Certificates and Exchange, Part 1

I'm generally a big believer in the power of a free market. In most market segments, competition between sellers makes things better for the buyer. In the computing industry, look no further than the x86-based hardware that you're probably using to read this email newsletter.

One area in which competition has only recently made its mark is the market for Secure Sockets Layer (SSL) certificates. If you want an SSL certificate, you have basically two choices: You can create your own or you can buy one from a third-party certificate authority (CA). For many applications, a self-issued, self-signed certificate will do fine. For example, many companies use self-signed certificates for signing Microsoft Office macros and protecting intranet Web servers. The potential security risk of clients accessing your Internet-facing services will determine whether you should use self-signed certificates or certificates purchased from an external CA such as Comodo, GoDaddy.com, or VeriSign. The cost of these certificates varies quite a bit; for example, Comodo sells a 128-bit server certificate for $139 per year, whereas a similar certificate from GoDaddy.com costs about $20 per year. The strength of the certificate, its renewal period, and the reputation of the certificate issuer all influence the final price.

Exchange uses certificates in several ways. The most common use, of course, is to protect access to Microsoft Outlook Web Access (OWA). Exchange Server 2003 and earlier releases don't require you to use SSL with OWA, but if you don't use it you're needlessly exposing yourself to the possibility of an attacker stealing credentials to your network. (When you turn on form-based authentication for Exchange 2003, however, SSL is required or the authentication won't work.) You can also use certificates to apply SSL protection for POP, IMAP, and Exchange ActiveSync.

Requesting and installing certificates is fairly straightforward, although it might require more knowledge of the Internet Services Manager for Microsoft IIS than you might voluntarily gain on your own. After you install a certificate and enable it for the Exchange services you want to protect, you're done.

Exchange Server 2007 changes the game significantly because it automatically generates and installs its own set of self-signed certificates. This is a great boon for novice administrators (or lazy ones) because it means that Exchange 2007 OWA is automatically protected from the minute you install the Client Access server role. However, the addition of this new feature introduces several additional wrinkles that you need to know about; I'll cover those in next week's column.
