How to use SSL Certificates with Exchange 2007

The Microsoft Exchange Team Blog has posted a good introduction and tutorial on using SSL certificates with Microsoft Exchange 2007.

We wanted to supplement previous blog posts on this topic with an overview of how Exchange 2007 uses certificates and a walk-through of how a typical small company might think about this topic. Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to securing web services, Exchange 2007 has also incorporated Transport Layer Security (TLS) for session-based authentication and encryption. TLS has been around for a while, but the Exchange 2007 implementation is able to mutually authenticate with external transport servers, internal servers and Outlook 2007 clients.

The article outlines a typical situation of a small business using Exchange and then proposes two solutions: using a single Unified Communications (UC) certificate, that is, one certificate carrying every hostname as a Subject Alternative Name (SAN), or using individual certificates per name. The instructions for the more common method, the UC/SAN certificate, are as follows:

The SAN cert method

You will need to contact a 3rd party CA that supports these types of certs (see the link to KB929395 in the original post).

Next, you need to know all of the Subject Alternative Names that you need to register. Here is the list that applies in Tom's scenario (for the '-domainname' parameter):

mail.contoso.com
contoso.com
contoso.local
autodiscover.contoso.com
Server01.contoso.local
Server01

Officially, the NetBIOS names of the server are not required. But many users and admins like to use OWA internally, and including the internal names prevents certificate warnings when they log on with those names. One caveat that post-dates the original post: since November 2015 public CAs are not permitted to issue certificates containing internal names (a non-public suffix such as contoso.local, or a bare hostname such as Server01), so a request that lists them will be rejected by a public CA. Today you would either leave those names out and have internal clients use mail.contoso.com, or obtain a separate certificate for the internal names from an internal CA.

This is the Exchange Management Shell (EMS) command Tom would enter to generate the cert request to be provided to the 3rd party CA in order to generate the actual certificate. Two things to check before running it: the '-DomainName' list must match the list of names you worked out above (the command below lists server01.contoso.com, whereas the list above has Server01.contoso.local; a name left out of the request will not be in the certificate), and the 1024-bit key size shown was usual in 2007 but is no longer accepted by public CAs, so use '-KeySize 2048' today:

New-ExchangeCertificate -DomainName mail.contoso.com, contoso.com, contoso.local, autodiscover.contoso.com, server01.contoso.com, server01 -FriendlyName contosoinc -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "C=US, O=contoso inc, CN=server01.contoso.com"

We have found that the '-SubjectName' option is the most confusing. The help contents in EMS are vague as well. The best description is found in the TLS whitepaper mentioned at the beginning of the original post, so we're not going to reproduce it here. (The value is an X.500 distinguished name, with the components separated by commas; the CN should be the name clients connect to most, since older clients that ignore the SAN list only check the CN.)

As we just stated, the above command generates a certificate request file that you can then submit to the CA of your choosing. Once they have processed your request and you have the certificate, you need to install it and bind it to the default web site. Do not install the certificate with the IIS Admin Console; do it from the Exchange Management Shell so that Exchange knows about it.

First you have to import it:

Import-ExchangeCertificate -Path <full path to cert file>

Then enable it:

Enable-ExchangeCertificate

When you run the above command you will be prompted for the name of the service you want to enable this certificate for. You can enable the cert for IIS, POP3, IMAP, SMTP, or UM depending on your circumstance. You can enable it for several services at once by adding the following parameter:

-services IMAP, POP, UM, IIS, SMTP

After that it will prompt you for the thumbprint, so just copy and paste it from the output of the import step above. If you no longer have the thumbprint in the same window, you can get it by running this PowerShell (then still known by its code name, Monad) command:

Get-ExchangeCertificate

You can also specify the thumbprint when you run 'Enable-ExchangeCertificate' by adding this parameter (the value below is illustrative; use the thumbprint of your own certificate):

-thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

Combined it would look like this:

Enable-ExchangeCertificate -Services IIS, UM, SMTP -Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

Make sure you copy the correct thumbprint if you have more than one certificate. Run 'Get-ExchangeCertificate' and match the subject (and the CertificateDomains list) against the thumbprint before enabling it; binding the wrong certificate, for example the self-signed one Exchange created at setup, is the usual cause of clients still seeing warnings.

Next you need external DNS A records that point to the public IP address of your CAS server (or of whatever publishes it) for every external name in the certificate, in Tom's case mail.contoso.com and autodiscover.contoso.com. The .local and NetBIOS names belong in internal DNS only.
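The whole procedure above (request, import, enable, verify) as one EMS script. This is an added example written for this page, not the Exchange team's own code. It assumes Tom's hostnames, that the CA returns the signed certificate as C:\certnew.cer, that mail.contoso.com is the name clients use (so it becomes the CN), and the property names that Get-ExchangeCertificate | Format-List displays (Thumbprint, Subject, CertificateDomains, Services, NotAfter, HasPrivateKey). It selects the certificate by its content rather than by pasting a thumbprint, which removes the copy-the-wrong-thumbprint mistake the post warns about.

```powershell
# Added example (editor-written, not from the Exchange team post): the full
# request -> import -> enable -> verify procedure as one EMS script.
# Assumed, not from the original: the CA saves the issued cert as C:\certnew.cer,
# the name list follows Tom's scenario, and mail.contoso.com is the CN.

# 1. Every name the certificate must cover. The first one becomes the CN,
#    because that is the name clients actually connect to.
$names = @(
    'mail.contoso.com',
    'autodiscover.contoso.com',
    'contoso.com',
    'contoso.local',          # internal names: a public CA will refuse these today
    'server01.contoso.local',
    'server01'
)
$subject = "C=US, O=Contoso Inc, CN=$($names[0])"

# 2. Generate the request. 2048-bit key: public CAs no longer sign 1024-bit keys.
New-ExchangeCertificate -DomainName $names -FriendlyName 'contosoinc' `
    -SubjectName $subject -GenerateRequest:$true -KeySize 2048 `
    -PrivateKeyExportable:$true -Path 'C:\certrequest.req'

# ... submit C:\certrequest.req to the CA and save the issued cert as C:\certnew.cer ...

# 3. Import, then find the certificate by its content instead of pasting a
#    thumbprint: it must hold a private key (the request was made on this
#    server), be unexpired, and list every required name.
Import-ExchangeCertificate -Path 'C:\certnew.cer' | Out-Null

$cert = Get-ExchangeCertificate | Where-Object {
    $c = $_
    $domains = @($c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = $names | Where-Object { $domains -notcontains $_.ToLower() }
    $c.HasPrivateKey -and ($c.NotAfter -gt (Get-Date)) -and (-not $missing)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if ($cert -eq $null) {
    throw 'No unexpired certificate with a private key covers every required name; compare $names with the SAN list the CA actually issued.'
}

# 4. Bind it. Passing -Thumbprint and -Services means nothing is prompted for,
#    so this step is safe to script.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS, SMTP, UM'

# 5. Verify the binding and warn well before expiry.
$bound = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$bound | Format-List Subject, CertificateDomains, Services, NotAfter
if ($bound.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires on {1}; request a renewal." -f $bound.Thumbprint, $bound.NotAfter)
}

# 6. The public names must resolve to the CAS (or whatever publishes it).
#    This checks from the local resolver; repeat from outside the network.
foreach ($n in @('mail.contoso.com', 'autodiscover.contoso.com')) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }
        "{0} -> {1}" -f $n, ($ips -join ', ')
    } catch {
        Write-Warning ("{0} does not resolve; add an external A record for it." -f $n)
    }
}
```

The selection in step 3 deliberately requires HasPrivateKey: a certificate imported on a server other than the one that generated the request has no private key and cannot be enabled, which is the most common reason Enable-ExchangeCertificate fails after a CSR is generated on one box and the cert is installed on another. Run step 6 again from outside the network, since the internal resolver may answer for names that external DNS does not carry.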

More on Exchange 2007 and certificates - with real world scenario - [The Microsoft Exchange Team Blog]


Posted on July 03, 2007
Daniel
Posts: 1
Comment
spot on
Reply #1 on : Mon July 30, 2007, 20:18:30
spot on article, saved my bacon a bunch of times.
