Certificates and Exchange, Part 3
 

Back in September I wrote a pair of columns about how Exchange Server 2007 uses certificates ("Certificates and Exchange, Part 1," September 7, 2006, and "Certificates and Exchange, Part 2," September 14, 2006). I pointed out the utility of having multiple subject names, or subjectAltNames, in a single certificate; this ability allows you to have a single certificate that works with, for example, autodiscover.yourdomain.com, mail.yourdomain.com, and the underlying Fully Qualified Domain Name (FQDN). Unfortunately, as far as I could tell at the time, no commercial Certificate Authorities (CAs) were issuing such certificates.

However, circumstances seem to be changing; there are now several CAs that issue certificates that allow multiple subjectAltNames. For example, last week I got an email message from Andrew Codrington at Entrust. His company just introduced Entrust Unified Communications Certificates as part of its partnership with Microsoft. The certificate includes 10 subjectAltNames for $599 per year, with the option of adding three more subjectAltNames for an additional $99.

Entrust isn’t the only CA offering these certificates, either. GeoTrust sells the Power Server ID certificate with as many as four subjectAltNames for $599.

Are these certificates good deals? Maybe. The price is certainly steep when compared to lower-cost (and, arguably, lower-security) certificates from smaller CAs such as GoDaddy.com (which, to my knowledge, still doesn’t sell multiple subjectAltNames certificates). The price difference is even more dramatic when you compare these certificates to the cost of using the self-generated certificates that Exchange 2007 installs. However, there are two things you should keep in mind when evaluating these certificates.

The first thing to think about, of course, is security. You can certainly use certificates that aren't issued by a publicly trusted CA (either the self-signed ones Exchange 2007 generates or ones issued by your own internal CA) with Exchange, but users will see certificate warnings unless you also configure their browsers and mobile devices with your root certificates. If you don't do so, users will have to dismiss security warnings to use Office Outlook 2007 or OWA 2007, which essentially trains them to ignore those warnings—not something you want to do.

The second factor to consider is the combination of cost and hassle. Say you want to set up Autodiscover, OWA, and SSL-protected SMTP. Buying a single certificate for $599 might seem like an extravagance until you factor in the time it would take to purchase, install, and configure separate certificates for each of these services. A high-security certificate from a major CA might cost anywhere from $75 to $200 per year, depending on the renewal term and the level of validation you purchase; buying four or five such certificates might end up costing you more than a single certificate with multiple subjectAltNames attached. You’ll have to evaluate how much time it would take to deploy multiple certificates to figure out whether the cost/benefit ratio makes sense.

One interesting aspect to the appearance of CAs that sell certificates with multiple subjectAltNames attributes is that I expect the demand for wildcard certificates to drop significantly. Most organizations don’t want certificates that will match any host on their network, only a subset. Windows Mobile 5.0 can’t handle wildcard certificates, making it impractical to use them for securing Exchange ActiveSync and OWA.
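To make the difference between the two certificate types concrete, here is an added example (not from the column) that matches host names against the name sets of a hypothetical multi-subjectAltName certificate and a hypothetical wildcard certificate for yourdomain.com; all host names are constructed assumptions.

```python
"""Host name matching: multi-SAN certificate versus wildcard certificate.

Constructed example. The two name lists stand in for the subjectAltName
extension of two hypothetical certificates for yourdomain.com.
"""

# Fixed set of hosts in a certificate with several subjectAltNames.
SAN_CERT = ["autodiscover.yourdomain.com", "mail.yourdomain.com",
            "exch01.yourdomain.com"]
# Name set of a wildcard certificate for the same domain.
WILDCARD_CERT = ["*.yourdomain.com"]


def _name_matches(pattern, host):
    """Match one presented name against one host name (RFC 2818 style).

    A '*' is honoured only as the entire left-most label and spans a single
    label, so '*.yourdomain.com' matches 'mail.yourdomain.com' but neither
    'yourdomain.com' nor 'owa.mail.yourdomain.com'. Matching ignores case.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_host(names, host):
    """True if any name presented by the certificate matches the host."""
    return any(_name_matches(n, host) for n in names)


def matching_names(names, hosts):
    """Return the subset of hosts that the certificate's names would cover."""
    return [h for h in hosts if cert_matches_host(names, h)]


if __name__ == "__main__":
    # Constructed hosts: the three Exchange names, an unrelated test box,
    # the bare domain, and a second-level host.
    hosts = ["autodiscover.yourdomain.com", "mail.yourdomain.com",
             "exch01.yourdomain.com", "test-box.yourdomain.com",
             "yourdomain.com", "owa.mail.yourdomain.com"]
    print("multi-SAN cert covers:", matching_names(SAN_CERT, hosts))
    print("wildcard cert covers: ", matching_names(WILDCARD_CERT, hosts))
```

The wildcard certificate also vouches for test-box.yourdomain.com, a host the administrator never meant to cover, while the multi-SAN certificate covers only the enumerated names.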

I’ll be testing Entrust’s certificate and will report back on what I find. In the meantime, drop me a note to let me know what certificate services you anticipate needing for your Exchange 2007 deployment plans.

Reader Comments

So now we need Windows Certificate Services to have the ability to do AltSubjectName properties.

brainier, February 02, 2007

No; you can use 3rd-party CAs provided you pick one that supports multiple SANs.

paulrobichaux, February 02, 2007

Do I understand this correctly: the cert can contain different domain names as well as hostnames? Your example is very close to a wildcard cert.

sfrank8734, February 06, 2007

It's like a wildcard cert but for a fixed set of names. That makes it more trustworthy than a wildcard cert in terms of being able to validate the originating host name, and it works with Windows Mobile, which doesn't support wildcard certs.

paulrobichaux, February 06, 2007

This sounds great to me. Some of my certs need renewing later in the year and I'll definitely look into this route instead; it'll be a lot less hassle.

cstenson, February 07, 2007

Windows IT Pro is a Division of Penton Media Inc. © 2009 Penton Media, Inc.