
Javier's SBS Wonderland

Take the red pill and see how far down the rabbit hole goes...

Cheap SSL Certs

I'm on some sort of vacation since last week at home in Puerto Rico... I say “some sort” because I'm actually upgrading my last SBS2k box to 2k3 and using the old box as a terminal server. While I was preparing the migration the client asked if there was a way to take out the “Security Warning” page that they get when they access OWA (and RWW in the future) from a public computer (one where the cert has not been imported previously)... and I told him that it would cost $400-800/yr to get a Verisign cert to fix that. We both knew that there was no way they were going to pay that for getting rid of such a small annoyance.

The next day I got curious, researched this a little more and found out that there were many “trusted” companies (I mean trusted in the sense that IE and most browsers already trust the SSL cert authority) that sell SSL certs for less than $30/yr. So, I asked my client if the “convenience” of not having to click on the security warning box was worth $30 and they said yes. So, I ran the SSL cert wizard on the SBS box to issue the CSR, then I went to www.godaddy.com and got a Turbo 128-bit SSL Cert in about 10-15 minutes. The browser (and more importantly my client) was happy.

This reinforced my beliefs on a couple of things...

1) This is not something I would normally do... but for $30 it is not a bad deal.

2) Verisign overcharges for pretty much everything... I don't know how people keep doing business with them. Who cares where the cert comes from (i.e. normal people don't check who's the issuing authority)?

3) Anyone can get an SSL cert. The “verification” process was a joke (just a reply to an email sent to the domain owner). While I really don't care for SBS, some people think that just because there is a “secure” icon on the browser the transaction is really secure.

That's all for now... :-)

 

Posted: Dec 27 2004, 09:59 PM by Javier | with 9 comment(s)

Comments

Javier said:

Bravo, Javier!
Yes, although these certs are issued by secondary providers, for our purposes they work just as well as the certs issued by the root CAs.

I also have suggested to many to use a commercial cert.

Also, be aware that the commercial cert is also a <must> for those companies that value security and support non-Domain clients... the self-signed cert SBS generates can be vulnerable to impersonation because it's not issued by a CA which is automatically trusted. We've all seen that Cert popup warning... The cert is validated as having the proper name, but <cannot be verified>.

A commercial cert solves this problem.
Note that if the client machine is a member of the Domain, it will trust certs issued by SBS.

Tony
# December 29, 2004 9:10 AM

Javier said:

Javier:

Going to Geotrust or one of its resellers (www.innossl.com>Professional Level Solutions>Microsoft Small Business Server SSL) you can purchase Certs specifically for the Microsoft SBS2003 environment. Trust Certs for up to 4 Servers for approx $250.00 total. Also in about 10 minutes.

Microsoft Small Business Server 2003 ™ - QuickSSL Premium certificates designed and optimized for securing multiple logical servers with a single certificate on Microsoft Windows Small Business Server 2003.

# January 6, 2005 9:35 AM


Javier said:

You could use the Windows AD-integrated Certification Authority to add trusted SSL certificates within your SBS environment (http://addicted-to-it.blogspot.com/2005/05/ssl-overview-for-sql-reporting.html). Now, it's not going to help users who are accessing OWA/RSS/whatever from clients that aren't part of your AD-environment, but if they're connecting from a laptop that's joined to your AD-environment they shouldn't get the warning when using an AD-integrated CA. And in an SBS environment the business owner/office manager is the one who is driving the IT decisions, and is the one concerned about the inconvenience of clicking Yes. If you're dealing with SBS-customers, you're dealing with people who don't want to spend a dime on a "convenience" feature, and using the integrated CA will probably satisfy the decision maker without having to even buy a "cheap" SSL-cert.
# June 7, 2005 10:19 AM

Javier said:

Actually, self-signed certs are deployed to all members of the SBS domain if you use the wizards. If you are going to access secure sites on computers that you have control over, it makes no sense to buy an SSL cert.

Cheap SSL certs are mostly for people that need to access OWA/RWW from outside and they do it from different computers every day (i.e. Internet Cafe) and hate clicking OK to the security warning. I certainly don't see many people buying them, but for $30/yr it is not really a bad deal at all (as I stated on #1).
# June 7, 2005 10:39 AM
