Exchange Server Forums

How do you trust a self-signed owa 2010 certificate

How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 7:58:59 AM   
pe5mith

 

Posts: 21
Joined: 25.Jan.2011
Status: offline
Exchange 2010 has set up a self-signed certificate for OWA. How do you get all computers in the same 2003 Domain to trust that certificate without visiting every computer?
Post #: 1
RE: How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 9:28:30 AM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
EASY! You don't! You should purchase a new trusted certificate from a certificate provider (I usually recommend Entrust as it is highly trusted by most browsers and mobile devices) and make sure it is a UC certificate with all the subject alternative names (OWA url, autodiscover url and internal CAS server names) on it.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to pe5mith)
Post #: 2
RE: How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 9:35:53 AM   
pe5mith

 

Posts: 21
Joined: 25.Jan.2011
Status: offline
Is there no way I can tell my network to trust my own server without giving money to third parties?

I know buying a cert is best but I'm now on a budget embargo!!

(in reply to de.blackman)
Post #: 3
RE: How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 4:44:06 PM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Well, you can deploy a certificate authority into your domain and then create a certificate from it, but you would have to manually make modifications to the certificate templates so it can issue the proper UC certificates (by default, certificate authorities or CAs can only issue web server certificates that can have a single common name). Once you install a CA into your domain, ALL your domain-joined machines will automatically trust it as the root; however, if you have users who will connect from machines that are NOT part of the domain (such as machines in their homes), they will always get the certificate prompt. It is definitely cheaper in terms of money but you have to consider your administrative costs on top of that. You are basically going to deploy a new service into your network. In the long run, I always recommend a public certificate because then you don't have to worry about managing it.

Good luck!

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to pe5mith)
Post #: 4
RE: How do you trust a self-signed owa 2010 certificate - 31.Jan.2011 3:16:50 AM   
pe5mith

 

Posts: 21
Joined: 25.Jan.2011
Status: offline
Many thanks for that reply. I think I'll invest.

All I have to do now is try to solve my other problem with the odd attachment scenario.

(in reply to de.blackman)
Post #: 5
RE: How do you trust a self-signed owa 2010 certificate - 31.Jan.2011 9:05:25 AM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
I think you are making a wise choice in investing in a publicly trusted certificate. You will have little to no headaches related to certificates now.

If you have other issues, please post them in the different sections of the forum that correspond to the issue.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to pe5mith)
Post #: 6
RE: How do you trust a self-signed owa 2010 certificate - 31.Jan.2011 10:02:27 AM   
pe5mith

 

Posts: 21
Joined: 25.Jan.2011
Status: offline
Thanks - I did but no one has had any ideas yet

http://forums.msexchange.org/Mixed_environment_attachment_missing/m_1800544168/tm.htm

(in reply to de.blackman)
Post #: 7
RE: How do you trust a self-signed owa 2010 certificate - 15.Feb.2011 6:32:52 PM   
caddyshack

 

Posts: 12
Joined: 26.Apr.2010
Status: offline
You don't need SAN or UC certs to run Exchange. You can get three SSL certs from your own CA with the common names: owa.company.com, autodiscover.company.com and servername.company.com. Distribute your CA's root certificate to all Windows clients with a GPO. With this approach, there are a few things you need to do under the hood. Separate the autodiscover web service to another website. Now some mobile phones may not accept the self-signed certs. I think the Outlook Over the internet may also have problems with the certs.

(in reply to pe5mith)
Post #: 8
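A check for the naming question debated in this thread, added here as an example and not code from any poster or from Microsoft: given a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, it lists which of the host names clients will use are not covered. The sample certificates are constructed, `company.com` is the placeholder domain from the post above, and the function names are hypothetical.

```python
# Added example: which client-facing names does a certificate fail to cover?
# Host names follow post 8; company.com is the poster's placeholder domain.
REQUIRED = ["owa.company.com", "autodiscover.company.com", "servername.company.com"]

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
UC_CERT = {
    "subject": ((("commonName", "owa.company.com"),),),
    "subjectAltName": tuple(("DNS", n) for n in REQUIRED),
}
SINGLE_NAME_CERT = {"subject": ((("commonName", "owa.company.com"),),)}
CN_NOT_IN_SAN = {
    "subject": ((("commonName", "autodiscover.company.com"),),),
    "subjectAltName": (("DNS", "owa.company.com"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.company.com"),)}


def dns_names(cert):
    """Names a client will match against: DNS SANs, or the CN only if there are none."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 6125: once a DNS SAN exists, the subject CN is ignored
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def matches(pattern, host):
    """Exact match, or '*' standing for the whole left-most label and nothing else."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def missing_names(cert, required=REQUIRED):
    """Required host names that the certificate does not cover."""
    names = dns_names(cert)
    return [r for r in required if not any(matches(n, r) for n in names)]


if __name__ == "__main__":
    for label, cert in [("UC/SAN", UC_CERT), ("single name", SINGLE_NAME_CERT),
                        ("CN not in SAN", CN_NOT_IN_SAN), ("wildcard", WILDCARD_CERT)]:
        print(f"{label:14} missing: {missing_names(cert) or 'none'}")
```

This covers names only; whether a client trusts the issuer is the separate question of getting the CA root into that client's trust store.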
RE: How do you trust a self-signed owa 2010 certificate - 15.Feb.2011 7:35:02 PM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Caddyshack,

I like your enthusiasm, but why would you go through all that when you can simply use the recommended method by Microsoft to purchase a UC certificate? Microsoft's recommendations are made for a reason! In addition, your method would require the installation of an internal CA. Some organizations do not allow the creation of such services due to security and policy reasons. Even if they did, users who connect from outside the domain would have an issue because home machines are not domain members so getting the root CA installed on them would be practically impossible.

So to clarify, your statement that says using a UC certificate is the easiest and recommended method for deploying Exchange.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to caddyshack)
Post #: 9
RE: How do you trust a self-signed owa 2010 certificate - 16.Feb.2011 6:21:07 PM   
caddyshack

 

Posts: 12
Joined: 26.Apr.2010
Status: offline
de.blackman,

I agree with you 110% on the Exchange 2010 best practices. I thought the OP couldn't afford the UC cert due to budget constraints. That's why I suggested an alternative route.

When I migrated my Exchange 2003 environment to 2007 three years ago, UC/SAN certs were a new concept to most admins and some public CAs weren't even issuing them. IIRC, Exchange itself had few problems dealing with the certs. I know now UC/SAN certs are cheaper to get and implement.

So, I agree we all need to follow the best practice guidelines but I like the control I have on the Exchange/IIS servers with my three certs approach (signed by a public CA). I am hoping MS didn't make the UC/SAN certs mandatory in Exchange 2010.

(in reply to de.blackman)
Post #: 10
RE: How do you trust a self-signed owa 2010 certificate - 17.Feb.2011 8:12:18 AM   
de.blackman

 

Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Glad we are on the same page then, and no, Microsoft has NOT made it compulsory to use a UC\SAN certificate.

_____________________________

Ibrahim Benna - Microsoft Exchange MVP
Forum Moderator
Navantis
@IbrahimBenna

(in reply to caddyshack)
Post #: 11
