Monday 2 June 2008

Wildcard Certificates - Your recommendations?

We are in a position where we want to consolidate a subdomain set for a client setup.

One of the things we want to do is drop the self-signed SBS certificate setup for a wildcard SSL certificate setup.

So far, there seems to be a wide variety of SSL certificate providers with a huge variety of upfront and sometimes hidden charges for wildcard certificates.

In our research, we have looked at GoDaddy, Comodo SSL, GeoTrust, Digicert and others.

In this case we are looking at some of the following purposes:
  • A minimum of 3-5 SBS servers will be secured via the certificate
  • The subdomain names sometimes need to be changed
  • Remote Web Workplace, OWA, Exchange RPC/HTTPS
  • SBS 2008 RDP Certificate
So far, it looks as though the Digicert service will provide the best value for the cost of the service.

Please chime in on your experiences. Who have you used for these types of services and how is their ability to service and support your certificate needs?

Any input is greatly appreciated.

Thanks for reading.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

5 comments:

Anonymous said...

I'm wondering the same thing right now.

Thanks to IE7, then Vista, now SP3, MS has nearly killed RWW for actual users.

So it's quite time for 3rd-party RWW certs. Wildcard certs are pricy everywhere, so it'll probably be one-off Godaddy certs for my folks.

Philip Elder Cluster MVP said...

Rob,

There seems to be a huge change in the way the self-signed certificates work coming in SBS 2008.

With single SSL certificates running around $50 a year or less, it seems to be reasonable to obtain one. For those situations where we have a client with a domain setup, we will be including the cost of the certificate in the quote with a note indicating that it is an annual cost along with their domain registration.

The wildcard situation is fairly unique to a few of our clients that require subdomains.

So, we shall see.

Thanks for the comment.

Philip

stryqx said...

I've used Verisign, Thawte and GeoTrust as certificate providers.

Of these three, I've been happiest with GeoTrust. Simple to acquire, good online help and backed up with good support.

GeoTrust also have an SBS-specific product. I haven't used it yet though.

Anonymous said...

To secure our internal network of sharepoint/owa/rww/activesync(different servers) we used eWay(Australia) who resell RapidSSL wildcards.

its accepted in all browsers, the drawback is the root cert needs installing on windows mobile devices.

In Outlook RPC the msstd line needs to read msstd:*.domain.com for the wildcard to work, this doesnt seem to be documented well.

Regards,
Ryan
Australia

Philip Elder Cluster MVP said...

So far I am leaning towards Comodo.

If I read their info correctly, we can generate certificates specifically for the subdomain instead of *.mydomain.com.

This whole situation is a bit of a rat's nest trying to figure out which certificate would work the best.

The big stumbling block so far is Ryan's point: Windows Mobile 5/6.

PDAs, Windows Mobile 5/6, and the new SBS 2008 are the main reasons I am looking to trusted certificates.

Thanks for the comments folks.

Philip