Outlook Web Access Certificate

[Friez]

Gahhh!

Okay so here's the problem: We've set up exchange and got outlook web access and all that lovely stuff. We've made our own temporary certificate which of course makes IE scream 'ITS DANGEROUS JIM, DONT CLICK IT'. Of course, everyone must accept the certificate in order to get into their mail.

Well, I've been tasked in getting a genuine certificate for the server to shut up this message, except I'm not entirely sure of:

a) What certificate to get *exactly*
b) How to go about installing it (although this is not the big kicker).



Here's our incredibly fubar setup:

Our Internal Mail Server uses a smart host at SWGfL for delivery.

Our outfacing website (.org) REDIRECTS to a subdomain of our SWGfL website (.sch.uk) which is bound to the IP of our OWA webserver.

Our email addresses all use the domain name of the outfacing website.

RIGHT! So what certificate must we install onto our mail server in order to have it all work from our .org site?

Do I use the domain name of the .org, or the .sch.uk or something else?

*headache*

Many thanks in advance.

[apeo]

You may find this useful:

Create your own CA

To answer your question, i would say the sch.uk one as your org one redirects to the sch.uk so your actual url is sch.uk

[ZeroHour]

Buy for the .sch.uk domain imho.
Do you use OMA/Activsync?
If the url of the OWA is on the sch.uk domain then you need that server secured. Getting this setup can be simple and it can be hell.
What kind of firewall/proxy do you use that sits between OWA and the internet?

[Friez]

We don't use activsync or anything like that, just basic OWA access to their email. The systems not fully in place yet (the majority are still using easymail) but we hope to roll over soon!

I don't think we'll have much problem with firewalls or the like, it's just knowing which domain name to register the certificate for since theres so many blasted domains in the equation

[ZeroHour]

It depends, if you were say using ISA 2004+ and using exchange publishing then yeh it makes a difference.
We bought our certificate through GeoTrust and it was a QuickSSL Premium which has the correct root certificates so mobile devices would work as well.
If you dont need this then comodo are one of the cheapest and biggest.
We had a couple of issues getting the companies to issue certificates though due to whois problems.

Also note you can not change the url and external ip once you buy a cert fyi.

[binky]

We use ipsCA its trusted, so mobile devices work and you don't get that certificate error / warning. You shouldn't need an EV Certificate either.

and I bet I can beat all your prices (here's the best bit)....

ipsCA is free for schools!

[joe90bass]

It depends, if you were say using ISA 2004+ and using exchange publishing then yeh it makes a difference.
We bought our certificate through GeoTrust and it was a QuickSSL Premium which has the correct root certificates so mobile devices would work as well.
If you dont need this then comodo are one of the cheapest and biggest.
We had a couple of issues getting the companies to issue certificates though due to whois problems.

Also note you can not change the url and external ip once you buy a cert fyi.

Digging up an old thread here. Has anyone used comodo? I've just ordered a cert from them and then found out that they require photo ID, (I didn't see this mentioned when I read through their site) they will only accept senior management photo ID and not surprisingly our head is not happy to do this, can't see any others being either! As a NM I'm too lowly a being for them to accept my ID......

[pooley]

Digging up an old thread here. Has anyone used comodo? I've just ordered a cert from them and then found out that they require photo ID, (I didn't see this mentioned when I read through their site) they will only accept senior management photo ID and not surprisingly our head is not happy to do this, can't see any others being either! As a NM I'm too lowly a being for them to accept my ID......

Ditch them m8 and go with ipsCA works fine here and has been posted its entirely free

[joe90bass]

I tried signing up and never heard back from them. Will have to try again!

See you on the 3rd!

[pooley]

If I remember right, you have to have an admin@ email address