Petri IT Knowledgebase has published my article on the merits of choosing commercial SSL certificates over self-signed or privately issued ones for Exchange Server 2010.
The business case is clear for purchasing SSL SAN certificates from a genuine commercial certificate authority to use with Exchange Server 2007 and 2010. For an outlay of as little as a few hundred dollars the business receives the benefits of:
- Far less administrative effort to implement and maintain SSL for Exchange services
- Compatibility with devices and applications that require connection to Exchange services over SSL
- Access to Exchange services such as Outlook Web App for remote workers without undermining the security of the network or encouraging insecure behavior by users
Read the full article here.
I frequently encounter customers who request (in some cases demand) to deploy, or have already deployed, Exchange Server 2010 with a self-signed or privately issued certificate. In 2007 it was possible, though cumbersome and frustrating. In Exchange 2010 it is possible in some scenarios, equally frustrating, and in a few cases it seems to be impossible to achieve 100% seamless integration and trust even for domain members (notably Exchange 2010 with Outlook 2010).
Any perceived cost savings by avoiding commercial certificates are a false economy. You spend far more on consultant and administrator effort to implement and maintain the environment with non-commercial certificates.
I generally recommend DigiCert's Unified Communications certificate for Exchange Server 2010 deployments, as I find them easy to deal with and good value.