[clue] SSL Certificates

Jim Ockers ockers at ockers.net
Tue Jun 7 18:13:59 MDT 2011


Hi Brad,

Brad Morgan wrote:
>
> I have a need to put a real SSL Certificate on a Windows Small 
> Business Server running Exchange.  The domain is currently hosted at 
> GoDaddy and they provide both web hosting and email. The email is 
> fetched from GoDaddy into Exchange using the POP3Connector (and sent 
> using an external SMTP server ("Smarthost")). Exchange provides a web 
> interface and when you attach to this web interface, you get a 
> certificate error which you can click through to get to it.
>
> Blackberry smart phones can attach to this configuration and while 
> they initially complain about the certificate, the phone can be 
> convinced to ignore the error (permanently). A Windows smart phone 
> gets the certificate error and punts, creating the need for a real 
> certificate.
>
> Does anyone on this list have any experience with SSL certificates 
> that can clue me in on what I need to do?
>
> Thanks,
>
> Brad
>
The way SSL certificates work is as follows.  The certificate 
authorities somehow get their public key (root certificate) in web 
browsers and internet software such as Internet Explorer, Firefox, 
Chrome, etc.  This might involve the exchange of large sums of money 
from the certificate authority to the software company, or at least some 
bribes or hookers and blow or something.  Either way, it is generally 
not possible for individuals to get their own root certificate authority 
certificates installed in every web browser and device with internet 
access because the process can get expensive.

Anyway once the root certificate is out there in every client device, 
the certificate authority can then turn around and charge businesses and 
individuals like yourself $bigbucks per byte for their "signature" on 
your own web server's public key (the "certificate" for your web 
server).  With their blessing and signature, then client devices like 
your phone will accept the certificate because it's been signed by 
someone that the phone believes to be legit.

You have 2 options:

1. Buy a commercial SSL certificate from a commercial certificate 
authority (Verisign = $$$) for your Exchange server.  Then install the 
certificate on your web server and your phone will talk to it over SSL 
and not throw any error messages.

2. Create your own certificate authority; it is super easy and will take 
you 5 to 50 minutes depending on what software you have and if you can 
find the right documentation.  Then you'd need to import your own 
certificate authority's "root certificate authority certificate" into 
your phone.  Then you'd create another SSL key pair (the private key and 
"certificate") for your Exchange server, sign the certificate with your 
certificate authority, and then your phone will accept the self-signed 
certificate without throwing an error.

I hope this helps,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/msi.html
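For anyone following option 2 above, here is a worked version of the steps Jim describes (a private CA root, a server key pair, the server certificate signed by that CA, and a check that the chain verifies) using the openssl command-line tool. This is an added example, not Jim's or Brad's own configuration; the hostname `mail.example.com`, the file names, the certificate lifetimes and the PFX password are all assumptions. Only `ca.crt` goes onto the phone; `ca.key` is the signing key and should never leave the machine that acts as the CA.

```shell
#!/bin/sh
# Added example, not part of the original post: option 2 (a private CA,
# a root certificate to import on the phone, and a server certificate
# signed by that CA) carried out with the openssl command-line tool.
# The hostname, file names, lifetimes and the PFX password are assumptions.
set -eu

# build_private_ca WORKDIR HOSTNAME
# Writes ca.key/ca.crt (the private CA), server.key/server.crt (the server
# certificate signed by that CA) and server.pfx (key + chain bundled for a
# Windows/Exchange import) into WORKDIR. Returns 0 only if the server
# certificate verifies against the CA root and carries HOSTNAME in its SAN.
build_private_ca() {
    workdir="$1"
    host="$2"
    mkdir -p "$workdir"

    # 1. The private CA: a self-signed root. CA:TRUE plus keyCertSign is
    #    what lets clients accept the certificates it signs.
    cat > "$workdir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$workdir/ca.cnf" -extensions v3_ca \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null

    # 2. The server key pair and a signing request for it. Clients match
    #    the name they connect to against subjectAltName (set in step 3).
    cat > "$workdir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$workdir/server.cnf" \
        -keyout "$workdir/server.key" -out "$workdir/server.csr" 2>/dev/null

    # 3. Sign the request with the CA. The extensions make this an
    #    end-entity (CA:FALSE) certificate usable only for TLS servers.
    cat > "$workdir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$workdir/server.csr" \
        -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$workdir/server.ext" \
        -out "$workdir/server.crt" 2>/dev/null

    # 4. Bundle key, certificate and CA root as PKCS#12 for the Windows /
    #    Exchange side; ca.crt alone is what gets imported on the phone.
    openssl pkcs12 -export -inkey "$workdir/server.key" \
        -in "$workdir/server.crt" -certfile "$workdir/ca.crt" \
        -passout pass:changeit -out "$workdir/server.pfx"

    # 5. Check the result the way a client would: server.crt must chain
    #    to ca.crt, and the hostname must appear in its SAN list.
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/server.crt" >/dev/null
    openssl x509 -in "$workdir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Stand-alone run: build everything in a fresh temporary directory.
demo_dir=$(mktemp -d)
build_private_ca "$demo_dir" "mail.example.com"
echo "private CA and server certificate written to $demo_dir"
```

The server certificate is deliberately not self-signed in the strict sense: it is signed by the private root, which is why the phone stops complaining once that root is trusted. Step 5 is the check worth keeping around, since a certificate that chains correctly but lacks the hostname in its SAN still produces the error Brad describes.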

