SBS2011 certificate

I've used GoDaddy for the last few I've done. For SBS2011 you should only require a single domain certificate (usually just remote.*). If you search for it I think you can have the first year for under £10.
 
+1 for GoDaddy. Normally we put them in for two years. However, with one year being £8.50 and two years being about £40/year...

If you Google for something like "GoDaddy SSL Promo", one of the sponsored links is GoDaddy and takes you to the page offering them for £8.50
 
We use DigiCert, whom I would recommend if you can afford them.

For Exchange 2010 you really want a UCC cert so you can have a single cert that allows you to have multiple domain names, if people are going to be accessing OWA/Outlook from external then you would ideally need to add names for:

autodiscover.domain.com
owa.domain.com (replace with your own owa address)
exchangeserver.local (for your exchange server).
 
SBS 2011 doesn't use a standard Exchange configuration and only expects a single domain SSL certificate. Autodiscovery is configured using a DNS SRV record.
 
We use DigiCert, whom I would recommend if you can afford them.

For Exchange 2010 you really want a UCC cert so you can have a single cert that allows you to have multiple domain names, if people are going to be accessing OWA/Outlook from external then you would ideally need to add names for:

autodiscover.domain.com
owa.domain.com (replace with your own owa address)
exchangeserver.local (for your exchange server).

We were having problems with multiple security warnings for the addresses you mention above and more, e.g. remote.xxxxx.org, so our IT support company purchased a DigiCert certificate for us, but it was £358.

I see that Go Daddy do multiple domain UCC certificates for a lot less than DigiCert.
 
Yeah I think you have to have like 5 names minimum on a UCC cert, and you pay a fee per name as well. Can't comment on Go Daddy UCC certs not used them, of course you can try any you want but assuming you've already paid for your Digicert UCC cert you should probably try and get that working first!

You said it's SBS so I can assume it's Exchange 2010 with multi-role (CAS/HT/MBX) on the same server. In that case you need to make sure that any certs you've imported are actually active and enabled in Exchange as well for the correct services.

Process normally goes like this:

1. Generate New-ExchangeCertificate request with domain names etc
2. Take the request data to a CA like DigiCert and get the certificate created.
3. Once the certificate is ready, you can run the Import-ExchangeCertificate request.
4. You then need to enable the certificate for the relevant services, otherwise your Exchange server will continue to use the self signed one it was installed with and you will get certificate errors.

Any names you enable on the Certificate need to match those you are using to connect or you will get certificate errors.

If you get cert errors in OWA you can check the certificate by clicking the icon and confirming the details of the applied certificate match what you are expecting to see.
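
The four steps in the post above, sketched for a standard Exchange 2010 server as an added example (not code from any poster in this thread). The host names, file paths, subject fields and the choice of IIS and SMTP as the services to enable are assumptions. On SBS 2011, the replies that follow point to the SBS wizard instead.

```powershell
# Run in the Exchange Management Shell on an Exchange 2010 server.
# Names, paths and subject fields are placeholders (assumptions).
# Note: public CAs stopped issuing certificates for internal names such as
# .local in 2015, so a name like exchangeserver.local needs an internal CA today.
$names = 'owa.domain.com', 'autodiscover.domain.com', 'exchangeserver.local'

# 1. Generate the request. Exchange 2010 returns the Base64 PKCS#10 text,
#    so write it to a file that can be submitted to the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=GB, O=Example Ltd, CN=owa.domain.com' `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange.req' -Value $csr

# 2. Submit exchange.req to the CA and save the issued certificate
#    as C:\certs\exchange.cer (done outside PowerShell).

# 3. Import the issued certificate. This completes the pending request and
#    pairs the certificate with the private key created in step 1.
$bytes = [byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Bind the certificate to services; until this runs, Exchange keeps
#    presenting the self-signed certificate. Services chosen here are an assumption.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# Check: list every installed certificate with the services bound to it,
# so a leftover self-signed certificate on IIS is easy to spot.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# Check: every name clients connect to must be on the certificate.
$onCert  = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($names | Where-Object { $onCert -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Names missing from certificate: " + ($missing -join ', '))
} else {
    Write-Output 'All expected names are present on the certificate.'
}
```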
 
The SSL request and import process is automated using a SBS specific wizard that does almost everything for you. There's no need to go anywhere near Exchange. Applying normal Exchange server practices to a SBS box is almost guaranteed to break it.

The wizard raises a request for a single domain certificate (default of remote.<domain>). If the wizard process is followed the only other step required should be getting an external SRV DNS record raised that redirects autodiscovery.<domain> to remote.<domain>.
 
Our DigiCert did work but it's due to expire and I don't fancy paying £370 when the Go Daddy version is a lot cheaper!
 
Get one through GoDaddy, have set up several UCC certs in the last 6 months with them with no issues. You need to confirm the internal names on the certificate; they will email an activation link for this. For the external you will just need to add an HTML page or a TXT record on the domain with the details they provide. Can all be done in a couple of hours if you follow up emails etc. quickly.

As for SBS and the names you need, the last one I did I included autodiscover.domain, webmail.domain and server.internaldomain and set it up the same way as per any recent Exchange install I have done, and there are no issues with this breaking anything.
 
autodiscover.domain.org
webmail.domain.org
remote.domain.org
server.local

I get 5 so anything else I should add?
 
You only need to add names you are using. No point adding anything else unless you are planning on using it.

I assume you can re-issue the certificate later if you need to with updated names, like you can with DigiCert.
 
The SSL request and import process is automated using a SBS specific wizard that does almost everything for you. There's no need to go anywhere near Exchange. Applying normal Exchange server practices to a SBS box is almost guaranteed to break it.

The wizard raises a request for a single domain certificate (default of remote.<domain>). If the wizard process is followed the only other step required should be getting an external SRV DNS record raised that redirects autodiscovery.<domain> to remote.<domain>.

+1

I'm not sure why you would pay more and spend more time putting a UCC on SBS when the SSL Wizard will do it all for you. A remote. cert from GoDaddy is under a tenner for a year - why reinvent the wheel?
 
Got a 3 year Godaddy certificate for £115 using a 30% discount code and it's all working fine :)

The discount code is cjcWD30
 
+1

I'm not sure why you would pay more and spend more time putting a UCC on SBS when the SSL Wizard will do it all for you. A remote. cert from GoDaddy is under a tenner for a year - why reinvent the wheel?

The only issue with this is if you have clients older than Outlook 2007 connecting via Outlook Anywhere, IIRC only 2007 or newer can resolve via an SRV record, and yes, people still use 2003! :(
 
The only issue with this is if you have clients older than Outlook 2007 connecting via Outlook Anywhere, IIRC only 2007 or newer can resolve via an SRV record, and yes, people still use 2003! :(

Outlook 2003 doesn't have Autodiscover though, so the lack of SRV record support isn't an issue. It works fine using RPC over HTTPS.
 