If you are stuck with the only option of running exchange from a locally installed CA rather than a purchased SSL cert, you will need to generate the certificate through the web console using the following steps. I do recommend you use a UCC cert from Go Daddy however if you cannot then read on!
- Browse to your Certificate services web console, via https://server.local/certsrv
- Select a new request, and choose the advanced option on the next screen.
- Submit a certificate request by using a base 64 encoded CMC or PKS #10 file.
- Open the certificate request that you generated from my previous blog post. This just needs to be opened in your favourite text editor.
- Copy the contents of the file and paste it into the request field on the web console. Select the server type as a web server, and leave all other attributes blank.
- Save the resulting certificate to an accessible location, and close the web console.
To import the certificate into Exchange this must be done through the EMS. You need to use the Import-Exchange-Certificate-Path command, as shown below.
c:\windows\system32>Import-Exchange-Certificate-Path c:\temp\cert_answer.cer | Enable Exchangecertificate-Services “SMTP, IMAP, POP, IIS”
You should now check and make sure that the new certificate is in use. The easiest way to do this is by using the test-outlookwebservices command as below.
c:\windows\system32>test-outlookwebservices | FL
You should now see the details of the certificate. Easiest things to spot that it is the new certificate include the validity dates, or any SAN’s you may have included.
Now that you have ascertained that the certificate is installed, browse to the OWA service and view the certificate that is presented to ensure that it is in fact the new and current one.