Geekzone: technology news, blogs, forums
3321 posts | Uber Geek | +1 received by user: 694 | Trusted
Reply # 1303231 13-May-2015 01:36

Personally I use Comodo.
I tried GoDaddy - it's not trusted properly by default on Android devices, so you need to install the chain? certificates on them before it will let you pass through without trust warnings. Not worth it for the end user.
That's a problem with the cheaper providers. You really need one of the recognised brand names so the chain is pre-installed in Windows/Android/iOS and already trusted.

So I just went with a Comodo certificate for about $80 through www.namecheap.com

Ray Taylor
Taylor Broadband (rural Hawkes Bay)
www.ruralkiwi.com
There is no place like localhost
For my general guide to extending your wireless network Click Here

2079 posts | Uber Geek | +1 received by user: 884 | Trusted
Reply # 1303312 13-May-2015 08:52

raytaylor: Personally I use Comodo.
I tried GoDaddy - it's not trusted properly by default on Android devices, so you need to install the chain? certificates on them before it will let you pass through without trust warnings. Not worth it for the end user.
That's a problem with the cheaper providers. You really need one of the recognised brand names so the chain is pre-installed in Windows/Android/iOS and already trusted.

So I just went with a Comodo certificate for about $80 through www.namecheap.com


Are you sure you didn't forget to send the chain certificate from your web server?
StartSSL has the same "problem": the certificate you get isn't trusted, but you configure your web server to also send the chained certificate along with it and it works fine.

672 posts | Ultimate Geek | +1 received by user: 67
Reply # 1303326 13-May-2015 09:32

Quacko: I recommend DigiCert www.digicert.com
They are a step above the super-cheap/free certs, on par with those you would get from Thawte or Verisign, but cheaper.

+1 for DigiCert. Their support staff are also extremely efficient and knowledgeable.

2091 posts | Uber Geek | +1 received by user: 849
Reply # 1303336 13-May-2015 09:47

raytaylor: Personally I use Comodo.
I tried GoDaddy - it's not trusted properly by default on Android devices, so you need to install the chain? certificates on them before it will let you pass through without trust warnings. Not worth it for the end user.
That's a problem with the cheaper providers. You really need one of the recognised brand names so the chain is pre-installed in Windows/Android/iOS and already trusted.

So I just went with a Comodo certificate for about $80 through www.namecheap.com


GoDaddy intermediate certs are not part of the default Java keystore (their roots are). As has been said, you need to send the chain, not just the server certificate, when you use them.

On a NetScaler this means adding the intermediate certs and linking them.

On most other appliances it means uploading a PFX with all certificates in the chain.

Realistically 99.9% of users don't even look at who issued the certificate. If you are protecting financial transactions I would go with a legit SSL provider with a long track history that you can call, not just email.

For OWA for an SME, who really cares as long as it works.

1704 posts | Uber Geek | +1 received by user: 410
Reply # 1303448 13-May-2015 11:42

For Outlook Anywhere...
This is what MS has to say:
https://support.microsoft.com/en-us/kb/929395

i.e. a UC/SAN cert is needed.

But looking at servers with basic DigiCert/Thawte IIS certs installed, Outlook Anywhere still works OK.
That's all I'm concerned with, Outlook Anywhere.

So I guess there is no straight answer as to what cert is ACTUALLY needed.
It's almost as if cert sellers went out of their way to confuse & confuddle, perhaps to make price comparisons near impossible?

2091 posts | Uber Geek | +1 received by user: 849
Reply # 1304506 13-May-2015 13:34

1101: For Outlook Anywhere...
This is what MS has to say:
https://support.microsoft.com/en-us/kb/929395

i.e. a UC/SAN cert is needed.

But looking at servers with basic DigiCert/Thawte IIS certs installed, Outlook Anywhere still works OK.
That's all I'm concerned with, Outlook Anywhere.

So I guess there is no straight answer as to what cert is ACTUALLY needed.
It's almost as if cert sellers went out of their way to confuse & confuddle, perhaps to make price comparisons near impossible?


Exchange can be complicated. Which SSL certs are you talking about and where are they installed?

Outlook Anywhere will use the ExternalURL to connect - this could be webmail.bob.com - if you have that SSL cert installed that might work.

But you also want to have autodiscovery work, so you need autodiscover.bob.com (or an SRV record).

You then also need your internal names to work for internal clients/CAS servers to communicate with each other - so cas01.bob.com, cas02.bob.com, and even more names if your internal and external DNS are split. It is also good practice for your InternalURL and ExternalURL to be different and the InternalURL to not be resolvable externally.

If you have external load balancers you can have a single SSL cert for webmail.bob.com, then have all the internal stuff on internally issued certs.

Our Exchange cert has 10 SANs - as we need it to provide connectivity across 2 physical sites and 3 domains.


In short - if you are clever you can make it work (with some issues) without a SAN certificate - but the proper way to do it is to use one.

91 posts | Master Geek | +1 received by user: 22
Reply # 1304866 13-May-2015 23:18

1. Get a UCC SSL cert.
2. Register it for mail.yourdomain.com (or whatever your external FQDN is).
3. Register SANs for autodiscover.yourdomain.com.
If your internal domain is externally invalid (i.e. yourdomain.local etc.) then you need to configure your Exchange to use external FQDNs for all server communication (i.e. pointing everything at mail.yourdomain.com). You then need to configure a split DNS inside your network so that internally your devices resolve mail.yourdomain.com to your internal IP address (e.g. 192.168.1.15). Your external DNS will point mail.yourdomain.com to its external IP address (e.g. 103.83.99.95).
If your internal domain is externally valid (i.e. internal.yourdomain.com) then you register the internal servers as additional SANs (e.g. cas01.internal.yourdomain.com).

I might still have the PowerShell scripts for both methods, which I'll see if I can dig out (they go through and change all the internal and external FQDNs on the Exchange server).

PS. I use GoDaddy and they work perfectly (you need to import the intermediate cert onto the web server). No issues whatsoever in the last 6 years.

Jas
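The two things the thread keeps coming back to (a server that forgets to send the intermediate cert, and a cert that lacks the SAN names Outlook Anywhere and autodiscover ask for) can both be reproduced offline. The script below is an added example, not code from any poster in this thread: it builds a throwaway root -> intermediate -> server chain with OpenSSL, then checks it the way a client that only trusts the root would. Every name in it (Demo Root CA, mail.example.com, autodiscover.example.com, the pass phrase "demo") is constructed for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "missing intermediate"
# failure and the SAN hostname check with a throwaway PKI, then build the
# "PFX with the whole chain" that appliances expect. All names are constructed.

# make_demo_pki DIR: root CA -> intermediate CA -> server cert, written to DIR.
# Output is silenced because openssl x509 -req is chatty; drop 2>/dev/null to debug.
make_demo_pki() {
  dir=$1
  # Root CA (self-signed): stands in for the root that Windows/Android/iOS/Java ship.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Demo Root CA" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem"
  # Intermediate CA, signed by the root: the cert clients usually do NOT have,
  # so the server has to send it or the client cannot build the chain.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/int.key"
  openssl req -new -key "$dir/int.key" -subj "/CN=Demo Intermediate CA" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem"
  # Server (leaf) cert carrying the SANs an Exchange front end needs.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com,DNS:autodiscover.example.com\n' > "$dir/leaf.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -subj "/CN=mail.example.com" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem"
} 2>/dev/null

# verify_as_client ROOT LEAF HOSTNAME [INTERMEDIATE]
# Emulates a client that trusts only ROOT and was given LEAF by the server.
# Pass INTERMEDIATE to emulate a server that sends the chain; omit it to
# emulate one that sends only its own cert (the symptom described above).
# Prints OK or the OpenSSL error; exit status 0 on success, 1 on failure.
verify_as_client() {
  root=$1; leaf=$2; host=$3; inter=${4:-}
  if [ -n "$inter" ]; then
    out=$(openssl verify -CAfile "$root" -untrusted "$inter" -verify_hostname "$host" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$root" -verify_hostname "$host" "$leaf" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo "OK"; return 0 ;;
    *) echo "FAIL: $out" | tr '\n' ' '; echo; return 1 ;;
  esac
}

# bundle_pfx DIR: build the PKCS#12 most appliances want: private key, server
# cert and intermediate in one file. Prints how many certs the bundle holds (2).
bundle_pfx() {
  dir=$1
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.pem" \
    -certfile "$dir/int.pem" -passout pass:demo -out "$dir/mail.pfx"
  openssl pkcs12 -in "$dir/mail.pfx" -nokeys -passin pass:demo 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: the four outcomes a client can see, plus the PFX check.
demo=$(mktemp -d)
make_demo_pki "$demo"
r=$demo/root.pem; l=$demo/leaf.pem; i=$demo/int.pem
printf 'leaf only, client trusts root    : '; verify_as_client "$r" "$l" mail.example.com || true
printf 'leaf + intermediate sent         : '; verify_as_client "$r" "$l" mail.example.com "$i" || true
printf 'SAN name autodiscover.example.com: '; verify_as_client "$r" "$l" autodiscover.example.com "$i" || true
printf 'name not in SAN (owa.example.com): '; verify_as_client "$r" "$l" owa.example.com "$i" || true
printf 'certificates inside mail.pfx     : '; bundle_pfx "$demo"
rm -rf "$demo"
```

The first case is exactly what an Android phone or a Java client sees when the web server presents only its own certificate: the root is trusted, but nothing links the leaf to it. Windows clients often hide this because they fetch the missing intermediate themselves, which is why a server can look fine from a desktop and still throw warnings on phones. The last two cases show why the autodiscover name has to be in the SAN list: the chain is perfectly valid and the connection still fails for a name the cert does not cover.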
