You must have an X.509 certificate to use SSL encryption on an Exchange 2007 server. While this may not seem like a big deal, it can deter smaller organizations from encrypting Outlook Web Access (OWA) because it can be too expensive or difficult to deploy.
Microsoft provides a self-signed certificate for use with Exchange Server 2007 that allows organizations to secure communications out of the box. But should you use a self-signed certificate?
If an organization hasn't used SSL encryption and doesn't intend to deploy SSL encryption due to the cost or complexity, then I recommend using self-signed certificates. This will allow the organization to achieve a higher level of security than before -- without any additional expenses or extra work.
If you're using SSL encryption, it's acceptable to use a self-signed certificate on internal back-end servers. However, I recommend using standard commercial X.509 certificates for all other back-end servers. This is because Outlook and OWA clients who attempt to access mailboxes from outside the network receive a warning message stating that the certificates are invalid. Additionally, Windows Mobile users cannot receive mail on their mobile devices if the connection is encrypted with a self-signed certificate.
Although Microsoft allows you to create your own enterprise Certificate Authority (CA), non-domain members won't trust you or the enterprise CA. Therefore, I recommend using a
But the average user doesn't know how to do this. And even if he did, he probably wouldn't have the rights to install a certificate on a public Internet kiosk in order to access OWA. Using a well-known, commercial certificate guarantees that the certificate will be accepted.
This is also an important consideration for mobile users. It's possible to deploy an internal certificate chain to a Windows Mobile device, but doing so on a large scale can be labor intensive. Problems can also occur if users attempt to access their mailboxes on mobile devices running legacy or non-Windows operating systems.
Select the best commercial certificate
If you decide to use a commercial certificate, you must determine which type is best. Keep in mind that not all X.509 certificates are created equal. The rule was to use one certificate for each host name, but using this technique with Exchange 2007 can be expensive. You may have separate host names for OWA, the Autodiscover Service and your mail gateway.
One solution is to use a wildcard certificate, which is typically valid for an entire domain as well as subdomains.
Reminder: Windows Mobile devices prior to Windows Mobile 6 do not support the use of wildcard certificates.
Another option is to use Subject Alternative Name certificates, which allow you to specify a host name and include a list of alternate host names. However, these certificates can be more expensive than a standard X.509 certificate and more complicated to deploy. Additionally, older security software such as ISA 2004 doesn't support the use of Subject Alternative Name certificates.
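To compare these options against the host names a deployment publishes, the following added example (not part of the original tip) reports which required names each certificate's name list leaves uncovered. The example.com host names and name lists are constructed, and the matching rule is the one TLS clients apply: a wildcard stands for exactly one left-most label.

```python
# Added example: host names and certificate name lists below are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against one host name.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, the rule TLS clients apply (RFC 6125).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, required_hosts):
    """Return the required hosts that no name in the certificate covers."""
    return [h for h in required_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed host names for the three services the article lists:
# OWA, the Autodiscover Service and the mail gateway.
REQUIRED = ["owa.example.com", "autodiscover.example.com", "mail.example.com"]

# Constructed name lists for the three certificate types discussed.
CANDIDATES = {
    "single-name": ["owa.example.com"],
    "wildcard": ["*.example.com"],
    "SAN": ["owa.example.com", "autodiscover.example.com", "mail.example.com"],
}


def report(required=REQUIRED, candidates=CANDIDATES):
    """Map each candidate certificate to the required hosts it misses."""
    return {label: uncovered(names, required)
            for label, names in candidates.items()}


if __name__ == "__main__":
    for label, missing in report().items():
        print(f"{label:12} missing: {missing or 'none'}")
```

A wildcard name does not match the bare domain or a name two levels down, so a host such as legacy.mail.example.com would still need its own entry.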
About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
This was first published in September 2009