internal server name, let's call it SERVER1 (which is the one that has 2003 OWA and the CA installed on it).

    Can I use this same cert to secure Outlook, Outlook Web App and ActiveSync in Exchange 2010?


    I do not need nor want RPC over HTTPS for outlook anywhere in case that makes a difference.

  • #2
    Re: Exchange certificate - can I reuse the current one?

    Most probably not, you have to provide a certificate with more than one name, also called UC or SAN certificate.

    But if you already have an internal CA it's a question of minutes to get a new certificate for Exchange 2010 that the server and the users are happy with.

    For Active Sync you have to find a way to provide the devices with the certificate from your CA.

    If you are not familiar with the whole task it's probably better to use a certificate provided by an official CA, but as always it's up to you.

    • #3
      Re: Exchange certificate - can I reuse the current one?

      Running your own certificate authority for anything public facing I see as a poor economic decision. Once you have found a way to get the root certificate on to each device and then deployed it, the financial saving isn't worth the cost saving.

      Plus you will always get a certificate prompt on OWA access, and telling users to ignore prompts is a bad idea. A unified communications certificate, trusted by most mobile devices is less than US$80/year. Install it, forget about it.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.

      • #4
        Re: Exchange certificate - can I reuse the current one?

        Originally posted by FischFra
        Most probably not, you have to provide a certificate with more than one name, also called UC or SAN certificate.

        But if you already have an internal CA it's a question of minutes to get a new certificate for Exchange 2010 that the server and the users are happy with.

        For Active Sync you have to find a way to provide the devices with the certificate from your CA.

        If you are not familiar with the whole task it's probably better to use a certificate provided by an official CA, but as always it's up to you.

        Yeah, after I made the thread I found a really nice guide at emailsecuritymatters.com that walks through doing the right kind of certificate for Exchange 2010. I will just make a new one

        and deploying it to devices is not a big deal either, sure it's manual labor for most part but what are you gonna do, lol

        • #5
          Re: Exchange certificate - can I reuse the current one?

          Originally posted by Sembee
          Running your own certificate authority for anything public facing I see as a poor economic decision. Once you have found a way to get the root certificate on to each device and then deployed it, the financial saving isn't worth the cost saving.

          Plus you will always get a certificate prompt on OWA access, and telling users to ignore prompts is a bad idea. A unified communications certificate, trusted by most mobile devices is less than US$80/year. Install it, forget about it.

          Simon.

          I'm not arguing against this, I would love to and we probably will be buying a cert, but for the migration itself I would just prefer to avoid it. Our OWA use is VERY limited, maybe a few people use it per week (if that), it's mostly ActiveSync

          who would you recommend for the signed cert? I found digicert for around $115, can't say I have seen anything under $100/yr.

          • #6
            Re: Exchange certificate - can I reuse the current one?

            www.godaddy.com or www.certificatesforexchange.com are under $80 per year on a 3 year cert
            (Actually the latter is $60 per year regardless)
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            • #7
              Re: Exchange certificate - can I reuse the current one?

              this may be a dumb question, but with a signed cert I wouldn't need to deploy it to each smartphone? I can't say I am an expert on certificates, but I was under the impression that the process is the same

              • #8
                Re: Exchange certificate - can I reuse the current one?

                No -- devices will use the chain of trust:

                Smartphone trusts Verisign (other providers exist) -- this trust is built in to the phone OS
                Verisign trusts GoDaddy
                GoDaddy trusts your server

                therefore phone trusts your server

                Zero effort on the client side -- well worth the $$$
                Tom Jones

                • #9
                  Re: Exchange certificate - can I reuse the current one?

                  well that explains the cost, lol

                  alright you've convinced me, I'm buying one from http://certificatesforexchange.com/

                  thanks for all the help!

                  • #10
                    Re: Exchange certificate - can I reuse the current one?

                    certificatesForExchange.com is the best place for sure. I got one just the other day - relatively quick and easy. (And I'm reselling it to someone, so I took advantage of a coupon I found somewhere)

                    The other reason that I don't think I've seen listed above yet is, ignore all the RPCoHTTP stuff, but Exchange 2007/2010 rely very heavily on Autodiscover and EWS services - both of which need a UCC certificate bound to them...
                    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif
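
Added example, not written by any poster in this thread: a Python check of which host names a candidate certificate covers, showing why a certificate issued only for SERVER1 cannot serve Exchange 2010 while a UC/SAN certificate can. mail.company.com and SERVER1 are the thread's placeholder names; autodiscover.company.com, the service labels and the function names are assumptions made for illustration, and the matching goes slightly beyond the thread by also handling wildcard names.

```python
# Names the clients connect to. mail.company.com and SERVER1 come from the
# thread; autodiscover.company.com is an assumed Autodiscover host name.
REQUIRED = {
    "OWA / ActiveSync": "mail.company.com",
    "Autodiscover": "autodiscover.company.com",
    "Internal Outlook / EWS": "SERVER1",
}


def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name, ignoring case.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so *.company.com covers neither company.com nor SERVER1.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, required=REQUIRED):
    """Return {service: host} for every required name the certificate misses."""
    return {
        service: host
        for service, host in required.items()
        if not any(name_matches(name, host) for name in cert_names)
    }


# Constructed name lists for three candidate certificates.
OLD_2003_CERT = ["SERVER1"]
WILDCARD_CERT = ["*.company.com"]
UC_CERT = ["mail.company.com", "autodiscover.company.com", "SERVER1"]

if __name__ == "__main__":
    for label, names in [("old 2003 cert", OLD_2003_CERT),
                         ("wildcard cert", WILDCARD_CERT),
                         ("UC/SAN cert", UC_CERT)]:
        missing = uncovered(names)
        print(label, "->", f"missing {missing}" if missing else "covers every name")
```

Publicly trusted CAs no longer issue certificates that contain single-label internal names such as SERVER1, so with a purchased certificate the internal URLs are normally pointed at a public name instead.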