SSL Certificates with Exchg07 & Mobile Devices

[epsilon6]

Has anyone successfully purchased SSL Certificates with Exchange 07 and have the mobile devices accept them (like Palm Treo 750)?

If so, what kind of SSL certificates do I need to purchase? I head some people where having problems with GoDaddy SSL certificates. Can anyone help clarify?

 

[kornakmf]

Be careful, I just installed a certificate from

http://www.rapidssl.com.

They issue certificates that are from GeoTrust Client Services which is a trusted CA.

Everything works great except for ActiveSync to my Windows Moble 6 phone.

I have just posted a support request to see if someone can help.

http://www.tek-tips.com/viewthread.cfm?qid=1431647&page=1

I will let you know how it goes.

Mark

 

[58sniper]

Well, this is by far the most complex part of Exchange 2007. In fact, I wrote about 40 pages on it for a new book due out in February.

SSL is MUCH more complicated in Exchange 2007. You need to determine your requirement for Autodiscover. You'll likely want to use a Subject Alternative Name (SAN) certificate (also called a Unified Communications cert) in Exchange 2007. This will allow you to specify various names all in one cert.

There are only three CAs that sell SAN certs (last I heard), with Digicert being the favorite.

Pat Richard
Microsoft Exchange MVP

 

[Stevehewitt]

We ended up trying a wildcard SSL cert from GoDaddy. Should have been fine in theory (was in fact!) until we tried to get ActiveSync working. WM will NOT support wildcard SSL certs. Just gave up and got a cheap standard SSL from GoDaddy - no problems since. (Although WM5 devices will need the cert installing, WM6 won't)

Good Luck,



Steve.

"They have the internet on computers now!" - Homer Simpson

 

[Cstorms]

I remember reading the other day something about some service in Exchange not being able to use SAN certs, for lack of being able to find it in my bookmarks can anyone clarify this?

Cory

 

[Stevehewitt]

You can use SAN certificates within Exchange 2007. Should work fine. Can't find a reference to it, but it's hidden away in TechNet somewhere!




Steve.

"They have the internet on computers now!" - Homer Simpson

 

[Cstorms]

Ok Ok, I found what I was thinking of, good ole browser history...

http://msexchangeteam.com/archive/2007/02/19/435472.aspx

In the comments for this article a fellow mentioned SAN certs do not work with ISA 2006.

I have yet to do alot of digging as I just refound it, but the sites that I have been skimming make publishing this type of cert using 2006 a huge task. (Impossible though?)

Thoughts?

Cory

 

[58sniper]

That's true about ISA and SAN certs.

A plain SSL cert will work, but will break Autodiscover to the outside world, and causes extra admin and setup tasks.

SAN is still the best if you're not using ISA.

Pat Richard
Microsoft Exchange MVP

 

[kornakmf]

I figgured this out.

I had to install the Root certificate for my CA on my PocketPC.

http://www.geotrust.com/resources/root_certificates/index.asp

Things worked great after that.

 

[cajuntank]

Wasn't there a list that showed what trusted certificate authorities were trusted in WM5 and WM6?
I will have to purchase a CA and was going with GoDaddy because I thought I remember GoDaddy being on the WM5 list, I know they were on the WM6 list... I do not want to have to install certs on all of the Treo 700w's well be getting.

 

[Cstorms]

Check your cert store on one of the Treos, Start - Settings - System - Certificates - (root tab)

Verify any conflicts you may have if you are going to use a SAN cert. (not sure of any since I havent used them ever but I would look for gotchas judging by some of the fuss around vendors, and support of all features)

Cory