Have you had a service that uses SSL/TLS, such as Outlook Web App (OWA), Exchange ActiveSync (EAS), AutoDiscover, or perhaps just a web site, impacted due to an expired certificate? Validity of digital certificates must be monitored, just as we monitor domain name registrations and renewal dates. Overlooking the fact that certificates expire and need to be renewed is perhaps one of the more common PKI-related issues I’ve seen over the years.
Exchange 2010’s certificate management interfaces in EMC make it easier to manage and renew certificates, including the visual queues for invalid or expired certificates, but the process has been super-easy in the shell as well (see related post, ‘Exchange Server 2007: Renewing the self-signed certificate).
This week I received a call from DigiCert, a CA which continues to impress (see DigiCert: A Certificate Authority with excellent customer service), reminding me that a certificate was going to expire soon. This manual intervention occurred after a couple of email reminders. Nice as it is to be alerted by automated processes, getting a phone call from a real person comes across as a breath of fresh air and another example of great customer service.
Further, the fact that the call didn’t go on the lines of “Give us your credit card number for renewal”, or an extended sales pitch if you will, but instead came across as a short, friendly courtesy reminder added to the positive experience.
Another “certificate renewal” experience with a CA stands apart in contrast. The CA recently auto-renewed a certificate and charged me for the renewal — without my having initiated the certificate renewal process, or receiving a new certificate! The certificate in question was for a test lab, never meant to be renewed. Their customer service staff promptly removed the charge when called, but it’s annoying nonetheless, and a waste of time. Unlike automated renewals of domain name registrations, automated renewal of digital certificates isn’t a good thing (particularly when the only thing that’s changed is the balance on your credit card).
DigiCert also has some great resources for Exchange and OCS certificate requests, including their Exchange 2010 CSR Creation video. You can find it, and other resources for Exchange certificates, at SSL Certificates for Microsoft Exchange on their web site.
Note: As a former Exchange MVP, DigiCert has provided me certificates to use in test labs, without which I may not have had the opportunity to try their service.