Godaddy.com UCC ok to use?

  • Question

  • I need to purchase a UCC cert for a new OCS 07 edge server deployment and I'm comparing the godaddy.com UCC ($70 per year for 5 SANs) to the Entrust UCC ($600 per year for 10 SANs). The cost difference is clear, but are there any other differences? Is anyone successfully using a Godaddy.com UCC on their OCS edge server?

    Previously I purchased a godaddy.com cert for use and I could not get it working due to a bad chain of certs and the intermediate certs. Is this still a problem for godaddy.com certs?

    I only have PIC and external access configured on the edge server, so I assume I will only need one SAN on the cert?

    Subject: external server name configured on the OCS edge interface

    SAN: sip.domain.com

    Any comments or feedback is appreciated. Thanks!

    Wednesday, March 12, 2008 1:05 PM

All replies

  • They are on the officially supported list, so I would say yes.

    http://support.microsoft.com/kb/929395

    The following table includes the name and the Web site for the certification authorities that issue Unified Communications Certificates for Microsoft Exchange and for Communications Server 2007.

    Certification authority    Web site
    Entrust     http://www.entrust.net/microsoft/
    Comodo      http://www.comodo.com/msexchange
    DigiCert    http://www.digicert.com/unified-communications-ssl-tls.htm
    Go Daddy    http://www.godaddy.com/

    Johan

    Wednesday, March 12, 2008 11:46 PM
  • You can use a GoDaddy certificate for other purposes on OCS servers, but a GoDaddy certificate is not supported for Public IM Connectivity. There are many issues you might face if you use a GoDaddy certificate.

    It is not recommended or supported to have a GoDaddy cert on an Access Edge Server or Access Proxy Server if you are using these servers for PIC.

    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com

    Thursday, March 13, 2008 8:25 AM
  • Could you explain why these certificates are not good for the Edge Server and PIC access?

    Why would they be on the supported list from Microsoft and not work?

    Johan

    Thursday, March 13, 2008 8:45 AM
  • GoDaddy certificates won't work with PIC. The GoDaddy certificate chain is not in the default authority list on the MSN and AOL side. So specifically MSN does not support this, and I can say from past work that I know AOL will also not import trusted authorities. With PIC, all it takes is one cloud not to support something to make the entire model not support it.

    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com
    Thursday, March 13, 2008 8:51 AM
  • Thanks,

    Can you comment on the other certificate providers in the support list?

    Certification authority    Web site
    Entrust     http://www.entrust.net/microsoft/
    Comodo      http://www.comodo.com/msexchange
    DigiCert    http://www.digicert.com/unified-communications-ssl-tls.htm

    Johan

    Thursday, March 13, 2008 8:55 AM
  • Entrust

    The AOL Session Initiation Protocol (SIP) gateway uses both the server authentication attribute and the client authentication attribute of the certificate to establish an encrypted channel between servers. By default, Entrust certificates do not include the client authentication attribute. Therefore, the PIC feature does not work when you use Entrust certificates to connect to AOL.

    By contrast, MSN and Yahoo use only the server authentication attribute of the certificate. Therefore, the PIC feature does work when you use Entrust certificates to connect to MSN and Yahoo.
    http://support.microsoft.com/?id=918284

     

    The other two certs are supported... I'd still recommend Verisign and Thawte; these are widely accepted...

    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com

    Thursday, March 13, 2008 9:03 AM
  • Excellent, thank you for the information and providing specifics on the cert reqs and godaddy.com certs.

    The DigiCert UCC seems to be the most cost-effective offering and will most likely be the cert of choice if I can get the cost approved...

    I didn't see any UCCs on Verisign's or Thawte's website. Do they offer UCCs? Thanks again.

    Thursday, March 13, 2008 4:31 PM
  • Very interesting topic!

    Any feedback about Comodo or DigiCert?

    Andrew

    Friday, March 14, 2008 3:46 PM
  • Personally I wouldn't recommend a COMODO cert if you are planning to use it with the Tanjay IP phones from an external network.

    We received the cert from COMODO in the form of a certificate chain that includes an intermediate CA, and I think that is the problem, as Tanjay phones are not able to connect from home to the edge server and stop with a "cannot download certificate" error / timeout. Didn't check whether it works with PIC or not.
    Friday, March 14, 2008 8:57 PM
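Two of the failure modes in this thread can be reproduced and checked locally before a certificate is bound to an Access Edge interface: the "bad chain" / intermediate CA problem (the original question and the COMODO post above), and the KB 918284 requirement that the certificate carry the client authentication EKU as well as server authentication, plus a sip.<domain> SAN. The script below is an added example, not code from the thread, from Microsoft or from any of the CAs named. It assumes a POSIX shell with openssl 1.1.1 or later; the host names edge.example.com and sip.example.com and the CA names are constructed for the demonstration. It builds a root, an intermediate and a leaf, shows that `openssl verify` fails when only the root is trusted and the intermediate is missing and succeeds once the intermediate is supplied (which is what the edge server must send to the far end), and then checks the leaf's EKU and SAN contents.

```shell
#!/bin/sh
# Added example: local root -> intermediate -> leaf chain, then the chain, EKU and SAN
# checks a practitioner would run on an OCS Access Edge certificate. Names are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extensions for the two CA certificates.
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: serverAuth AND clientAuth EKU (KB 918284: AOL's SIP gateway needs
# both) and a SAN list that includes sip.example.com alongside the edge host name.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:edge.example.com,DNS:sip.example.com
EOF

gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

build_pki() {
    gen_key root.key; gen_key inter.key; gen_key leaf.key
    # Self-signed root (constructed "Demo Root CA").
    openssl req -new -config req.cnf -key root.key -subj "/CN=Demo Root CA" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem 2>/dev/null
    # Intermediate issued by the root.
    openssl req -new -config req.cnf -key inter.key -subj "/CN=Demo Issuing CA" -out inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
        -extfile ca.ext -out inter.pem 2>/dev/null
    # Leaf (edge server) issued by the intermediate; CN is the external edge name.
    openssl req -new -config req.cnf -key leaf.key -subj "/CN=edge.example.com" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 1 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# 0 only if the leaf validates with nothing but the root trusted: it does not, because
# the issuer (the intermediate) cannot be found. This is the "bad chain" symptom.
verify_without_intermediate() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# 0 when the intermediate is supplied with the leaf, as the server must present it.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# 0 when the cert's Extended Key Usage lists the named purpose,
# e.g. "TLS Web Client Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 "Extended Key Usage" | grep -q "$2"
}

# 0 when the cert's Subject Alternative Name list contains DNS:<name>.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name" | grep -q "DNS:$2"
}

build_pki
if verify_without_intermediate; then echo "unexpected: chain valid without intermediate"; fi
verify_with_intermediate && echo "chain OK once the intermediate is supplied"
has_eku leaf.pem "TLS Web Client Authentication" && echo "leaf has clientAuth EKU"
has_san leaf.pem sip.example.com && echo "leaf has sip.example.com SAN"
```

To check a certificate you have actually been issued, point `has_eku` and `has_san` at that PEM file and run `openssl verify` with the CA's published intermediate as `-untrusted`; if it only validates that way, the intermediate must be installed on the edge server so it is sent in the handshake, since the phones and PIC gateways in this thread will not fetch it themselves.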
  • Kinker wrote:

    Entrust

    The AOL Session Initiation Protocol (SIP) gateway uses both the server authentication attribute and the client authentication attribute of the certificate to establish an encrypted channel between servers. By default, Entrust certificates do not include the client authentication attribute. Therefore, the PIC feature does not work when you use Entrust certificates to connect to AOL.

    By contrast, MSN and Yahoo use only the server authentication attribute of the certificate. Therefore, the PIC feature does work when you use Entrust certificates to connect to MSN and Yahoo.
    http://support.microsoft.com/?id=918284

    The other two certs are supported... I'd still recommend Verisign and Thawte; these are widely accepted...

    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com

    I disagree completely. With OCS you're buying a SAN cert, period. Neither Verisign nor Thawte will issue you one of those, so let's just rule them out immediately.

    Entrust's standard SSL cert is what that KB article references, but that's irrelevant because you'll need their UC cert for OCS anyway, which does support the client EKU and works just fine with AOL. I have two clients configured in this manner with an Entrust certificate that works perfectly fine.

    Friday, April 11, 2008 8:04 PM
  • Not sure about PIC, but they will work for the other edge roles. Create a certificate in OCS that DOES NOT have the SANs; you will add the SANs on GoDaddy's site when you request the certificate.

    Tuesday, April 15, 2008 7:23 PM
  • I can confirm that Godaddy.com UCC works fine with OCS (also with PIC / Public IM) and Exchange 2007 as well.

    In my case I have OCS Public IM (PIC) pointing to externalservername.domain.com. During the last 1½ years I have tried several certificates on the OCS edge server.

     

    This is what happened with a dirt cheap standard RapidSSL certificate (single FQDN without SAN - at that time priced at 13 USD/year at servertastic.com):

    AOL - 100% OK (presence and IM - both directions)

    Yahoo - 100% OK (presence and IM - both directions)

    MSN - 50% not OK (no presence, and IM worked only when initiated outbound from OCS)

    It seems that MSN requires a SAN with sip.domain.com in the certificate. Actually I think this certificate would have worked fine if I had just registered my external name as sip.domain.com and pointed IM to that instead of externalservername.domain.com. As it takes up to 1 month to change the PIC record (and in a previous case actually 3 months due to a provisioning process error), I couldn't wait that long.

    So I opted for the cheapest alternative with SAN at that time:

    Comodo.com UCC with up to three SANs (at that time priced at 298 USD/year)

    AOL - 100% OK

    Yahoo - 100% OK

    MSN - 100% OK

    This certificate had externalservername.domain.com as Common Name and two SANs: externalservername.domain.com and sip.domain.com

    Recently my Comodo.com UCC certificate expired, so I opted for a GoDaddy UCC with up to five SANs (currently priced at 48 USD/year if you purchase 3 years or more at lottacheapdomains.com)

    AOL - 100% OK

    Yahoo - 100% OK

    MSN - 100% OK

    This certificate has externalservername.domain.com as Common Name and five SANs: externalservername.domain.com, sip.domain.com, mail.domain.com, autodiscover.domain.com and exchangeservername.domain.com

    A nice and relatively cheap alternative to the other UCC's available.

    The only problem I experienced was during the certificate request, as I initially used the OCS certificate wizard, which insisted on putting my Common Name (externalservername.domain.com) in as a SAN, which GoDaddy didn't like. Instead I created the request with the "new-exchangecertificate" command in Exchange 2007 without the Common Name as a SAN (it ended up with externalservername.domain.com as a SAN anyway when the certificate was issued). I enabled the certificate in Exchange 2007, exported it from the Exchange server and imported it into the OCS server. After assigning it to all interfaces, everything works like a charm. So a GoDaddy certificate is now happily running on my OCS and Exchange 2007 servers.

    Wednesday, July 23, 2008 7:27 AM
  • Correction: all of a sudden Public IM (PIC) doesn't work with MSN and Yahoo when I use the GoDaddy UCC on the edge server's outside interface (AOL is still OK, however).

    I replaced it with my 13 USD RapidSSL certificate (externalservername.domain.com with no SANs). I hadn't used the RapidSSL cert for a while (it must be more than one year ago). To my big surprise, the RapidSSL cert now seems to work 100% with AOL, Yahoo and MSN.

    Nice, but strange that the GoDaddy UCC worked for a while and now suddenly stops working. I will keep you updated after testing some more.

    Wednesday, July 23, 2008 9:28 PM
  • Kinker wrote:

    You can use a GoDaddy certificate for other purposes on OCS servers, but a GoDaddy certificate is not supported for Public IM Connectivity. There are many issues you might face if you use a GoDaddy certificate.

    It is not recommended or supported to have a GoDaddy cert on an Access Edge Server or Access Proxy Server if you are using these servers for PIC.

    That's why I said that you might encounter problems with Go Daddy... I have seen a bunch of intermittent issues with GoDaddy in the case of PIC. A GoDaddy cert will work absolutely fine for other OCS services.

    Regards
    R. Kinker
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com
    Thursday, July 24, 2008 7:06 AM
  • We have a couple of more cost-conscious clients that are using Go Daddy certificates for their Access Edge and have successfully federated with all 3 PIC providers. I believe the days of not supporting GoDaddy were addressed long ago and the big 3 have finally installed the root certificate update.
    Monday, July 28, 2008 1:10 PM
  • This issue was resolved in March 2008:

    http://blogs.technet.com/toml/archive/2007/03/26/pic-godaddy-certs.aspx

    Best regards,

    Jan

    Sunday, September 21, 2008 7:37 PM
  • If GoDaddy was on the list of UCC certificate providers at one time, they are not on the list any longer (accurate as of the date of this post, March 5, 2009).

    HikingStick
    Thursday, March 5, 2009 7:07 PM
  • While I can't speak on PIC at all, I do have a personal issue with GoDaddy for Access Edge when in use with mobile devices. I have had a lot of odd GoDaddy trust issues on WM5 and earlier WM 6.0 phones.

    Maybe I am just lucky.
    Tuesday, March 24, 2009 4:12 PM