Here’s a list of the current major SAN (Subject Alternative Name) certificate providers and some basic information on costs and configuration. SAN certificates have been part of the X.509 standard since 1999, but only since the advent of Exchange 2007 have they been widely used.
In previous versions of Exchange you only really needed one name, for OWA; the same domain name could be used for POP3 and pretty much anything else, as those services were using different IP ports.
With Exchange 2007, however, there are multiple FQDNs that need to be accessed internally and externally and that all need to point to the same Exchange server on the same SSL port (which of course has domain name validation), hence the need for SAN certificates.
There are a number of different ways to configure the autodiscover service the majority of which are outlined here http://technet.microsoft.com/en-us/library/bb332063%28EXCHG.80%29.aspx.
The minimum you can get away with (in the real world) is 4 names, and they’ll usually take the following structure:
autodiscover.<SMTP address name>.com | For external autodiscover connections
mail.<SMTP DNS name>.com | For external OWA, TLS, & POP3S
CASservername.<internal DNS name>.local | For internal FQDN resolution
CASservername | For internal ‘server name only’ resolution
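A quick way to confirm a certificate actually covers all four of those names before you bind it to the Client Access Server is to compare its SAN list against the names the server is reached by. The script below is an added example, not something from the original post or from any of the providers listed: it parses the SAN line as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`, applies one-label wildcard matching, and reports the names that are not covered. The hostnames (example.com, corp.local, cas01) and the sample openssl output are constructed placeholders.

```python
"""Check that a certificate's Subject Alternative Names cover every
hostname an Exchange 2007 Client Access Server is reached by.

Added example (not from the original post). The text parsed here is the
format printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`;
the hostnames and the certificate output below are constructed samples.
"""
import re

# The four names the post says a real-world Exchange 2007 deployment needs.
# 'example.com', 'corp.local' and 'cas01' are constructed placeholders.
REQUIRED_NAMES = [
    "autodiscover.example.com",   # external Autodiscover
    "mail.example.com",           # external OWA, TLS and POP3S
    "cas01.corp.local",           # internal FQDN
    "cas01",                      # internal short server name
]

# Constructed sample: what openssl prints for a cert that carries only the
# two public names plus a wildcard, so the two internal names are missing.
SAMPLE_OPENSSL_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:mail.example.com, DNS:autodiscover.example.com, DNS:*.example.com
"""


def parse_san_dns_names(openssl_text: str) -> list[str]:
    """Extract the DNS: entries from openssl's subjectAltName output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a leading '*' covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    # The wildcard covers one label only: host.example.com, not a.b.example.com
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def missing_names(required: list[str], san_names: list[str]) -> list[str]:
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required if not any(san_matches(s, h) for s in san_names)]


def check_openssl_output(openssl_text: str, required=REQUIRED_NAMES) -> list[str]:
    """Parse openssl's SAN output and report uncovered required names."""
    return missing_names(required, parse_san_dns_names(openssl_text))


if __name__ == "__main__":
    for name in check_openssl_output(SAMPLE_OPENSSL_OUTPUT):
        print(f"NOT COVERED: {name}")
```

Run it against the real openssl output of the certificate you are about to install; an empty result means every name in REQUIRED_NAMES is covered. Note that a public wildcard such as *.example.com does nothing for the internal .local FQDN or the bare server name, which is exactly why those have to be listed as separate SAN entries.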
Prices have been coming down steadily in recent months for SAN certificates (it’s a good job, as when Exchange 2007 first arrived they cost $1000+). Microsoft currently recommends only 3 SAN suppliers (GlobalSign, Entrust & Comodo), which makes you wonder why more haven’t asked to be on that page….
Below is an overview of what’s currently (easily) available; if I’ve missed you off the list, then please contact me and I’ll get you added….
DigiCert (www.digicert.com) – $328 per year – 4 names
Verisign (www.verisign.co.uk) – $1,200 per year – 4 names
GlobalSign (www.globalsign.co.uk) – $195 per year – 4 names
Entrust (www.entrust.net) – $449 – 10 names
Comodo (www.comodo.com) – $284 per year – 4 names
RapidSSL (www.rapidssl.com) – $199 – unlimited names
Certificates for Exchange (www.certificatesforexchange.com) – $59 per year – 5 names (can be full domain names)
Historically you had to be careful to ensure the chosen public certificate authority supported the application it was securing, but all the providers above report 99% browser compatibility and all will work with Exchange 2007+.
On the face of it, Certificates for Exchange appears to be offering an astonishing deal, but once you check the site out and realize it is a GoDaddy account inside a wrapper, it might make you think twice.
Which SAN certificate should you choose?
I guess it’s down to budget and technical ability: the GoDaddy cert is very cheap, but if something unforeseen happens during its creation or installation then it’ll be quite painful to sort out (it’s happened to me!). The providers that charge more for their certificates usually have better support structures in place that will expedite the resolution of any problems that may arise.
Please comment with any experiences that you think may benefit other users, and please keep them rant free.