Thursday, March 17, 2011

Ugh, SSL Certificates

Through much trial and error I think I have it figured out:  there are three ways to go when it comes to SSL certificates for your business server needs, and each one can be painful.

  1. Self-signed certificates:  With Server 2003 a self-signed certificate meant that you just had to ignore that overly dire warning you were given in your browser.  It turns out that it is difficult for non-techies to ignore and has been quite a source of worry for the end user, who then decides that the system is broken and finds something else to do.  SBS 2008 changed that in that it becomes a pain in the neck to get your Outlook to work.
  2. Get a certificate from your favorite Certification Authority, like my favorite registrar  It's fast, easy, and somewhat expensive - a certificate for a single domain name (  is probably the one to invest inis $72.00 per subdomain for three years.  Then it gets ridiculous:  Outlook 2007+, Windows Server 2008 SBS or Exchange 2007 and 2010 want you to have a valid certificate that applies to each required subdomain, so a "wildcard certificate" would seem to be in order - I confirmed this by calling's tech support and asking them which certificate I should use to secure my SBS 2008 - they recommended the wildcard certificate as the answer to all of my needs.  $730 for 3 years.  Fortunately there are ways around this, so DON'T DO IT. See the excellent Third Tier Blog's explanation of how to configure your DNS to work around this.
  3. Get your certificates from StartSSL.  While I have not tried the truly free certificates that they offer, I did undergo the personal and organization validations which were $49.90 each (total of $99.90, I'm not sure what it will cost come renewal time) with the certs being good for two years.  Since I manage systems for multiple organizations it makes sense for me to validate each organization so that my personal details don't appear on their certificates!  Validating yourself and your organization means getting together your personal identifying docs like your drivers license, birth certificate, and phone bill, then your business identifying docs like Articles of Incorporation, Certificate of Insurance, and maybe your business license - whatever you can show that proves you are you and your business is on board with your plans to get a certificate with their name on it (meaning a letter from the owner or CEO).  When requesting certificates you have no option for a "wildcard" certificate, but you may specify as many subdomains as you desire for each of your verified domains - sweet.
An interesting note about StartSSL:  there has been some debate as to the legitimacy of StartSSL as a valid Certification Authority, especially with regards to the free certificates.  While it is easy to get their free certs if you can prove you own the domain, it is also easy to get certs from other CA's.  The barriers to entry to receive a basic SSL cert from the Registrars and other commercial CA's are:  verifying that you own the domain and paying their fees.  StartSSL's Class 1 performs domain name ownership verification.  StartSSL's Class 2 validates your identity using personal documents and business documents then calls your organization and verifies the info, even asking to speak with the owner or CEO!

The real debate is not whether freedom reduces crime with regards to SSL (IMHO it does not - even scammers know it takes money to make money) but whether users have the ability to truly trust an organization - a valid certificate is certainly NOT a guarantee you won't be ripped off, and I feel annoyed that SSL is presented in such a manner - like somehow the crummy lock icon means the web site is not owned and operated by a bunch of crooks

Since StartSSL isn't always considered when adding the Root CA's to OS's and devices you may also have some certificate issues, especially with ActiveSync - by the way, check your Exchange connectivity and certificate problems at