Exchange Server Forums
How do you trust a self-signed owa 2010 certificate
How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 7:58:59 AM
pe5mith
Posts: 21
Joined: 25.Jan.2011
Status: offline
Exchange 2010 has set up a self-signed certificate for OWA. How do you get all computers in the same 2003 Domain to trust that certificate without visiting every computer?
RE: How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 9:35:53 AM
pe5mith
Posts: 21
Joined: 25.Jan.2011
Status: offline
Is there no way I can tell my network to trust my own server without giving money to third parties? I know buying a cert is best but I'm now on a budget embargo!!
RE: How do you trust a self-signed owa 2010 certificate - 28.Jan.2011 4:44:06 PM
de.blackman
Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Well, you can deploy a certificate authority into your domain and then create a certificate from it, but you would have to manually make modifications to the certificate templates so it can issue the proper UC certificates (by default, certificate authorities or CAs can only issue web server certificates that can have a single common name). Once you install a CA into your domain, ALL your domain-joined machines will automatically trust it as the root; however, if you have users who will connect from machines that are NOT part of the domain (such as machines in their homes), they will always get the certificate prompt. It is definitely cheaper in terms of money but you have to consider your administrative costs on top of that. You are basically going to deploy a new service into your network. In the long run, I always recommend a public certificate because then you don't have to worry about managing it. Good luck!
_____________________________
Ibrahim Benna - Microsoft Exchange MVP Forum Moderator Navantis @IbrahimBenna
RE: How do you trust a self-signed owa 2010 certificate - 31.Jan.2011 3:16:50 AM
pe5mith
Posts: 21
Joined: 25.Jan.2011
Status: offline
Many thanks for that reply. I think I'll invest. All I have to do now is try to solve my other problem with the odd attachment scenario.
RE: How do you trust a self-signed owa 2010 certificate - 31.Jan.2011 9:05:25 AM
de.blackman
Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
I think you are making a wise choice in investing in a publicly trusted certificate. You will have little to no headaches related to certificates now. If you have other issues, please post them in the different sections of the forum that correspond to the issue.
_____________________________
Ibrahim Benna - Microsoft Exchange MVP Forum Moderator Navantis @IbrahimBenna
RE: How do you trust a self-signed owa 2010 certificate - 15.Feb.2011 6:32:52 PM
caddyshack
Posts: 12
Joined: 26.Apr.2010
Status: offline
You don't need SAN or UC certs to run Exchange. You can get three SSL certs from your own CA with the common names: owa.company.com, autodiscover.company.com and servername.company.com. Distribute your CA's root certificate to all Windows clients with a GPO. With this approach, there are few things you need to do under the hood. Separate the autodiscover web service to another website. Now some mobile phones may not accept the self-signed certs. I think Outlook over the internet may also have problems with the certs.
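The trust and name-coverage points raised in the replies above (a domain CA is trusted only where its root is installed, and a single-name certificate covers one host name while a UC/SAN certificate covers several) can be reproduced offline. This is an added example, not part of any post in the thread, and it uses OpenSSL rather than the Windows CA tooling the posters describe. Assumptions: the CA names, the `ca` store (a domain machine holding the internal root), the `pub` store (a non-domain machine without it) and the `trusted`/`covers`/`warns` helpers are all constructed for illustration.

```shell
#!/bin/sh
# Constructed lab: every key, name and certificate below is a throwaway sample.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = unused because -subj is always given
[root]
basicConstraints = critical,CA:TRUE
[uc]
subjectAltName = DNS:owa.company.com,DNS:autodiscover.company.com,DNS:servername.company.com
EOF
# req NAME ARGS...: new RSA key plus a self-signed cert (-x509) or a CSR (-new).
req() { n=$1; shift; openssl req -config "$W/lab.cnf" -newkey rsa:2048 -nodes \
          -keyout "$W/$n.key" "$@" 2>/dev/null; }
# issue NAME ARGS...: sign NAME.csr with the internal root.
issue() { n=$1; shift; openssl x509 -req -in "$W/$n.csr" -CA "$W/ca.crt" \
            -CAkey "$W/ca.key" -CAcreateserial -days 30 -out "$W/$n.crt" "$@" 2>/dev/null; }

# self: self-signed server cert, standing in for the one Exchange setup created.
req self -x509 -days 30 -subj "/CN=servername.company.com" -out "$W/self.crt"
# ca: internal root (domain machines trust it); pub: unrelated root (home machine).
req ca  -x509 -days 30 -subj "/CN=Example Internal Root CA" -extensions root -out "$W/ca.crt"
req pub -x509 -days 30 -subj "/CN=Example Other Root CA" -extensions root -out "$W/pub.crt"
# uc: one SAN cert with all three names; owa: single-name cert (CN only).
req uc  -new -subj "/CN=owa.company.com" -out "$W/uc.csr"
issue uc -extfile "$W/lab.cnf" -extensions uc
req owa -new -subj "/CN=owa.company.com" -out "$W/owa.csr"
issue owa

# trusted STORE CERT: does CERT chain to the root in the client's trust store?
trusted() { openssl verify -CAfile "$W/$1.crt" "$W/$2.crt" >/dev/null 2>&1; }
# covers CERT HOST: does CERT's SAN list (or its CN, when it has no SAN) match HOST?
covers() { openssl x509 -in "$W/$1.crt" -noout -checkhost "$2" | grep -q 'does match'; }
# warns STORE CERT HOST: the client warns when either check fails.
warns() { ! { trusted "$1" "$2" && covers "$2" "$3"; }; }

for host in owa.company.com autodiscover.company.com; do
  for cert in self uc owa; do
    for store in ca pub; do
      if warns "$store" "$cert" "$host"; then r=WARN; else r=ok; fi
      printf '%-25s cert=%-4s store=%-3s %s\n' "$host" "$cert" "$store" "$r"
    done
  done
done
```

Only the rows with `store=ca` and a certificate issued by that root come out `ok`, and for `autodiscover.company.com` only the `uc` certificate does.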
RE: How do you trust a self-signed owa 2010 certificate - 15.Feb.2011 7:35:02 PM
de.blackman
Posts: 3542
Joined: 4.Apr.2005
From: Toronto, Canada
Status: offline
Caddyshack, I like your enthusiasm, but why would you go through all that when you can simply use the recommended method by Microsoft to purchase a UC certificate? Microsoft's recommendations are made for a reason! In addition, your method would require the installation of an internal CA. Some organizations do not allow the creation of such services due to security and policy reasons. Even if they did, users who connect from outside the domain would have an issue because home machines are not domain members so getting the root CA installed on them would be practically impossible. So to clarify, your statement that says using a UC certificate is the easiest and recommended method for deploying Exchange.
_____________________________
Ibrahim Benna - Microsoft Exchange MVP Forum Moderator Navantis @IbrahimBenna
RE: How do you trust a self-signed owa 2010 certificate - 16.Feb.2011 6:21:07 PM
caddyshack
Posts: 12
Joined: 26.Apr.2010
Status: offline
de.blackman, I agree with you 110% on the Exchange 2010 best practices. I thought the OP couldn't afford the UC cert due to budget constraints. That's why I suggested an alternative route. When I migrated my Exchange 2003 environment to 2007 three years ago, UC/SAN certs were a new concept to most admins and some public CAs weren't even issuing them. IIRC, Exchange itself had few problems dealing with the certs. I know now UC/SAN certs are cheaper to get and implement. So, I agree we all need to follow the best practice guidelines but I like the control I have on the Exchange/IIS servers with my three certs approach (signed by a public CA). I am hoping MS didn't make the UC/SAN certs mandatory in Exchange 2010.