UPDATED: How to Install 3rd Party Trusted Certificates to Exchange 2007

by on September 11, 2008 in Software

Microsoft made a smart move when they enabled a self-signed SSL certificate for Exchange 2007 by default. This change gave their customers an easy way to encrypt their OWA sessions; however, self-signed certs have some significant drawbacks. The most obvious problem is that your browser will give you a certificate warning when connecting to an OWA session because the cert is not signed by a recognized Certificate Authority (Verisign, Thawte, DigiCert, etc.). SSL certificate prices have dropped considerably in the past couple of years, so you should strongly consider buying a certificate from a trusted 3rd party. (Anyone but Godaddy; more about that later.)

Implementing a 3rd party certificate to Exchange is not complex but the steps must be done in order. This guide will help you through the process while avoiding the pitfalls.

Step 1: Generating a proper Certificate Signing Request (CSR)

A CSR (Certificate Signing Request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. (via Wikipedia) To create a CSR start by visiting DigiCert’s CSR Generation Wizard [1].

Fill in the appropriate fields. Make special note to include autodiscover.domain.com (for more info on the Autodiscover service see the TechNet white paper Exchange 2007 Autodiscover Service [6]) and include your Exchange server's NetBIOS name as well as its FQDN. After filling out the form, click Generate and it will provide you with the command syntax for the Exchange Management Shell.

Open the Exchange Management Shell and paste in the generated text.

New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourdomain_com.csr -KeySize 1024 -SubjectName "c=US, s=Arkansas, l=Your Town, o=Your Company, ou=Information Technology, cn=mail.yourdomain.com" -DomainName autodiscover.yourdomain.com, EXMAIL01 -PrivateKeyExportable $True

Your CSR will be created and saved to C:\mail_yourdomain_com.csr.
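As an added example (not from the original post), the same request built in the Exchange Management Shell with the SAN list derived from the server's own names, followed by a decode of the resulting PKCS#10 file so you can confirm every name is present before paying a CA for it. The public name, subject fields and path are placeholders; the key size is raised to 2048 bits because public CAs no longer accept 1024-bit requests.

```powershell
# Added example, not the post's own command: build the SAN list, generate the
# CSR, and inspect it before submission. Run in the Exchange Management Shell
# on the Client Access server. Placeholders: mail.yourdomain.com, subject fields.

$externalName = "mail.yourdomain.com"           # public OWA / MX name (placeholder)
$netbios      = $env:COMPUTERNAME                # e.g. EXMAIL01
$fqdn         = [System.Net.Dns]::GetHostEntry($netbios).HostName   # internal FQDN
$csrPath      = "C:\mail_yourdomain_com.csr"

# Every name a client might use to reach this server belongs in the SAN list:
# the public name, autodiscover under the public domain, NetBIOS name, and FQDN.
$publicDomain = $externalName -replace '^[^.]+\.', ''    # mail.yourdomain.com -> yourdomain.com
$sanNames = @(
    $externalName,
    "autodiscover.$publicDomain",
    $netbios,
    $fqdn
)

# 2048-bit key: 1024-bit requests are rejected by public CAs today.
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -SubjectName "c=US, s=Arkansas, l=Your Town, o=Your Company, ou=Information Technology, cn=$externalName" `
    -DomainName $sanNames -PrivateKeyExportable $true

if (-not (Test-Path $csrPath)) { throw "CSR was not written to $csrPath" }

# Decode the request and read the Subject Alternative Name extension: if a
# name is missing here, it will be missing from the issued certificate too.
certutil.exe -dump $csrPath
```

Keep the private key exportable only if you intend to move the certificate to a second server; otherwise omit the flag, since an exportable key is one more thing a compromised account can walk off with.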

Step 2: Purchase a Certificate from a Certification Authority (CA).

You first need to consider which certificate to purchase. The options are usually classified as a standard SSL certificate or a Unified Communications Certificate (UCC). If you only have one Exchange server you only need the single cert. However, if you have multiple servers you should consider the UCC because it enables you to secure multiple URLs with just one certificate. For more info on Microsoft partners that offer UCCs see MS KB929395 [7].

Choose your CA, choose your cert, submit your CSR, and then wait for the cert to be generated.

*Note: I don't recommend using Godaddy for your Cert Authority because they do not accept "Subject Alternative Names", only the common name, and this can cause issues. There are plenty of good value options, so take this into consideration.


Step 3: Apply the 3rd Party CA certificate to Exchange

First, you need to import the CA's certificates into the certificate store on your server.

  1. Open MMC -> Add/Remove Snap-in -> Certificates -> Computer Account -> Local Account
  2. Then import the intermediate certificate under Intermediate Certification Authorities, drilling down to Intermediate, right-click -> All Tasks -> Import.
  3. Then import the root certificate and OWA certificate under Trusted Root Certification Authorities using the same method.

After you copy the CA-provided your_domain_name.cer file to the C:\ drive of your Exchange server, open the Exchange Management Shell.

Run the following commands

  1. Import-ExchangeCertificate -Path C:\your_domain_name.cer
  2. Get-ExchangeCertificate
    1. This command will list your Exchange certificates. It should display 2: the self-signed one and your recently imported trusted CA cert. Copy the thumbprint of your trusted CA cert. The self-signed certificate should have the internal domain name of your server (e.g. mailsv01) and the public cert should have your MX record DNS name (e.g. mail.contoso.com).
  3. Enable-ExchangeCertificate -Thumbprint <string> -Services "SMTP, IMAP, POP, IIS"
    1. In the <string> field paste in the thumbprint that you copied in the previous step.

The Services parameter can be any or all of the following values: IMAP, POP, UM, IIS, SMTP. If you are only concerned with OWA you only need to enable it for IIS. To disable a certificate, set the Services parameter to 'None'.
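The three commands above done as one script, as an added example that is not from the original post: it selects the CA-issued certificate by its public name instead of a hand-copied thumbprint, confirms it chains to a trusted root on this server (which fails if the intermediate from the MMC step was skipped), warns on near expiry, and only then binds it to IIS. The file path and public name are placeholders; the IsSelfSigned and CertificateDomains properties are those shown by Get-ExchangeCertificate | Format-List in Exchange 2007.

```powershell
# Added example, not the post's own commands: import, select, validate, enable.
# Placeholders: C:\your_domain_name.cer and mail.yourdomain.com.

$certFile     = "C:\your_domain_name.cer"
$externalName = "mail.yourdomain.com"

Import-ExchangeCertificate -Path $certFile | Out-Null

# Pick the certificate that is not self-signed and carries the public name.
$candidates = @(Get-ExchangeCertificate | Where-Object {
    (-not $_.IsSelfSigned) -and ($_.CertificateDomains -contains $externalName)
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one CA-issued certificate for $externalName, found $($candidates.Count)"
}
$thumb = $candidates[0].Thumbprint

# Validate the chain from the local machine store. Verify() returns $false when
# the intermediate or root CA certificate is missing, the commonest reason
# clients still see a warning after the switch.
$x509 = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $x509.Verify()) {
    throw "Certificate $thumb does not chain to a trusted root on this server; import the CA's intermediate and root first"
}
if ($x509.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $thumb expires on $($x509.NotAfter)"
}

# Bind it only to the services you actually use; IIS alone covers OWA,
# ActiveSync and Outlook Anywhere.
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS

# Show the bindings so you can confirm IIS moved to the CA-issued certificate.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, Subject -AutoSize
```

Binding SMTP as well is reasonable once the certificate is trusted, but do it deliberately: the self-signed certificate is what other Exchange servers in the organization already trust for internal SMTP, so changing it affects more than OWA.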

To verify the certificate installation run

Get-ExchangeCertificate -DomainName your.domain.name
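Get-ExchangeCertificate only shows what Exchange thinks is bound. As an added example (not from the original post), the check below connects to port 443 the way a browser does and reports what the server actually presents: whether the leaf is still the self-signed one, whether the name matches, and whether the chain the server sent validates, which is exactly what goes wrong when the intermediate is missing. It requires PowerShell 2.0 or later for the script-block-to-delegate cast; the host name is a placeholder.

```powershell
# Added example, not the post's own code: inspect the certificate and chain an
# OWA client receives. Requires PowerShell 2.0+. Placeholder: mail.yourdomain.com.

function Test-OwaCertificate {
    param([string]$HostName = "mail.yourdomain.com", [int]$Port = 443)

    $script:tlsCheck = $null
    # The callback sees the chain SslStream built from the certificates the
    # server sent, so a missing intermediate shows up as a chain error here.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $script:tlsCheck = @{
            PolicyErrors = $policyErrors          # None, NameMismatch, ChainErrors, ...
            ChainLength  = $chain.ChainElements.Count
            ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        }
        return $true   # accept so the handshake completes and we can report
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $result = New-Object PSObject -Property @{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:tlsCheck.PolicyErrors
            ChainLength  = $script:tlsCheck.ChainLength
            ChainStatus  = $script:tlsCheck.ChainStatus
        }
        $ssl.Close()
        return $result
    }
    finally {
        $client.Close()
    }
}

# Run from a workstation outside the server, since the server's own store
# would mask a chain the server fails to send.
Test-OwaCertificate -HostName "mail.yourdomain.com" | Format-List
```

A correct install reports PolicyErrors of None, SelfSigned False, and a ChainLength of at least 3 (leaf, intermediate, root). RemoteCertificateNameMismatch means the name you tested is neither the CN nor in the SAN list, which is the problem the Godaddy note above warns about; RemoteCertificateChainErrors with a length of 1 means the intermediate was never installed on the server.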

If you have any comments, questions, or corrections please feel free to comment or contact me.

Reference Links for more information:

  1. Generate CSR the easy Way with DigiCert
  2. SSL Certificate Installation in Exchange 2007
  3. Generate CSR from Exchange
  4. Exchange 2007 lessons learned – generating a certificate with a 3rd party CA
  5. How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
  6. Technet White Paper: Exchange 2007 Autodiscover Service
  7. Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007 (KB929395)
  8. Install a GoDaddy SSL Certificate on IIS 7
