SSL Certificate Provider

jbaello (Member, Posts: 1,191)
Any idea where I can get the best deal for an SSL certificate that will serve certs for my mail servers?

Comments

  • astorrs (Member, Posts: 3,139)
    This should help you out:

    http://www.whichssl.com/comparisons/

    Looks like it's probably Go Daddy Standard SSL @ $16/yr
  • royal (Member, Posts: 3,352)
    Well for starters, what mail server? Exchange I assume? What version?

    Any external access? If not, internal CA.

    If yes, will you be using Active Sync? If yes, go with someone other than Verisign. Verisign started to sign their certs with an intermediate certificate last year and it's not in the Windows Mobile Certificate Store. Internet Explorer has the capability to auto-fetch the intermediate certificate if it trusts the root, but Firefox and Active Sync do not support this. It's called certificate chaining.

    Godaddy is cheap and should work. I would double check that the Godaddy chain is in the Mobile device you're using.

    I always try to go with Entrust when possible.

    Digicert is another good option but I haven't worked with them.

    Digicert and Entrust are more expensive than Godaddy.

    If you're doing Exchange 2007 and want autodiscover, you'll probably want to go with Entrust or Digicert. Godaddy should work fine but I'd really try to get Entrust as I know Entrust's certificates are on pretty much all mobile devices.

    Do you plan on deploying OCS in the future? Godaddy certs are not supported for Public IM Connectivity. If you do plan on going with OCS, I would start an account with Entrust and start using them. I'd still go with Entrust either way.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • jbaello (Member, Posts: 1,191)
    royal wrote:
    Well for starters, what mail server? Exchange I assume? What version?

    Any external access? If not, internal CA.

    If yes, will you be using Active Sync? If yes, go with someone other than Verisign. Verisign started to sign their certs with an intermediate certificate last year and it's not in the Windows Mobile Certificate Store. Internet Explorer has the capability to auto-fetch the intermediate certificate if it trusts the root, but Firefox and Active Sync do not support this. It's called certificate chaining.

    Godaddy is cheap and should work. I would double check that the Godaddy chain is in the Mobile device you're using.

    I always try to go with Entrust when possible.

    Digicert is another good option but I haven't worked with them.

    Digicert and Entrust are more expensive than Godaddy.

    If you're doing Exchange 2007 and want autodiscover, you'll probably want to go with Entrust or Digicert. Godaddy should work fine but I'd really try to get Entrust as I know Entrust's certificates are on pretty much all mobile devices.

    Do you plan on deploying OCS in the future? Godaddy certs are not supported for Public IM Connectivity. If you do plan on going with OCS, I would start an account with Entrust and start using them. I'd still go with Entrust either way.

    Lol this is a very informative post, eventually I would like to get my feet wet with Office Communicator, I'm also planning to obtain MCITP: Enterprise Exchange Administrator, so any SSL provider with more options would be suitable for me.

    No Internal CA, I will be using Active Sync (for lab purposes). Mobile devices will be big for me, since I will be hosting an Exchange Server soon. I will definitely configure Autodiscover on Exchange 2007.

    Thanks for the feedback, I will check entrust.

    Have you guys actually tried running your own CA? Is it a tedious process to run your own?
  • royal (Member, Posts: 3,352)
    If you're doing anything mobile, do not use an Internal CA for external access.

    Definitely go with Entrust since you'll be doing Autodiscover and mobile devices. Digicert should work as well, but I've had good luck with Entrust and they have become really popular lately.
  • blargoe (Member, Posts: 4,174)
    royal wrote:
    Well for starters, what mail server? Exchange I assume? What version?

    If yes, will you be using Active Sync? If yes, go with someone other than Verisign. Verisign started to sign their certs with an intermediate certificate last year and it's not in the Windows Mobile Certificate Store. Internet Explorer has the capability to auto-fetch the intermediate certificate if it trusts the root, but Firefox and Active Sync do not support this. It's called certificate chaining.

    We got ActiveSync to work with the Verisign cert but it was a pain in the butt. I think we had to add the intermediate cert to the trusted root store on the phone, and then delete an expired cert from the local computer store on the Exchange server for that intermediate CA.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • royal (Member, Posts: 3,352)
    blargoe wrote:
    royal wrote:
    Well for starters, what mail server? Exchange I assume? What version?

    If yes, will you be using Active Sync? If yes, go with someone other than Verisign. Verisign started to sign their certs with an intermediate certificate last year and it's not in the Windows Mobile Certificate Store. Internet Explorer has the capability to auto-fetch the intermediate certificate if it trusts the root, but Firefox and Active Sync do not support this. It's called certificate chaining.

    We got ActiveSync to work with the Verisign cert but it was a pain in the butt. I think we had to add the intermediate cert to the trusted root store on the phone, and then delete an expired cert from the local computer store on the Exchange server for that intermediate CA.

    Yep, that's what I had to do as well when a client of mine used Verisign. Why bother with that, especially when you have a bunch of mobile clients. Not to mention Verisign is expensive due to their reputation.
  • jbaello (Member, Posts: 1,191)
    Any idea how much it will cost with Entrust? I just want to get one for study purposes, and of course me hosting a live Exchange Server is just around the corner.

    I looked at their website, and it looks like they've got so many options, etc. A link to what you personally have that will suffice for my needs would be awesome.
  • royal (Member, Posts: 3,352)
    You'd want their Unified Communications Certificate for $600 if you want to support the Autodiscover Service using the Microsoft Recommended method of assigning the autodiscover.domain.com name as a SAN name.

    http://www.entrust.net/ssl-certificates/unified-communications.htm
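
The two behaviours royal describes in this thread (a client that trusts only the root rejects the certificate when the intermediate is not supplied, and Autodiscover needs its hostname in the SAN list) can be reproduced in a lab with OpenSSL. This is an added example, not part of any post; the CA names and the example.test hostnames are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: constructed lab PKI (root -> intermediate -> leaf); all names are placeholders.

new_key_and_csr() {  # $1 = dir, $2 = file stem, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_lab_pki() {  # $1 = working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:mail.example.test,DNS:autodiscover.example.test\n' > "$d/leaf.ext"
  new_key_and_csr "$d" root  "Lab Root CA"
  new_key_and_csr "$d" inter "Lab Intermediate CA"
  new_key_and_csr "$d" leaf  "mail.example.test"
  # Root is self-signed; it signs the intermediate, which signs the server (leaf) cert.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# The client trusts only the root. "served" = the server sends the intermediate
# with its cert; "missing" = it does not, and the client cannot fetch it itself.
client_accepts() {  # $1 = dir, $2 = served|missing
  if [ "$2" = served ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

cert_has_san() {  # $1 = certificate file, $2 = DNS name expected in subjectAltName
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

LAB=$(mktemp -d)
build_lab_pki "$LAB"
for mode in served missing; do
  if client_accepts "$LAB" "$mode"; then echo "intermediate $mode: chain verifies"
  else echo "intermediate $mode: chain fails to verify"; fi
done
cert_has_san "$LAB/leaf.pem" autodiscover.example.test && echo "autodiscover name present in SAN"
```

The "missing" case is the situation the thread describes for clients that do not fetch intermediates on their own: the leaf is valid, but the path to the trusted root cannot be built.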
  • jbaello (Member, Posts: 1,191)
    What Windows Mobile Device do you guys recommend? Do you use one Royal?

    Just want to configure CAS on this...
  • blargoe (Member, Posts: 4,174)
    If you're just wanting to test WM functionality against your Exchange before you buy, Microsoft has emulators for their devices. You have to download the device emulator, the Windows Mobile Images, and the driver (which I think now is included in MS Virtual PC).

    http://www.microsoft.com/downloads/details.aspx?familyid=A6F6ADAF-12E3-4B2F-A394-356E2C2FB114&displaylang=en
  • CoryS (Member, Posts: 208)
    I just used Digicert and it worked great for everything but ActiveSync features for the mobile devices, as it's not a trusted root cert by default. Their service was actually quite amazing to be honest and it was issued very quickly. I like the unlimited server license feature, and the ability to cheaply add additional names to the cert when I see fit is super handy if I want to set up SSL for other things above and beyond Exchange.

    I looked at Entrust, and like the features, but price-wise Digicert was cheaper.

    Just my .02
    MCSE tests left: 294, 297
  • jbaello (Member, Posts: 1,191)
    I'm trying to see if I can modify files that I browse via OWA 2007. I went ahead and modified Share/ACL permission for an AD account mailbox enabled, that is logged in via OWA. I am actually able to open documents with their corresponding program, but when I save it and reopen it, the modification I made is not saved.

    I checked the book and did not find anything that would suggest it.

    Also is there a Halo 3 theme for OWA?
  • astorrs (Member, Posts: 3,139)
    There is an Xbox 360 theme in SP1 but I don't think they've yet to do the often promised Halo theme, I assume they didn't get the okay.

    http://blogs.technet.com/kclemson/archive/2007/08/14/new-owa-themes-in-sp1-zune-xbox.aspx
  • blargoe (Member, Posts: 4,174)
    jbaello wrote:
    I'm trying to see if I can modify files that I browse via OWA 2007

    Are you talking about with the feature where it can pass through to a file server to access files? I haven't used that yet, but I believe I read that the access for that is always read-only.
  • HeroPsycho (Inactive Imported Users, Posts: 1,940)
    I just had the displeasure of trying to get a certificate from Thawte for Exchange 2007 for simple OWA access. Forget it. Awful experience! It's claiming my state and locality aren't in the CSR even though they are (two other CAs validate that), can't get anyone to email me back, it's just awful...
    Good luck to all!
  • blargoe (Member, Posts: 4,174)
    I will say for Verisign, I've never had the customer service issues like that.
  • jbaello (Member, Posts: 1,191)
    blargoe wrote:
    jbaello wrote:
    I'm trying to see if I can modify files that I browse via OWA 2007

    Are you talking about with the feature where it can pass through to a file server to access files? I haven't used that yet, but I believe I read that the access for that is always read-only.

    On OWA you're able to access folders that are shared, via UNC path via Documents. I'm trying to figure out if there is any way to be able to modify this file and save it; it looks like it's read-only.
  • HeroPsycho (Inactive Imported Users, Posts: 1,940)
    +1 for Entrust. +10000 for a UCC aka SAN cert.