Geekzone: technology news, blogs, forums
Benoire
#129520 18-Sep-2013 15:21

I'm helping a friend with a personal Exchange install. He doesn't want to shell out the money required for a UCC certificate, so I was wondering whether you are able to make all the common access services (OWA, EWS, ECP etc.) use the same external name, mail.domain.com, and get a single SSL cert for that. For reference, the internal domain is the same name as the public domain, which he owns.

By combining them, you would only need four SSL certs:

mail.domain.com
<Servername>.domain.com
autodiscover.domain.com
domain.com

Would that work?

gjm
#897780 18-Sep-2013 15:48

If it's just for personal use, why not just use a self-signed cert?

Inphinity
#897786 18-Sep-2013 15:54

gjm: If it's just for personal use, why not just use a self-signed cert?


Unless you're using Outlook Anywhere, or some of the few other features that won't work with a self-signed cert, I agree - for personal use, I don't see a problem.

Benoire
#897792 18-Sep-2013 15:56

It's Outlook Anywhere that's the issue. Internal is not a problem, you can set up a CA for that or use other methods, but accessing via the internet is what he wants, including ActiveSync. A self-signed cert is not recognised by browsers external to his domain.



Dynamic
#897796 18-Sep-2013 16:02

I've not rolled out Exchange 2013 except in a test environment.

If it's for personal use, you can just put up with the slight hassles of sticking with the default self-signed certificate.  You don't HAVE to spend money.  Some mobile devices are picky about self-signed certificates, but others just let you OK a certificate warning once.

For our clients with Exchange 2010 we have just been using these inexpensive certificates ($35/year http://www.trustico.co.nz/rapidssl/who-is-rapidssl.php) with zero hassles. We are not using autodiscover over the internet on any of these sites.

Inphinity
#897797 18-Sep-2013 16:02

Activesync is quite distinct from Outlook Anywhere, and should work with a self-signed cert. Most implementations of it have an option along the lines of "Accept all SSL Certificates" or "Accept self-signed SSL Certificates" you can enable.

That said, yeah, Outlook Anywhere will require an SSL cert to the mail server. You shouldn't need any other address certified though, so mail.domain.com should be fine. Autodiscover is good and all, but unless you're regularly re-setting-up Outlook, I'm not sure there's really a need.

Dynamic
#897801 18-Sep-2013 16:11

With Outlook 2003 connecting to an Exchange 2003 server, we used to import the server's certificate into Internet Explorer as a Trusted Root Certificate.

Here are some old instructions that you may be able to find an updated version of for more modern software.  http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx

On Windows 7 you had to run IE as administrator before importing the certificate. (Start, type iexplore.exe, right-click, run as admin)

ajobbins
#897803 18-Sep-2013 16:14

GoDaddy do a multi-domain SSL cert for about $100 a year
Benoire
#897805 18-Sep-2013 16:16

Thanks for the suggestions guys. He's trying to avoid lots of money as he is a student so doesn't mind the cheap single SSLs ($6 per one roughly, maybe a bit more depending on who you use). For business I'd use the SAN approach but for personal use it would be overkill.

Chris

gehenna
#897807 18-Sep-2013 16:23

engedib
#907933 4-Oct-2013 15:24

Benoire: Thanks for the suggestions guys. He's trying to avoid lots of money as he is a student so doesn't mind the cheap single SSLs ($6 per one roughly, maybe a bit more depending on who you use). For business I'd use the SAN approach but for personal use it would be overkill.

Chris


It is working fine with a non-SAN certificate as well; you just have to make sure that split DNS works fine and that the external/internal URLs are properly configured in PowerShell: http://social.technet.microsoft.com/wiki/contents/articles/5163.managing-exchange-2010-externalinternal-url-s-via-powershell.aspx
wasabi2k
#907966 4-Oct-2013 15:40

If you are deploying a single server solution - yes.

If you are deploying multiple sites, no.

Our cert is valid for:

1. autodiscover.domainname
2. external web services url (activesync, owa, outlook anywhere, oab)
3. internal web services url
4. CAS server FQDN

1 isn't needed if you use DNS SRV to point autodiscover to your webmail URL
2 and 3 can be the same if you use split DNS
4 isn't needed if you aren't doing multiple sites

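As an added example (not code from the thread or from any poster), this Exchange Management Shell script does what engedib's and wasabi2k's posts describe: it publishes every client-facing service under the one host name the certificate carries, then checks the set of names clients will actually be sent to against the certificate bound to IIS. It assumes a single Exchange 2013 server with split DNS; SERVER01 and mail.domain.com are placeholders.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell on a
# single Exchange 2013 server, split DNS so the one host name resolves both inside
# and outside, and placeholder names SERVER01 and mail.domain.com.
$Server   = "SERVER01"         # placeholder server name
$HostName = "mail.domain.com"  # the single name the certificate carries
$Site     = "Default Web Site"

# 1. Publish every client-facing service under the same host name, internally and
#    externally, so clients are never handed a URL the certificate does not cover.
Set-OwaVirtualDirectory         -Identity "$Server\owa ($Site)" -InternalUrl "https://$HostName/owa" -ExternalUrl "https://$HostName/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp ($Site)" -InternalUrl "https://$HostName/ecp" -ExternalUrl "https://$HostName/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS ($Site)" -InternalUrl "https://$HostName/EWS/Exchange.asmx" -ExternalUrl "https://$HostName/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync ($Site)" -InternalUrl "https://$HostName/Microsoft-Server-ActiveSync" -ExternalUrl "https://$HostName/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB ($Site)" -InternalUrl "https://$HostName/OAB" -ExternalUrl "https://$HostName/OAB"
# -InternalHostname is an Exchange 2013 parameter; Exchange 2010 only has -ExternalHostname.
Set-OutlookAnywhere             -Identity "$Server\Rpc ($Site)" -InternalHostname $HostName -ExternalHostname $HostName -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic
Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "https://$HostName/Autodiscover/Autodiscover.xml"

# 2. Check: gather every host name Exchange will now hand out to clients ...
$vdirs  = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
          @(Get-WebServicesVirtualDirectory -Server $Server) + @(Get-ActiveSyncVirtualDirectory -Server $Server) +
          @(Get-OabVirtualDirectory -Server $Server)
$urls   = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
          @((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)
$needed = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host }) +
          @(Get-OutlookAnywhere -Server $Server | ForEach-Object { "$($_.InternalHostname)"; "$($_.ExternalHostname)" })
$needed = $needed | Where-Object { $_ } | Sort-Object -Unique

# ... and compare them with the names on the certificate bound to IIS.
# Exact match only: a wildcard certificate (*.domain.com) would need its own rule.
$iisCert = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match "IIS" }
$covered = @($iisCert | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
$missing = @($needed | Where-Object { $covered -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Names clients will be sent to that the IIS certificate does not cover: $($missing -join ', ')"
} else {
    Write-Output "Every client URL is covered by the IIS certificate: $($covered -join ', ')"
}
```

If wasabi2k's SRV-record approach is used for autodiscover, the name in that record is the one to add to the check, since no Exchange cmdlet reports it.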
Benoire
#907967 4-Oct-2013 15:50

I actually got it working with SNI on IIS 8. Set the host name, and I can use individual certs to solve the single IP issue. Effectively I secured the server with 4 certs for $80 for 5 years, compared to a SAN which would cost around $500-$1,000 for the same time period.

Chris
