Web certificate

[edie209]

Has anyone had any experience of obtaining a web certificate. I am trying to make exchange available remotley and this will the first thing I need to set this up.

[Abaddon]

We have both a Thawte Certificate (for the Citrix portal), and an in-house certificate for the Web Access component of Exchange... it's easily done by setting up your own CA. As it will only be your users accessing it, and presumably trusting you, wouldn't that be ok for you?

[Joedetic]

Set up the CA server stuff that comes with windows server 2k3. I find it easiest to create a wildcard cert because it'll be easiest to transfer to your other servers.

Eg *.school.org

So that would allow you to use it for vle.school.org, exchange.school.org etc

[edie209]

Thanks guys just found that, probably the same time as you posted. Does anyone pay for their certificate?

[CyberNerd]

Thanks guys just found that, probably the same time as you posted. Does anyone pay for their certificate?

Wildcard certs are £769 for 2yrs or £150 for single certs here:
http://www.precedence.co.uk/internet/ssl/#prices

[Norphy]

Ramesys are setting us up a Sharepoint/Class Server based VLE and a 2 year signed certificate came as part of the deal. However, in the meantime for external access to our OWA I'm using an internal CA and just telling people to trust the certificate

[NetworkGeezer]

May be I was dreaming but isn't there someway of carrying the ceritficate on removable media? I only mention this if staff are very nervous about trusting a site which says it's the schools site.

[Geoff]

I just generate one on our Certificate Server (A linux box running OpenSSL).

[sahmeepee]

I just generate one on our Certificate Server (A linux box running OpenSSL).

And it's automatically trusted by their web browsers at home?? Presumably they have to agree to trust it as Norphy says.

[Geoff]

Not my problem(tm). There is a reverse proxy between the webserver and the rest of the universe. That runs a seperate HTTPS session I have no control over.

For example. Try going to our VLE.

https://vle.carrhill.lancs.sch.uk

You will notice (if you examine it) that the certificate is issued by CLEO (our RBC) not me/my school.

Internally everything is happy because we push out our own root CA certificates via active directory.

[klawd]

Ouch...high price...

I recently got a certificate for our OWA box...UK company...took about 5 minutes online, trusted by default in IE (no warnings)

$69, get it from here

http://www.rapidssl.com/ssl-certific...e-rapidssl.htm

[Joedetic]

Personally i dotn see the problem with putting something on the page with the link saying that it give the warnings but to look in the URL bar to see see an address shown in a print screen below. Saves you a lot of money......

[PiqueABoo]

I definitely would NOT pay for a cert for Exchange.. roll your own, write a little guide on how to install the CA cert... and if you're really keen on improving their behaviour, tell them how to verify the fingerprint on the CA cert before they install it. The only time this is a bit more painful is when you're getting MS-based PDAs to talk to Exchange over SSL (you must get your CA cert onto those for it to work).

Once upon a time I used OpenSSL to make better authentication certs than Windows would (coz of the US crypto-export regs), but nowadays I'd stick with Cert Services for most Windows scenarios.

[edie209]

Thanks for the replies

[sahmeepee]

For example. Try going to our VLE.

https://vle.carrhill.lancs.sch.uk

You will notice (if you examine it) that the certificate is issued by CLEO (our RBC) not me/my school.

Yep, they're too cheap to buy one from a certificate authority, so they've just issued a wildcard one themselves. I'm hoping our LEA will buy a proper wildcard one for ourtown.sch.uk - I wouldn't object to stumping up part of the cost.