Sunday, April 01, 2007

GoDaddy, Subject Alternate Name certificates, and Exchange 2007

Exchange 2007 automatically creates "self signed" SSL certificates for CAS and Hub Transport servers. However, if you want to use SSL for OWA/ActiveSync/Autodiscover/Availability, etc... or if you want to do TLS/SSL for SMTP, then you need a publicly trusted certificate. However, this introduces a problem. Internal clients try to use the server name or the internal FQDN and will generate errors if the certificate on the internal HTTP virtual server is issued for an external URL.

The answer is to either create both internal and external virtual directories and use separate SSL certificates for each. This is a bit of a pain in the neck, though.

The Exchange 2007 EMS cmdlet new-ExchangeCertificate can create a certificate request that includes multiple additional server names or FQDNs. These additional FQDNs go in to the Subject Alternate Name field of the certificate.

Not all public certificate authorities will support these. However, GoDaddy has come out with a new certificate called a 6-in-1 certificate for $62.99 per year. This is a great deal and one I will probably be recommending to all of my customers.


At 8:44 AM, Blogger Chris Buechler said...

Careful where you use the GoDaddy certs. I use them myself on my personal site, and for numerous OWA installations for clients. But I've found they don't work well for OMA deployments because Windows Mobile, at least with the most recent updates as of about a year ago, did not trust GoDaddy certificates. And the devices won't sync unless they trust the CA issuing the certificate. Rather than having to mess with installing GoDaddy's root certificate on every Windows Mobile device we were deploying, I bought a certificate from Thawte. It was about 8 times as much money (~$20 vs. $160 for a simple SSL cert), but saved us a bunch of money in the end since we didn't have to mess with installing certificates on all the mobile devices.

Also if you're using them for e-commerce sites, or things of that nature that are very public where you want to be 100% assured that every user will not have issues with the certificate, you probably want to stay away from GoDaddy and go to one of the older CA's like Thawte. Safari still doesn't recognize GoDaddy certs, and IE won't if people don't install the certificate updates from Windows Update, which are found in the "optional" updates section so many users don't install them. There are likely a decent percentage of IE installations in the general population that don't list GoDaddy as a trusted CA.

At 3:43 PM, Blogger cannedsoda said...

I was about to ask the question about Windows Mobile. We went with an Entrust cert that allows two names. Pretty expensive comparitively.

At 4:55 PM, Blogger Jim McBee said...

Windows Mobile 5 with the MSFP and later supports certificates issued by GoDaddy. If you have earlier devices, you will need to install the certs on the device. I blogged about this several times last year.

At 12:09 PM, Blogger Paul said...

I was under the impression that GoDaddy's 6-in-1 only allowed variations of your domain's ending (the tld), such as,, and that they don't offer jim.local, or such combinations as:


I'm interested to know if you were able to purchase a certificate with differing domains and/or subdomains and not just variations of the tld.

At 2:56 AM, Blogger Seth said...

I had the same experience as Paul in not being able to get a certificate that was actually usable for multiple domain names that we wanted to put on our CAS box.

We're looking at other options now for this service, which sucks, because the others are all much more expensive. Though I suppose that functional trumps cheap.

At 4:17 PM, Blogger Tom Eppenberger said...

I have not been able to make the GoDaddy 6 in 1 certs work with Exchange 2007. It will only add top level domains to the subject alternative name field of the cert, not .local or any sub domains.

At 2:31 AM, Blogger Pete said...

Guys, Microsoft has released a patch for Outlook 2007 that fixes this problem. What happens is this: Outlook Autodiscover automatically searches for, if it can't find that DNS record it fails and returns OAB errors everytime you hit send/receive. With the patch applied, Outlook searches for if it can't find that, it searches for an SRV record, you can setup an SRV record in your DNS that would point to OWA address hence being able to use a single SSL cert and not have to worry about subject alternative names. I have chosen to go this route, deploy the outlook 2007 patch to my users and add an SRV record to our external and internal DNS servers.

At 6:26 AM, Blogger Chris said...

Slightly off topic, you wouldn't happen to have any advice on resolving an error I am getting on a GoDaddy Dedicated box. The error occurs at the end of the active directory wizard when it attempts to install.

Operation Failed due to the following error:
A general network error occurred.

Thats it... I have tried everything. The only thing I cannot change is the domain suffix, which is set to GoDaddy's Is that why? Do I have to do anything special?

I would greatly appreciate any help.


At 7:21 AM, Blogger jknightly said...

This is not the UCC cert on godaddy's site right? I can't seem to find where to buy the SAN /6 in 1 cert. Anyone got a direct link?

At 12:42 AM, Blogger Jamie said...

Jim, this is exactly the same logic I have come up with regarding Subject Alt Name SSL certificates when tackled with a similarly orientated problem. Originally I tirelessly created seperate internal and external directories, so I'm more than happy to see you've reinforced this alternative!

At 5:58 PM, Blogger Shareef Mohmmad said...

All the contents you mentioned in post is too good and very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts. cheap wildcard ssl

At 9:39 PM, Blogger mogali said...

Cheap Wildcard SSL - Cheap SSL certificates (including wildcard and multi-domain (SAN) SSL certificates) from Comodo, GeoTrust, Thawte and Symantec (VeriSign)


Post a Comment

<< Home