In response to my previous Exchange tip, Exchange 2007 and certificates, TechRepublic reader and blogger Justin Fielding asked this question: “Can you self-sign certificates for use with Exchange? If so, what is the best way to do this?” I’m going to answer the first part of the question in this tip which will also answer the second part.When you initially install Exchange 2007, a self-signed certificate is automatically generated and put into use on the new machine. So that answers the second part of the question. Now, the real question is this: Should you use this self-signed certificate in a production environment.
The answer: Probably not. At least not long-term.
Not all of Exchange 2007 services will work with the default self-signed certificate. Of most interest, Outlook Anywhere (formerly RPC over HTTP) will not work. OWA and ActiveSync will work with the self-signed certificate but in OWA, users will receive a certificate warning in IE7 and ActiveSync users will need to manually copied to the trusted root certificate store on their mobile devices. The reason: Windows mobile devices require a path back to a root certificate in order to function. If you’re supporting a large Exchange infrastructure, this copying task not an ideal scenario. If you have just a few mobile users and your other users don’t mind certificate warnings in OWA, you might be fine with the default certificate option.
Note: I’ve heard rumors that Windows Mobile 6 will support ActiveSync 4.5’s ability to get device certificates to ease third-party certificate installation. As soon as Windows Mobile 6 is made available for my Treo 750, I’ll test this possibility.
As a final note in the self-signed certificate story, the initial certificate is valid for only twelve months after you install your server. Therefore, at some point, you either need to renew the self-signed certificate, install a third-party certificate or implement a full-blown Public Key Infrastructure in your organization. My recommendation for small- to mid-sized organizations: Spend a few hundred dollars and get an Exchange 2007 Unified Communications Certificate. It will save you some headache and you can rest assured that your SSL-based services will work.
