Self-Signed SSL Certificates and You
Sometimes in a small business a few hundred dollars can mean a lot, and one way to squeeze that out of the IT budget is to drop the recurring renewal cost of an SSL certificate from a globally trusted CA (Certificate Authority). Let's be honest, CAs make a killing selling trusted certificates. You should know that just because a certificate isn't trusted doesn't mean the connection isn't encrypted (malicious sites have used self-signed certs too, but you are not malicious... right?). A self-signed cert negotiates the same cipher suites as the basic offerings from those CAs, so the traffic to your site is encrypted just fine. What it does not give you is authentication: unless the client already has your certificate (or your internal CA) in its trusted root store, a browser cannot tell your self-signed cert from one an attacker sitting on the path generated a minute ago, and a user who has been trained to click through your warning will click through the attacker's as well. And if you are like most of us, the internal server running your CA service is not one of the globally trusted "known good" CAs, so people who don't know you may get scared away, which makes self-signed a poor idea for a public SSL shopping cart. For sites and tools used only by your own personnel (Outlook Web Access, SSL-VPN, a SharePoint site, an extranet, etc.), where you control the client PCs and can push the cert out to them, it is a viable option. If external clientele access your SSL-secured site, a globally trusted certificate provider will make you look more professional and legitimate (red stop signs and warnings scare people on the internet).
The basic self-signed options in Windows Server will give you some headaches, because they automatically name the cert after the local hostname of your server. If users reach the site by any other name, that is a hostname mismatch, and just about every web browser will warn about it (THIS SITE IS NOT SAFE! DO NOT PASS GO! THE CERTIFICATE IS INVALID!). If you don't want to spend cash on a VeriSign, GoDaddy or equivalent trusted certificate just to make the "red bar" go away in IE7, you can at least make the names match and extend the life of the self-signed cert.
Use the "SelfSSL" tool from the "IIS 6.0 Resource Kit" on your WEB SERVER to change the certificate's subject name from the hostname of your Exchange server to mail.domain.com, owa.domain.net or whichever name your users actually type (a self-signed cert is its own issuer, so the issuer name changes along with it).
OPEN A COMMAND PROMPT ON THE WEB SERVER, CHANGE TO THE IIS 6.0 RESOURCE KIT FOLDER AND TYPE:
selfssl /N:CN=mail.domain.com /T /V:1460
Do you want to replace the SSL settings for site 1 (Y/N)? Y
You are done: you set the new cert name and made it expire in 4 years (1460 days). A few notes on the switches: /N: sets the subject common name and must match the hostname users type; /V: is the validity in days (SelfSSL's default is only 7); /T adds the cert to the Trusted Root store of the web server itself, so only a browser on that box trusts it automatically; /S:<site id> targets a site other than the default site 1; and /K:2048 gives you a larger key than the 1024-bit default. Now when someone installs the cert in their Trusted Root store, the browser accepts it because the name matches your site. Inside your Windows domain you can push it out with normal tools like Group Policy and the Windows CA service; for PCs outside the domain, where you cannot install it, you will need a certificate from a globally trusted authority (otherwise, good luck becoming a root certificate authority!).
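The same procedure on a current Windows Server, as an added example that is not part of the original post and not the SelfSSL tool: New-SelfSignedCertificate (PKI module; the -NotAfter switch needs Windows Server 2016 or later) creates the cert with the names users will type, the WebAdministration module binds it to the site on 443, the exported .cer is what you push to clients, and Test-Certificate checks the result the way a browser would. The hostnames, the site name and the C:\certs path are placeholders.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# web server. Placeholders: hostnames, site name, C:\certs.
$names    = @('mail.domain.com', 'autodiscover.domain.com')  # every name users will type
$siteName = 'Default Web Site'                              # IIS site to bind (SelfSSL's /S:1)
$days     = 1460                                            # 4 years, same as /V:1460
$outDir   = 'C:\certs'

# 1. Create the certificate. The first -DnsName becomes the CN; all of them go into
#    the Subject Alternative Name extension, which is what browsers actually match.
$cert = New-SelfSignedCertificate `
    -DnsName $names `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays($days) `
    -FriendlyName "Self-signed $($names[0])"

# 2. Bind it to the site on 443, replacing any existing SSL binding
#    (the same thing SelfSSL's "replace the SSL settings" prompt does).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
Remove-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# 3. Export the public certificate (no private key). Importing it into the local
#    Trusted Root store is what SelfSSL's /T did, and it only trusts THIS machine;
#    the same .cer goes to domain PCs via Group Policy:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$cerPath = Join-Path $outDir "$($names[0]).cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Check: does the cert pass the test a browser applies (name match, chain, server EKU)?
#    On the server it should now print OK for every name; on a client that has not
#    imported the .cer it would fail, which is exactly the warning users see.
$names | ForEach-Object {
    $ok = Test-Certificate -Cert $cert -DNSName $_ -Policy SSL -ErrorAction SilentlyContinue
    '{0,-30} {1}' -f $_, $(if ($ok) { 'OK' } else { 'MISMATCH OR UNTRUSTED' })
}
```

The point of step 4 is that "matches the name" and "is trusted" are two separate checks: renaming the cert fixes the first, distributing the .cer fixes the second, and the browser stays red until both pass.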
Purchasing certificates? Here are the main options for those ready to step up and buy trusted certificates for your domain:
Single Certificate ($):
Purchase for one site: secure.mydomain.com
Unified Communications Certificate (UCC, also called a SAN certificate):
Great for multiple domains and Exchange 2007: one cert can carry several domains and hostnames (subdomains) in its Subject Alternative Name field. The more expensive UCCs allow up to 100 domains/subdomains. A single UCC cert could house all of these:
mail.mydomain.com; mail.hisdomain.com; autodiscover.mydomain.com; autodiscover.hisdomain.com; www.mydomain.com; ssl.hisdomain.com; servername.domain.local
Note that public CAs no longer issue certificates for internal names such as servername.domain.local (the CA/Browser Forum prohibited them from November 2015), so internal-only names go on a cert from your own CA and the public UCC carries only the public names.
Wildcard Certificate (*.mydomain.com):
Great for multiple subdomains: one cert for all your hostnames (subdomains) under mydomain.com, and great for creating secure sites on the fly without having to create a new CSR. Two caveats: a wildcard matches a single label only, so *.mydomain.com covers mail.mydomain.com but not mydomain.com itself or a.b.mydomain.com; and every server using it holds the same private key, so a compromise of one box exposes all of them.
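If you go the purchased route, the one thing you have to produce is the CSR, and for a UCC it must carry every name up front, since the CA only signs what is in the request. As an added example (not from the original post), a PowerShell script that writes a certreq request file with the Subject Alternative Name extension filled in and generates the CSR with certreq.exe, which ships with Windows; the hostnames, the organization fields and the C:\certs path are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the server that will
# hold the private key. Placeholders: hostnames, O/L/S/C fields, C:\certs.
$primary = 'mail.mydomain.com'
$sans    = @('mail.mydomain.com', 'autodiscover.mydomain.com',
             'mail.hisdomain.com', 'autodiscover.hisdomain.com',
             'www.mydomain.com', 'ssl.hisdomain.com')
# Internal names (servername.domain.local) are deliberately NOT in the list:
# public CAs will reject them, so they belong on a certificate from your own CA.
$outDir  = 'C:\certs'

# 2.5.29.17 is the Subject Alternative Name OID; the {text} form takes
# "dns=a&dns=b&...". The primary name is repeated here because browsers
# ignore the CN when a SAN extension is present.
$sanText = 'dns=' + ($sans -join '&dns=')

# The first name in $sans must be the CN so the cert is consistent either way.
$inf = @"
[NewRequest]
Subject = "CN=$primary, O=My Company, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}$sanText"
"@

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$infPath = Join-Path $outDir 'ucc.inf'
$csrPath = Join-Path $outDir 'ucc.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine's REQUEST store and writes the PEM CSR.
certreq.exe -new $infPath $csrPath
Get-Content $csrPath   # paste this block into the CA's order form

# When the CA returns the signed cert (ucc.cer), join it to the pending key:
#   certreq.exe -accept C:\certs\ucc.cer
# It then appears in Cert:\LocalMachine\My with its private key, and you bind it
# in IIS the same way as a self-signed cert (New-Item IIS:\SslBindings\0.0.0.0!443).
```

KeyUsage 0xA0 is digital signature plus key encipherment and OID 1.3.6.1.5.5.7.3.1 is Server Authentication; CAs will typically set these themselves, but asking for them keeps the request consistent with what the web server needs. With a wildcard you would put *.mydomain.com in both the Subject and the SAN line and the list above shrinks to one entry.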