SSL Certificates- Advice required

[DigitalWreck]

I'm just about to go live with my OWA and i've spent a lot of time looking in to SSL certificates. During my testing procedure i produced my own certificate which worked fine. Before i go live i just wanted to know if anyone thinks its a bad idea to use your own certificates as opposed to purchasing certificates from a company such as veritas and what are the real advantages for the paid service?

Any ideas would be great. Thank you

 

[58sniper]

Internally created certificates are not trusted. So, if you're attempting to get to your OWA site remotely from a public workstation, you'll get the security warning. In IE7, it really discourages users from going forward.

With a trusted certificate, users won't get that prompt.

rapidssl.com has certificates at 70 bucks a year, and they take 5 minutes to create, purchase, and install.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[markdmac]

I'd have to do some digging, but I had found a public cert service that was free. (out of Australia as I recall).

I hope you find this post helpful.

Regards,

Mark

 

[58sniper]

I'd certainly be interested in that - if it's trusted.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[markdmac]

An MSN or GOOGLE search for free SSL Certificate will give you lots of possible choices. Having trouble finding the site I used for a client as it was about a year ago and I no longer work for the company where the details are saved, but I can attest that free and recognized sites are available out there.

Personally I would just use the self signed cert and click to install the cert. My experience is that the majority of OWA users are accessing from home computers anyway.

I hope you find this post helpful.

Regards,

Mark

 

[markdmac]

I gave a call over to the client that had this, he won't be back in the office until Monday but maybe then I will be able to get the name of the company I had used.

I hope you find this post helpful.

Regards,

Mark

 

[58sniper]

Well, freessl.com will give you a trial cert. They are part of rapidssl.com. Then, you get quite a discount when you upgrade.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[DigitalWreck]

Thanks for all the advice.

So the only disadvantage is that the user will have to say 'yes' to the warning before they can access the owa site.

Am i right in assuming that some public internet places such as internet cafes will prevent users from accepting the certificate?

 

[58sniper]

I don't know about that, but I do know that if you don't have a trusted certificate, getting RPC over HTTPS is more difficult, as is ActiveSync on Exchange.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)

 

[markdmac]

Using Outlook over HTTP isn't really a problem in my opinion because people would only be setting that up at home, not an Internet cafe. So having a self signed cert means nothing to them. Just give them a doc to follow on how to configure it and they will be happy.

Regarding Server ActiveSync, MS has a free tool for disabling Cert Checking on a SmartPhone or PPC.

I think the real question you need to ask yourself is will customers (not employees) need to use the cert. If yes then go with a public one. If it is just for employees, a self signed cert is fine.

I hope you find this post helpful.

Regards,

Mark

 

[NickFerrar]

Regarding EAS, disabling cert checking is no longer possible in Windows Mobile v5. Just been playing with this today and it's a bit of nightmare. As long as you can add certificates to your device you should be OK, otherwise you're screwed. We actually use VeriSign certificates here and although the device I have (QTek 9100) has a VeriSign root cert pre-loaded (I guess it's standard with Mobile 5) I had to install some intermediate certs before it would finally work.

 

[DigitalWreck]

Wow thst been really helpful guys.

I found an article on creating a second virtual directory in IIS for PDA users to access which will allow me to disable SSL and everything looks good.

With my particular scenario it will only be employees accessing email so i will use my own CA.

Once again, thanks for all the advice.

Now my next job is to get users to synch their PDAs wirelessly. Anything in particular I should look out for when doing this?

 

[markdmac]

http://support.microsoft.com/?id=912918

Also setting your IIS permissions up right is essential.

Default Web site
    Enable Anonymous access
    Integrated Windows Authentication
Exadmin
    Integrated Windows Authentication
    Require SSL
        Require 128 bit
Exchange
    Basic Authentication
        Default Domain \
Exchange-oma
    Integrated Windows Authentication
    Basic Authentication
ExchWeb
    Enable Anonymous access
    Require SSL
        Require 128 bit
Microsoft-Server-ActiveSync
    Scripts and Executables
    Exchange Application Pool
    Basic Authentication
        Default Domain DomainName
OMA
    Scripts Only
    ExchangeMobileBrowseApplicationPool
    Basic Authentication
        Default Domain DomainName
Public
    Basic Authentication
        Default Domain \
    Require SSL
        Require 128 bit

I hope you find this post helpful.

Regards,

Mark