Geekzone: technology news, blogs, forums


Benoire

2799 posts

Uber Geek


#129520 18-Sep-2013 15:21

I'm helping a friend with a personal exchange install.  He doesn't want to shell out the money required for a UCC certificate so I was wondering whether you are able to make all the common access services (owa, ews, ecp etc) under the same external name, mail.domain.com and get a single SSL for that.  For reference, the internal domain is the same name as the public domain which he owns.

By combining together, you would only need four SSL certs;

mail.domain.com
<Servername>.domain.com
autodiscover.domain.com
domain.com

Would that work?


gjm

gjm
808 posts

Ultimate Geek


  #897780 18-Sep-2013 15:48

If it's just for personal use why not just use a self-signed cert?








Inphinity
2780 posts

Uber Geek


  #897786 18-Sep-2013 15:54

gjm: If it's just for personal use why not just use a self-signed cert?


Unless you're using Outlook Anywhere, or some of the few other features that won't work with a self-signed cert, I agree - for personal use, I don't see a problem.

Benoire

2799 posts

Uber Geek


  #897792 18-Sep-2013 15:56

It's Outlook Anywhere that's the issue. Internal is not a problem, you can set up a CA for that or other methods, but accessing via the internet is what he wants, including ActiveSync. A self-signed cert is not recognised by browsers external to his domain.



Dynamic
3869 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #897796 18-Sep-2013 16:02

I've not rolled out Exchange 2013 except in a test environment.

If it's for personal use, you can just put up with the slight hassles of sticking with the default self-signed certificate.  You don't HAVE to spend money.  Some mobile devices are picky about self-signed certificates, but others just let you OK a certificate warning once.

For our clients with Exchange 2010 we have just been using these inexpensive certificates ($35/year http://www.trustico.co.nz/rapidssl/who-is-rapidssl.php) with zero hassles.  We are not using autodiscover over the internet on any of these sites.






Inphinity
2780 posts

Uber Geek


  #897797 18-Sep-2013 16:02

Activesync is quite distinct from Outlook Anywhere, and should work with a self-signed cert. Most implementations of it have an option along the lines of "Accept all SSL Certificates" or "Accept self-signed SSL Certificates" you can enable.

That said, yeah, Outlook Anywhere will require an SSL cert to the mail server. You shouldn't need any other address certified though, so mail.domain.com should be fine. Autodiscover is good and all, but unless you're regularly re-setting-up Outlook, I'm not sure there's really a need.

Dynamic
3869 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #897801 18-Sep-2013 16:11

With Outlook 2003 connecting to an Exchange 2003 we used to import the server's certificate into Internet Explorer as a Trusted Root Certificate.

Here are some old instructions that you may be able to find an updated version of for more modern software.  http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx

On Windows 7 you had to run IE as administrator before importing the certificate.  (Start, type iexplore.exe, right-click, run as admin)






ajobbins
5052 posts

Uber Geek

Trusted

  #897803 18-Sep-2013 16:14

GoDaddy do a multi-domain SSL cert for about $100 a year




Benoire

2799 posts

Uber Geek


  #897805 18-Sep-2013 16:16

Thanks for the suggestions guys. He's trying to avoid lots of money as he is a student so doesn't mind the cheap single SSLs ($6 per one roughly, maybe a bit more depending on who you use). For business I'd use the SAN approach but for personal use it would be overkill.

Chris

gehenna
8521 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #897807 18-Sep-2013 16:23
engedib
254 posts

Ultimate Geek


  #907933 4-Oct-2013 15:24

Benoire: Thanks for the suggestions guys. He's trying to avoid lots of money as he is a student so doesn't mind the cheap single SSLs ($6 per one roughly, maybe a bit more depending on who you use). For business I'd use the SAN approach but for personal use it would be overkill.

Chris


It is working fine with a non-SAN certificate as well; you just have to make sure that the split DNS works fine and the external/internal URLs are properly configured in PowerShell: http://social.technet.microsoft.com/wiki/contents/articles/5163.managing-exchange-2010-externalinternal-url-s-via-powershell.aspx




MCSE+M/S, MCITP


wasabi2k
2098 posts

Uber Geek


  #907966 4-Oct-2013 15:40

If you are deploying a single server solution - yes.

If you are deploying multiple sites, no.

our cert is valid for:

1. autodiscover.domainname
2. external web services url (activesync, owa, outlook anywhere, oab)
3. internal web services url
4. CAS server FQDN

1 isn't needed if you use DNS SRV to point autodiscover to your webmail URL
2 and 3 can be the same if you use split DNS
4 isn't needed if you aren't doing multiple sites
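The single-name setup engedib and wasabi2k describe (split DNS, every Internal/External URL on the one hostname, autodiscover via an SRV record so it needs no certificate name of its own), written out as an added Exchange Management Shell example; this is not code from the thread. It assumes a single Exchange 2013 CAS called SERVER01, the hostname mail.domain.com resolving to the server both inside and outside, and a certificate for that name already installed and enabled for IIS; all names are placeholders.

```powershell
# Added example, not from the thread. Assumes Exchange 2013 EMS on a single
# server; hostnames are placeholders. ($Host is a reserved PowerShell variable,
# so the name is held in $MailHost.)
$MailHost = "mail.domain.com"
$Server   = "SERVER01"
$Base     = "https://$MailHost"

# Point every client-facing virtual directory at the one name the cert covers.
# With split DNS the internal and external URLs can be identical, so the
# certificate needs no separate internal name or server FQDN.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
                                    -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

# Outlook Anywhere is the feature that insists on a trusted certificate, so its
# hostnames must match the cert too. (-InternalHostname is 2013-only; 2010 has
# only -ExternalHostname.)
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -ExternalHostname $MailHost -InternalHostname $MailHost

# Domain-joined Outlook finds Autodiscover through the SCP in AD; keep it on
# the same name. External clients use DNS instead: publish
#   _autodiscover._tcp.domain.com  SRV 0 0 443 mail.domain.com
# and autodiscover.domain.com need not appear on the certificate at all.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Check: the certificate enabled for IIS must list every name clients are
# sent to. Add "autodiscover.domain.com" to $Needed if you skip the SRV record.
$Cert   = Get-ExchangeCertificate -Server $Server |
          Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$Names  = $Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$Needed = @($MailHost.ToLower())
$Missing = $Needed | Where-Object { $Names -notcontains $_ }
if ($Missing) {
    Write-Warning "IIS certificate $($Cert.Thumbprint) does not cover: $($Missing -join ', ')"
} else {
    Write-Host "IIS certificate covers all required names: $($Needed -join ', ')"
}
```

After running this, restart IIS (iisreset) so the new URLs are served, and test from an outside network with Outlook's Test E-mail AutoConfiguration to confirm no certificate-name warnings remain.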




Benoire

2799 posts

Uber Geek


  #907967 4-Oct-2013 15:50

I actually got it working with SNI on IIS 8. Set the host name, and I can use individual certs to solve the single IP issue. Effectively I secured the server with 4 certs for $80 for 5 years, compared to a SAN which would cost around $500-$1,000 for the same time period.

Chris
