Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Self-signed Cert about to Expire 1
- Thread starter jsonchan
- Start date
- Thread starter
- #3
I can spend time explaining how to do it, Google can help you understand how to do it, searching in this forum or the IIS forum will also explain how to do it.
Once you have got some information, you can try to implement in your system until you get it done.
Then explain to your users about continuing past a self signed certificate, getting Outlook Anywhere to work correctly, getting Windows Mobile devices working for those that will work with self signed certs or go to godaddy and spend $20 for a 2 year certificate.
Exchange MVPs are recommending this even for single user Exchange servers due to the drop in issues and increase in useability.
Once you have got some information, you can try to implement in your system until you get it done.
Then explain to your users about continuing past a self signed certificate, getting Outlook Anywhere to work correctly, getting Windows Mobile devices working for those that will work with self signed certs or go to godaddy and spend $20 for a 2 year certificate.
Exchange MVPs are recommending this even for single user Exchange servers due to the drop in issues and increase in useability.
-
1
- #5
ryanak
IS-IT--Management
- Dec 5, 2008
- 50
I ran into this issue a couple weeks ago myself.
There are two easy approaches you can take.
If the server is an SBS server you can run the Server Management console.
Select "To Do List"
and run the "Connect to Internet" wizard.
That should work, but if not there is another option.
If you are running any version of Microsoft Server 2003 and Exchange 2003; the second option is to get the IIS Resources Toolkit from Microsoft
Once installed, you will have a new menu in your start menu that says "IIS Resources" in that folder there is a folder called "ISS CertDeploy.vbs" select that folder and you will find the "IIS CertDeploy.vbs" program. this is a command line tool and does a pretty good job telling you how to deploy a new cert.
Follow the instruction that come up as soon as you load the program, and within mintues you have your new Self Signed SSL cert deployed.
There are two easy approaches you can take.
If the server is an SBS server you can run the Server Management console.
Select "To Do List"
and run the "Connect to Internet" wizard.
That should work, but if not there is another option.
If you are running any version of Microsoft Server 2003 and Exchange 2003; the second option is to get the IIS Resources Toolkit from Microsoft
Once installed, you will have a new menu in your start menu that says "IIS Resources" in that folder there is a folder called "ISS CertDeploy.vbs" select that folder and you will find the "IIS CertDeploy.vbs" program. this is a command line tool and does a pretty good job telling you how to deploy a new cert.
Follow the instruction that come up as soon as you load the program, and within mintues you have your new Self Signed SSL cert deployed.
- Thread starter
- #6
You can lead a horse to water.
Let's assume that it takes 30 minutes to renew the self signed certificate and you do that each year.
Let's further assume that you only waste in total 5 minutes per employee including time taken by support to sort out problems with Outlook clients, PDAs, mobile phones, OWA etc.
Finally let's assume that the average wage is $20 an hour and that you have 24 employees in the company (because the maths is easier).
Renew certificate: 1 hour across 2 years.
Sort out 1 Outlook issue and 0.5 mobile device certificate problems per user in the 2 year period: 3 hours total.
Total expenditure: 4 hours or $80.
These numbers are very conservative. Not only do you get more productivity, you don't get nag screens for every user every time they use a new device and number of support calls drops.
However...it *does* save $20 over 2 years.
Let's assume that it takes 30 minutes to renew the self signed certificate and you do that each year.
Let's further assume that you only waste in total 5 minutes per employee including time taken by support to sort out problems with Outlook clients, PDAs, mobile phones, OWA etc.
Finally let's assume that the average wage is $20 an hour and that you have 24 employees in the company (because the maths is easier).
Renew certificate: 1 hour across 2 years.
Sort out 1 Outlook issue and 0.5 mobile device certificate problems per user in the 2 year period: 3 hours total.
Total expenditure: 4 hours or $80.
These numbers are very conservative. Not only do you get more productivity, you don't get nag screens for every user every time they use a new device and number of support calls drops.
However...it *does* save $20 over 2 years.
- Thread starter
- #10
Thanks for thoughtful analysis!!
However, I have no luck with Godaddy. Since I run my OWA with ".com.hk" domain. Its far more expensive if I really apply a SS-Cert from HK's CA.
So that's why I hope someone can show me the procedure on how I can renew the SS-cert from my internal CA (running on Win2k3).
However, I have no luck with Godaddy. Since I run my OWA with ".com.hk" domain. Its far more expensive if I really apply a SS-Cert from HK's CA.
So that's why I hope someone can show me the procedure on how I can renew the SS-cert from my internal CA (running on Win2k3).
ryanak
IS-IT--Management
- Dec 5, 2008
- 50
Though it is ALWAYS best to have a signed cert from a known CA, it isn't the only answer.
When it comes to OWA, Outlook,RPC-over-HTTPS, and OMA, I have yet to run into a single problem with a self signed SSL. It takes only a minute longer to properly install the self signed SSL.
I certianly agree with Zelandakh, that buying the SSL cert is the best approach.
But as we all know, in this industry, depsite our recommendations we have to do what management/the client asks.
The IIS Resources Toolkit is well documented, and should work perfectly for hk domains since you tell it the domain name. you can select how many days the cert is good for, and i belive it maxes out at 3 years (maybe 5). i have only had to use it once, but i opened the program and just typed /help and read the short helpfile with examples that was on the page. took less than half an hour to setup the new cert.
When it comes to OWA, Outlook,RPC-over-HTTPS, and OMA, I have yet to run into a single problem with a self signed SSL. It takes only a minute longer to properly install the self signed SSL.
I certianly agree with Zelandakh, that buying the SSL cert is the best approach.
But as we all know, in this industry, depsite our recommendations we have to do what management/the client asks.
The IIS Resources Toolkit is well documented, and should work perfectly for hk domains since you tell it the domain name. you can select how many days the cert is good for, and i belive it maxes out at 3 years (maybe 5). i have only had to use it once, but i opened the program and just typed /help and read the short helpfile with examples that was on the page. took less than half an hour to setup the new cert.
- Status
Similar threads
- Question
- Locked
- Question
- Locked
- Helpful tip
- Locked
- Question