Exchange Security Tips

When to use a self-signed certificate with Exchange Server 2007

Brien Posey, Contributor
09.01.2009
You must have an X.509 certificate to use SSL encryption on an Exchange 2007 server. This may not seem like a big deal, but the cost and effort of obtaining and deploying a certificate can deter smaller organizations from encrypting Outlook Web Access (OWA) at all.

Microsoft provides a self-signed certificate for use with Exchange Server 2007 that allows organizations to secure communications out of the box. But should you use a self-signed certificate?

If an organization hasn't used SSL encryption and doesn't intend to deploy SSL encryption due to the cost or complexity, then I recommend using self-signed certificates. This will allow the organization to achieve a higher level of security than before -- without any additional expenses or extra work.

If you're using SSL encryption, it's acceptable to use a self-signed certificate on internal back-end servers. However, I recommend standard commercial X.509 certificates for every other server, especially those that clients reach from outside the network. Outlook and OWA clients that attempt to access mailboxes from outside the network receive a warning message stating that a self-signed certificate is invalid, and Windows Mobile users cannot receive mail on their devices at all if the connection is encrypted with a self-signed certificate.

Although Microsoft allows you to create your own enterprise Certificate Authority (CA), computers that are not domain members won't trust certificates it issues. Before such a machine will accept your certificate, someone has to download and install the CA's certificate chain on it. For that reason, I recommend using a commercial certificate.

The average user doesn't know how to install a certificate chain, and even if he did, he probably wouldn't have the rights to install one on a public Internet kiosk just to access OWA. A certificate from a well-known commercial CA is already trusted by the client's operating system and browser, so it is accepted without any extra steps.

This is also an important consideration for mobile users. It's possible to deploy an internal certificate chain to a Windows Mobile device, but doing so on a large scale can be labor intensive. Problems can also occur if users attempt to access their mailboxes on mobile devices running legacy or non-Windows operating systems.

Select the best commercial certificate

If you decide to use a commercial certificate, you must determine which type is best. Keep in mind that not all X.509 certificates are created equal. The traditional rule was one certificate per host name, but with Exchange 2007 that can be expensive, because you may have separate host names for OWA, the Autodiscover service and your mail gateway.

One solution is to use a wildcard certificate, which covers every host name within a single domain (for example, *.example.com matches owa.example.com and autodiscover.example.com).

Reminder: Windows Mobile devices prior to Windows Mobile 6 do not support the use of wildcard certificates.

Another option is to use Subject Alternative Name certificates, which allow you to specify a host name and include a list of alternate host names. However, these certificates can be more expensive than a standard X.509 certificate and more complicated to deploy. Additionally, older security software such as ISA 2004 doesn't support the use of Subject Alternative Name certificates.
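To make the trade-off between the three certificate types concrete, here is an added example (not code from the article) that checks whether a candidate certificate's names cover the host names an Exchange 2007 deployment publishes. The certificates are constructed descriptors (subject CN plus subjectAltName DNS entries) rather than files parsed from disk, and the host names under example.com are made up; the matching rules implement standard client behaviour, in which a wildcard matches exactly one label, and a flag models the Windows Mobile 5 case from the reminder above, where wildcard entries are rejected outright.

```python
"""Check which required Exchange host names a certificate's names cover.

Added example, not part of the original article. Certificates are modelled
as constructed name lists so that the script runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Constructed stand-in for the name fields of an X.509 certificate."""
    common_name: str
    san_dns: list = field(default_factory=list)

    def all_names(self):
        # Clients consult subjectAltName entries first; the CN is a fallback.
        return [self.common_name] + list(self.san_dns)


def name_matches(pattern: str, host: str, allow_wildcard: bool = True) -> bool:
    """Does one certificate name (possibly '*.example.com') cover host?

    Comparison is case-insensitive. A '*' is honoured only as the whole
    leftmost label and matches exactly one label, so '*.example.com' covers
    owa.example.com but neither example.com nor a.b.example.com.
    allow_wildcard=False models clients (Windows Mobile before version 6)
    that refuse wildcard certificates entirely.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    if not allow_wildcard:
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]           # the label the '*' stands for
    return leftmost != "" and "." not in leftmost


def coverage(cert: CertNames, required: list, allow_wildcard: bool = True) -> dict:
    """Map each required host name to the certificate name covering it, or None."""
    return {
        host: next((n for n in cert.all_names()
                    if name_matches(n, host, allow_wildcard)), None)
        for host in required
    }


def uncovered(cert: CertNames, required: list, allow_wildcard: bool = True) -> list:
    """Host names the certificate would fail validation for."""
    return [h for h, m in coverage(cert, required, allow_wildcard).items() if m is None]


# Constructed host names for a fictional deployment (example.com is reserved).
REQUIRED = ["owa.example.com", "autodiscover.example.com", "mail.example.com"]

SINGLE_NAME = CertNames("owa.example.com")                       # one cert per host
WILDCARD = CertNames("*.example.com")                            # wildcard cert
SAN_CERT = CertNames("mail.example.com",                         # SAN cert
                     ["owa.example.com", "autodiscover.example.com"])

if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME), ("wildcard", WILDCARD), ("SAN", SAN_CERT)]:
        for wildcard_ok in (True, False):
            client = "modern client" if wildcard_ok else "Windows Mobile 5-style client"
            print(f"{label:12s} {client:28s} uncovered: {uncovered(cert, REQUIRED, wildcard_ok)}")
```

Running the script shows the single-name certificate leaving Autodiscover and the gateway uncovered, the wildcard certificate covering everything for a modern client but nothing for a pre-Windows Mobile 6 client, and the SAN certificate covering all three names for both client types, which is the point of the comparison above.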

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
