Windows Server 2008 R2 Thread, exchange 2007 certificates in Technical; Time has come for us to purchase a certificate for the owa services on our exchange 2007 machine.
Which certificate ...
3rd December 2010, 09:38 AM #1
exchange 2007 certificates
Time has come for us to purchase a certificate for the owa services on our exchange 2007 machine.
Which certificate do I need ? and can anyone recommend a supplier ? - not 123-reg as they are being annoying.
I was thinking of a free single domain cert from startssl and using this guide Exchange - Exchange 2007 Single Name SSL Certificate | Amset.info - but would rather have as little hassle as possible.
3rd December 2010, 10:47 AM #2
3rd December 2010, 10:50 AM #3
cheers, but we don't have an .edu domain, trying to find cheapest ucc cert now
3rd December 2010, 11:18 AM #4
Neither do we ours is .org.uk
Originally Posted by caffrey
3rd December 2010, 11:36 AM #5
ah ok, so it works as long as its an educational establishment, just the .edu threw me - thanks!
3rd December 2010, 12:20 PM #6
are these free ones ucc ?
3rd December 2010, 12:37 PM #7
If you've got an AD then why not set up your own CA and issue from there - saves a whole lot of problems, especially if (like me) you keep issuing the certificate for the wrong domain name/purpose - quite trickey with Exch 2010 & I presume 2007 is the same.
3rd December 2010, 12:48 PM #8
But then this causes problems with OWA as it's not a trusted certificate.
You might want to have a look here ...
How to create a certificate request for an Exchange 2007 UCC
3rd December 2010, 01:13 PM #9
I did / had no issues with own CA, however with all this snow, suddenly everyones using owa - and people want it fixing now even tho i've explained how to click past the cert error.
I did use digicert to create the CSR and i'm currently waiting on ipsca now. Bit concerned as to wether its a ucc tho ?
this seems a good straightforward document for certs Sembee | Exchange 2007 and SSL Certificates - Take 2
3rd December 2010, 01:47 PM #10
On Domain computers you can use a GPO to install the CA certificate (i.e. your own CA) in their Trusted store, then all issued certifcates will automatically be trusted. For non-domain computers, if you're in a school I don't see why you can't tell your users either to ignore the OWA certificate's 'not-trusted' pop-up or else to add the cert to their trusted store manually. Works nicely for us. (edit: ah, just read your last post - maybe your users are too thick for this!)
Originally Posted by stevenewman
3rd December 2010, 01:55 PM #11
they see big warning signs and run away - not a bad attitude i admit, but they should read and see what it says first.
well got the certificate from ipsca now time to break things i guess ;p
3rd December 2010, 02:47 PM #12
well installed, and with a bit of messing got it to work (cert errors in outlook internally but was easy enough to fix), thanks for the link
cert doesnt seem to be trusted in firefox tho ?
3rd December 2010, 10:09 PM #13
I know you shouldn't knock a free.. but IPSCA was a bit of a pain for OWA last time I went near one. You need to make sure you have reasonably current MS cert updates on Windows OS's which isn't very predictable for home PCs, you also need to install and serve up the intermediate certs on the Exchange server etc. May well be fixable because I spent very little time on it, but I gave up on trying to figure out how to make Firefox happy.
All-in-all it wasn't obvious that this was easier than using your own CA, and then giving your users the CA cer file to install on any non-domain machines. OWA is not a general public web service after all, the user's are your own and can be told that if they want the warnings gone strongly enough then all they need to do is...
4th December 2010, 08:51 AM #14
I've since done a bit of reading about IPSCA and it seems they are only really supported by Microsoft.
I've tried our owa in osx, linux and windows (xp and 7) and found it only works on windows with chrome or IE (7,8,9) (not firefox) so not that much better than a self cert
shame really might have to consider getting a multi domain from godaddy or similar, that or plead ignorance and say our IT dept. only supports windows and microsoft browsers ;p
BTW I tried using 123-reg but their support is terrible, I just couldn't get the CSRs to work on their site and the delay in responding to questions was horrendous!
5th December 2010, 09:57 AM #15
We use ipSCA for our certificates and all work well with our Exchange OWA, VLE and for remote access.
The only browser complaining at the moment about them is Firefox, why its taken so long I don't know. I did look on the bug/request list for Firefox and apparently the developers have asked for more info from ipSCA but have not recieved it for some reason. I've already had one parent querying the certificate while their child accessed our VLE but I wrote a short e-mail explaining the situation.
Saves a bit of money for the school, I know certs are cheaper these days but a saving is a saving.
As mentioned you don't need a .edu domain, I got ours for our .sch.uk domain but the education certificates are manually checked (takes a bit longer) but work fine.
By sacrej in forum Windows Server 2008 R2
Last Post: 13th October 2010, 09:26 AM
By irsprint84 in forum Windows Server 2008
Last Post: 7th September 2010, 09:10 AM
By imiddleton25 in forum Windows
Last Post: 10th November 2009, 10:13 AM
By jdibsdale in forum Windows
Last Post: 29th May 2009, 06:40 PM
By timbo343 in forum Windows
Last Post: 12th September 2008, 09:34 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)