[clue] SSL Certificates
Jim Ockers
ockers at ockers.net
Tue Jun 7 18:13:59 MDT 2011
Hi Brad,
Brad Morgan wrote:
> I have a need to put a real SSL Certificate on a Windows Small
> Business Server running Exchange. The domain is currently hosted at
> GoDaddy and they provide both web hosting and email. The email is
> fetched from GoDaddy into Exchange using the POP3Connector (and sent
> using an external SMTP server ("Smarthost")). Exchange provides a web
> interface and when you attach to this web interface, you get a
> certificate error which you can click through to get to it.
>
> Blackberry smart phones can attach to this configuration and while
> they initially complain about the certificate, the phone can be
> convinced to ignore the error (permanently). A Windows smart phone
> gets the certificate error and punts, creating the need for a real
> certificate.
>
> Does anyone on this list have any experience with SSL certificates
> that can clue me in on what I need to do?
>
> Thanks,
>
> Brad

The way SSL certificates work is as follows. The certificate
authorities somehow get their public key (root certificate) in web
browsers and internet software such as Internet Explorer, Firefox,
Chrome, etc. This might involve the exchange of large sums of money
from the certificate authority to the software company, or at least some
bribes or hookers and blow or something. Either way, it is generally
not possible for individuals to get their own root certificate authority
certificates installed in every web browser and device with internet
access because the process can get expensive.

Anyway, once the root certificate is out there in every client device,
the certificate authority can then turn around and charge businesses and
individuals like yourself $bigbucks per byte for their "signature" on
your own web server's public key (the "certificate" for your web
server). With their blessing and signature, client devices like
your phone will accept the certificate because it's been signed by
someone that the phone believes to be legit.

You have 2 options:

1. Buy a commercial SSL certificate from a commercial certificate
   authority (Verisign = $$$) for your Exchange server. Then install the
   certificate on your web server and your phone will talk to it over SSL
   and not throw any error messages.

2. Create your own certificate authority. It is super easy and will take
   you 5 to 50 minutes depending on what software you have and if you can
   find the right documentation. Then you'd need to import your own
   certificate authority's "root certificate authority certificate" into
   your phone. Then you'd create another SSL key pair (the private key and
   "certificate") for your Exchange server, sign the certificate with your
   certificate authority, and then your phone will accept the self-signed
   certificate without throwing an error.

I hope this helps,

Jim
--
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/msi.html
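
The steps of option 2 in the reply above, sketched with the openssl command line as an added example (not part of the original message, which names no particular tool). The file names, CN values and the host name mail.example.com are assumptions.

```shell
#!/bin/sh
# Added example: private root CA plus one server certificate signed by it.
# Directory layout, CN values and host names are assumptions.

make_ca() {            # $1 = output directory
    dir=$1; mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root certificate: ca.crt is the file imported into clients.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the CA private key stays off the server
}

issue_server_cert() {  # $1 = directory holding the CA, $2 = server host name
    dir=$1; host=$2
    # Server key pair plus a signing request (CSR) naming the host.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Leaf extensions: not a CA, server authentication only, host name in SAN.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" > "$dir/leaf.ext"
    # The CA signs the CSR; server.crt and server.key go on the web server.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt"
}

chain_ok() {           # $1 = directory; true if server.crt chains to ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Only ca.crt is imported into the phone; anyone who obtains ca.key can issue certificates that every device trusting this CA will accept.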