from commercial SSL certificate to a free SSL certificate

Exchange 2013 cu4

We have been using a Verisign SSL certificate for our OWA URL. Our only purpose is so that users won't get the SSL/unknown certificate error when they go to our OWA site. In this regard, can I shift from using a commercial (and expensive) SSL certificate provider to one that offers them for free? If I stick to the same details I used in the current certificate, do you think I'll face some issue if I now apply an SSL certificate from a free provider?

September 14th, 2015 6:02am

Hi Reno,

It's best to use an SSL X.509 certificate with all the domains, primary and alternative, used by your Exchange setup.

It's best for it to be an SSL SAN or wildcard certificate, from a trusted third-party or commercial CA. With self-signed and PKI-based certificates you have the extra headache of importing them to the client.

Use the following criteria when you select a CA to buy your certificates from:
  • Ensure the CA is trusted by the client software (operating systems, browsers, and mobile phones) that will connect to your Exchange servers.

  • Choose a CA that says it supports Unified Communications certificates for use with Exchange server.

  • Make sure that the CA supports the kinds of certificates that you'll use. Consider using subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other CAs don't support as many host names as you might need.

  • Make sure that the license you buy for the certificates allows you to put the certificate on the number of servers that you intend to use. Some CAs only allow you to put a certificate on one server.

  • Compare certificate prices between CAs.

Digital certificates and SSL:

https://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx

September 14th, 2015 6:33am

Free/cheap SSL certificates work just fine as long as they are trusted by the clients. Generally the free ones don't allow multiple names (SAN/UCC) which is OK for the OWA URL, but I prefer to also include autodiscover.domain.com to facilitate autodiscover for Internet devices.

Just a note that if Exchange 2013 doesn't trust the cert then it won't show in the list of certificates in the Admin interface.

Later this year a new project offering free certificates will go live: https://letsencrypt.org/

September 14th, 2015 10:07am

Hi Reno,

Thank you for your question.

I agree with the above suggestion.

In addition, we should re-assign the certificate on the Exchange server and assign the services to this free certificate. Then, if this certificate is trusted by the client, we do not need to do anything on the client; if not, we need to import the certificate to the client so that users won't get the certificate error.

We could refer to the following link to assign a new certificate:

https://technet.microsoft.com/en-us/library/bb125165(v=exchg.150).aspx 

If there are any questions regarding this issue, please feel free to let me know.

Best regards,

Jim

September 14th, 2015 10:16pm
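
The checks discussed in the replies above (Exchange trusts the certificate, it covers the OWA and autodiscover names, then assign it to the service), as an added example that is not part of the original thread. The host names and the thumbprint are placeholders and assume the new certificate has already been imported on the server.

```powershell
# Run in the Exchange Management Shell on the Exchange 2013 server.
# Assumed placeholder values, not taken from the thread:
$requiredNames = @('mail.example.com', 'autodiscover.example.com')
$thumbprint    = '<THUMBPRINT-OF-NEW-CERTIFICATE>'

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# 1. Exchange itself must consider the certificate valid (trusted chain, not expired).
if ($cert.Status -ne 'Valid') {
    throw "Certificate status is '$($cert.Status)'; fix the trust chain before assigning services."
}

# 2. Every name clients connect to must be on the certificate,
#    either as an exact entry or through a one-level wildcard.
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = foreach ($name in $requiredNames) {
    $n        = $name.ToLower()
    $wildcard = '*.' + ($n -split '\.', 2)[1]
    if ($certNames -notcontains $n -and $certNames -notcontains $wildcard) { $name }
}
if ($missing) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# 3. Flag a certificate that is already close to expiry.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)."
}

# 4. Assign the certificate to IIS, which serves OWA.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS

# 5. Confirm which certificate now holds which services.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, NotAfter
```

If the certificate carries only the OWA name, step 2 stops on the autodiscover entry; remove that name from `$requiredNames` when a single-name certificate is the intended setup.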