[ExchangeList] Re: SSL Cert Exch 03

  • From: Simon Butler <simon@xxxxxxxxxxxx>
  • To: "exchangelist@xxxxxxxxxxxxx" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sun, 18 Apr 2010 14:40:40 +0100

Unless you have control over every device access the SSL site, then a self-signed certificate isn’t really an option. If you allow users to access OWA from their own machines, at home for example, then you need to use a commercial signed certificate. Asking users to ignore certificate prompts is bad security practise, particularly with the amount of phishing attempts that there are on the internet. The last thing you want to do is get users conditioned to ignoring security warnings.


Your replacement SSL certificate can come from any provider and can use any host name that you like. However if your user community is using mail.example.com then you should really stick with that name, unless you purchase a unified communications certificate which allows you to have multiple names.

Wildcard certificates are not always a suitable option, due to some compatibility issues, particularly if you are using RPC over HTTPS on Exchange 2003 with Outlook 2003.


There are a wide range of SSL providers. You do not have to use Verisign, unless you have deep pockets and want to waste money. For simple OWA protection I tend to use GoDaddy certificates, as they are widely trusted. http://certificatesforexchange.com/ . They are also cheap and do the job just as well as Verisign.






Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.

e: simon@xxxxxxxxxxxx
w: http://www.sembee.co.uk/
w: http://www.amset.info/

w: http://blog.sembee.co.uk/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/


Exchange Resources: http://exbpa.com/




From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Asus77x
Sent: 18 April 2010 07:18
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] SSL Cert Exch 03


Dear All,


I have SSL cert handled by third party and now expired. I’m not able to contact this 3rd party for renewal. My plan is go get new SLL cert or use self signed. Should I recreate for public hostname for SSL host? Can it use other domain name? Is there any consideration for self signed?





Other related posts: