Monday 13 October 2008

SBS 2008 - Self-Issued SSL Cert Only Good for 2 Years

Remember when Sean reminded us about the SBS 2003 self-issued SSL certificate expiring? SBS 2003 was released around the middle of 2003, so some of those self-issued SSL certificates were due to expire around the middle of 2008.

Here is what the self-issued certificate in SBS 2008 looks like via the certificate management snap-in:

[Image: SBS 2008 Self-Issued SSL is good for 2 years]

The fact that the certificate is only good for two years is important.

If a client decides against a third party certificate, then the network audit notes need to reflect the expiry date of the certificate. A reminder should be set in Outlook or client management software for a month or so ahead of the expiry to speak with the client about obtaining and installing a third party certificate.

Why third party? Because the need to have every non-domain joined workstation run the little SSL install routine could get to be quite expensive over time. And, getting a Windows Mobile device to run with the self-issued certificate may turn into a nightmare depending on the provider the device is connected to.

We use Comodo for our single SSL certificates and DigiCert for our wildcard certificate needs. They may not be the least expensive, but we get to talk to real people if we get into some sort of pickle.
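For the audit note and the reminder ahead of expiry described above, the following is an added example, not part of the original post: a PowerShell function that lists the certificates in the server's Personal store with their issuer, expiry date, days remaining and the date a reminder should fire. The function name, the 30-day lead time (taken from "a month or so") and the status labels are assumptions of this example.

```powershell
# Added example (not from the original post). Lists certificates in the
# local machine Personal store with expiry details for the network audit notes.
function Get-CertificateExpiryReport {
    param(
        # Certificates to audit; defaults to the computer's Personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Certificate = (Get-ChildItem -Path Cert:\LocalMachine\My),

        # Assumption: "a month or so ahead of the expiry" is taken as 30 days.
        [int]$ReminderDays = 30,

        [datetime]$Now = (Get-Date)
    )

    # Nothing to report if the store is empty.
    if (-not $Certificate) { return }

    foreach ($cert in $Certificate) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)

        # Hypothetical status labels used only by this example.
        if ($cert.NotAfter -lt $Now)          { $status = 'EXPIRED' }
        elseif ($daysLeft -le $ReminderDays)  { $status = 'RENEW' }
        else                                  { $status = 'OK' }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            # Issuer shows whether the certificate came from the server
            # itself or from a third party such as a commercial CA.
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            RemindOn   = $cert.NotAfter.AddDays(-$ReminderDays)
            Status     = $status
        }
    }
}

# Soonest expiry first; copy NotAfter and RemindOn into the audit notes.
Get-CertificateExpiryReport |
    Sort-Object NotAfter |
    Select-Object Status, DaysLeft, RemindOn, NotAfter, Issuer, Subject |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the server; the RemindOn value is the date to put in Outlook or the client management software.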

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


Anonymous said...

We are looking at transitioning all of our clients to public SSL certificates from the self-signed certificates. Do you resell the certificates or direct clients to purchase their own? We want to make the process as easy as possible for clients.

Anonymous said...

Hi Philip,

Comodo have a bewildering selection of SSL certificates to choose from. Which one do you usually use if you just want to secure

Philip Elder Cluster MVP said...


Agreed. :)

We use the General Security Cert for single domain use.


Philip Elder Cluster MVP said...


We did not sign on with their reseller program ... though maybe we should since we do install enough of them! :)

We handle the whole process right down to the registration and payment for our clients as part of our total infrastructure management package. Most of our clients are online with this one.

So, we usually flat fee the certificate so as to include a bit of extra.