Thursday, May 25, 2006

Cheap SSL certs or running with the big dogs?

Okay, I'm cheap, I admit it. I always search for the lowest airfares, buy my gas at Costco (about $55 per week at this point!), use Froogle like crazy, turn the ketchup bottle upside down to get as much out as possible, and I buy SSL certs from www.godaddy.com or www.instantssl.com when setting up an OWA server.

I recently saw a downside to this. Usually, there are no "liability" issues associated with setting up an OWA server. At least, not liability like there is when setting up an e-commerce site. So the big dogs' SSL certs, such as those from VeriSign or Thawte (which come with a certain amount of liability protection), are not necessary.

Several of my customers that have just migrated to Exchange 2003 used www.godaddy.com for the SSL certs. Now, they want Windows Mobile and ActiveSync support. The problem is that the root CA that GoDaddy uses is NOT trusted by the Windows Mobile devices. When you try to configure ActiveSync, you get errors like INTERNET_45 or INTERNET_55 on the mobile device. (I just blogged this a few months ago).

So, you have to install your root CA's certificates on the mobile device. Interested? Here is more information:

So, the other thing I have to admit is that I'm lazy. I really don't want to have 100 Windows Mobile users bring their devices in to IT so that I can install my cheapie CA's cert on each device.

The Moral of the Story?
I'm getting there! So, the moral of the story is, when you get ready to purchase OWA certs, ask yourself if you are going to be supporting Windows Mobile devices. If so, is it still going to be cheaper to purchase the cheaper cert and manually install a bunch of certs? Irate and/or inconvenienced users and IT resources do have a cost.
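The trust question above can be checked before buying, as in this added example (not from the original post). It assumes the openssl CLI (1.1.0 or later) and models a device's root store as a PEM bundle; the CA names, hostname and keys are constructed throwaways.

```shell
# Added example: all keys, CA names and the hostname are constructed locally.
set -eu

# make_root DIR NAME CN: create a self-signed root CA as DIR/NAME.pem
make_root() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_server DIR CA_NAME: issue DIR/server.pem signed by DIR/CA_NAME.pem
# (run make_root in DIR first; it writes the req.cnf used here)
issue_server() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=owa.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 30 -CA "$1/$2.pem" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

# device_trusts BUNDLE CERT: succeed only if CERT chains to a root in BUNDLE.
# -no-CApath keeps the workstation's own trust store out of the answer.
device_trusts() {
  openssl verify -no-CApath -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_root "$work" shipped "Constructed Device-Shipped Root"
make_root "$work" budget "Constructed Budget Root"
issue_server "$work" budget
cp "$work/shipped.pem" "$work/device-roots.pem"    # roots the device ships with
if device_trusts "$work/device-roots.pem" "$work/server.pem"; then
  echo "before: trusted"
else
  echo "before: NOT trusted (root must be installed on every device)"
fi
cat "$work/budget.pem" >> "$work/device-roots.pem" # after installing the root
device_trusts "$work/device-roots.pem" "$work/server.pem" && echo "after: trusted"
rm -rf "$work"
```

To run the same check against a real purchase, point `device_trusts` at a bundle of the roots the device platform actually ships and at the certificate the vendor issues.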

4 Comments:

At 3:00 AM, Blogger Todd said...

While ActiveSync won't let the user get around the "untrusted" certificate, PIE will.

So, I wrap my SSL certificate chain in a CAB file and place it on my front-end server. The user merely visits https://front-end.mydomain.com/certs and picks the CAB.

A prompt to run the CAB and off they go.

 
At 12:24 AM, Blogger lordoftheping said...

hello,
from Microsoft:
https://partner.microsoft.com/global/partner/40027352

Godaddy is in, with the MSFP you shouldn't have to install the CA.
Are you using the MSFP?

 
At 3:23 AM, Blogger philphil said...

I hope this isn't a really silly question but how do you wrap a certificate in a cab file?

 
At 3:23 AM, Blogger oliver said...

First of all, Jim, I love reading your blogs, and this one particularly struck resonance with me and our site! GoDaddy is probably universally the best free SSL authority, but our research has found that our customers and clients don't respond to this, so the only alternative is to find viable Low Cost SSL Certificates, and with resellers like SSL247.co.uk, who offer certificates at least 10% below the rrp, this is a good option. But even I would not pay some of the fees VeriSign commands, who charge particularly high prices.

 
