In my lab I only use certificates issued from my own CA so I don’t have to buy a certificate. But it would be nice to be able to test real public CAs without the need to buy a certificate (see this post for a price comparison). All of them, except Entrust, offer free trials. I decided to try them out in my lab environment, where I have Exchange 2007/2010 secured using TMG/ISA.

Oh, and by the way, don’t forget to check out StartSSL, who provide free 1-year SSL certificates and whose root CA is installed by default on Windows machines. They don’t provide any SAN certificates, though.

GeoTrust (Equifax) demands phone authentication, so I didn’t even bother to continue. Thawte offers a 21-day trial and you also need to install their Thawte Test CA Root certificate. VeriSign offers a 14-day trial. In addition to your certificate, you also need to download and install their Test Root CA Certificate and Trial SSL Intermediate CA Certificate. Since they don’t issue the certificates from their real CA, neither browsers nor devices (mobile phones) trust this CA, so I feel these certificates are pretty useless – I can rather just issue them from my own CA. But if you’re looking for a way to test the procedure for ordering certificates from them – then this might be for you. Also, they don’t offer the possibility to trial certificates with SAN, only normal SSL certificates.

However, GlobalSign offers 45-day trial certificates from their real CA, which is trusted by browsers and devices. They even offer the possibility to trial wildcard certificates and certificates with a maximum of 3 SANs (however, only “hostnames”, not FQDNs, which is a little bit sad). Keep in mind that to be able to order trial certificates, the domain you order a certificate for needs to have active e-mail addresses, for example ssladmin@domain.net.

After requesting a certificate, I had to approve the trial by clicking a link in an e-mail sent to the e-mail address of your choice in the domain you’re securing. After a few minutes I received an e-mail with the certificate. I had to install their Intermediate CA certificate on the server, but please note that this is not needed on the clients since they already trust the Root CA.

I re-configured my TMG rule to use the GlobalSign certificate and it worked perfectly. Thanks GlobalSign for offering this trial! It just made my life as a sysadmin much more enjoyable…
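A quick way to confirm the points above on the server (the intermediate CA really is installed locally, the chain ends in a trusted root, and how long the trial certificate has left). This is an added example, not part of the original post; it assumes the certificate sits in the local machine's Personal store and that its CN matches the request at the end of this page.

```powershell
# Added example (not from the original post).
# Assumption: the issued certificate is installed in Cert:\LocalMachine\My.
$cn = 'webmail.encelda.se'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($cn))(,|$)" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$cn found in Cert:\LocalMachine\My" }

# Build the chain without revocation lookups so the check also works offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

# Windows can fetch a missing intermediate over the network while building the
# chain, so a successful build alone does not prove it is installed locally.
# Check each element against the store it is expected to live in.
$report = for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $c = $chain.ChainElements[$i].Certificate
    if ($i -eq 0)                      { $role = 'leaf';         $store = 'My'   }
    elseif ($c.Subject -eq $c.Issuer)  { $role = 'root';         $store = 'Root' }
    else                               { $role = 'intermediate'; $store = 'CA'   }
    New-Object PSObject -Property @{
        Role          = $role
        Subject       = $c.Subject
        ExpectedStore = "LocalMachine\$store"
        Installed     = Test-Path "Cert:\LocalMachine\$store\$($c.Thumbprint)"
    }
}
$report | Select-Object Role, Installed, ExpectedStore, Subject | Format-Table -AutoSize

"Chain trusted by this machine: $trusted"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
"Days until expiry: {0}" -f [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

# Subject Alternative Name extension (OID 2.5.29.17), if the certificate has one.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $san.Format($true) } else { 'No SAN extension present' }
```

An intermediate row with `Installed` set to `False` means the server may not be able to send the full chain to clients, even if the chain built successfully on the server itself.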

[NewRequest]
Subject="CN=webmail.encelda.se,OU=IT,O=Encelda,L=Stockholm,S=Stockholm,C=SE"