
Create A Self Signed SSL Cert For Exchange Guide

If you are stuck with the only option of running Exchange with a certificate from a locally installed CA rather than a purchased SSL certificate, you will need to generate the certificate through the Certificate Services web console using the following steps. I do recommend you use a UCC cert from GoDaddy; however, if you cannot, then read on!

  • Browse to your Certificate services web console, via https://server.local/certsrv
  • Select a new request, and choose the advanced option on the next screen.
  • Submit a certificate request by using a base 64 encoded CMC or PKCS #10 file.
  • Open the certificate request that you generated from my previous blog post. This just needs to be opened in your favourite text editor.
  • Copy the contents of the file and paste it into the request field on the web console. Select the server type as a web server, and leave all other attributes blank.
  • Save the resulting certificate to an accessible location, and close the web console.

The certificate must be imported into Exchange through the Exchange Management Shell (EMS). Use the Import-ExchangeCertificate cmdlet with the -Path parameter and pipe the result to Enable-ExchangeCertificate, as shown below.

 c:\windows\system32>Import-ExchangeCertificate -Path c:\temp\cert_answer.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

You should now check and make sure that the new certificate is in use. The easiest way to do this is with the Test-OutlookWebServices cmdlet, as below.

 c:\windows\system32>test-outlookwebservices | FL

You should now see the details of the certificate. The easiest things to spot that confirm it is the new certificate are the validity dates and any SANs you may have included.

Now that you have ascertained that the certificate is installed, browse to the OWA service and view the certificate that is presented to ensure that it is in fact the new and current one.
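As an added example (not part of the original post), the OWA check above can be scripted from the EMS: it connects to the OWA port, captures the certificate actually presented, and compares its thumbprint with the certificates Exchange has bound to IIS, printing the validity dates and SANs. The host name in $OwaHost is a placeholder you need to replace.

```powershell
# Added example: confirm the certificate presented on OWA is the newly imported one.
# Assumes it runs in the Exchange Management Shell on a server that can reach OWA.
$OwaHost = 'myexchangeserver'   # assumption: replace with your internal or external OWA host name
$Port    = 443

# Thumbprints of the certificates Exchange has enabled for the IIS service
$bound = Get-ExchangeCertificate |
         Where-Object { $_.Services -match 'IIS' } |
         Select-Object -ExpandProperty Thumbprint

# Open a TLS session and capture the certificate the server really presents.
# The validation callback returns $true because we only want to inspect the
# certificate here, not rely on this connection for anything else.
$client = New-Object System.Net.Sockets.TcpClient($OwaHost, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($OwaHost)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Close()

# Subject Alternative Name extension is OID 2.5.29.17
$sanExt = $presented.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans   = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

# BoundInIIS is $true only when the presented thumbprint matches a certificate
# that Enable-ExchangeCertificate assigned to IIS, i.e. the new cert is live.
[pscustomobject]@{
    Thumbprint = $presented.Thumbprint
    BoundInIIS = ($bound -contains $presented.Thumbprint)
    Subject    = $presented.Subject
    NotBefore  = $presented.NotBefore
    NotAfter   = $presented.NotAfter
    DaysLeft   = [int]($presented.NotAfter - (Get-Date)).TotalDays
    SANs       = $sans
} | Format-List
```

If BoundInIIS is $false, or the dates and SANs are those of the old certificate, IIS is still serving the previous binding and the Enable-ExchangeCertificate step should be repeated and IIS restarted.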

Allen White

Allen is a Consultant for ITPS in the North East of England and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure.

Comments (2)

  • Lee

    Hi
    I am in search of some help with implementing Outlook Anywhere for a new client.

    They currently access mail remotely via OWA. We have one backend (Hub T) server and one frontend (CAS) server.
    I have enabled Outlook Anywhere on Exchange and will be purchasing a UC certificate in the morning, however, I have a couple of questions I need clarifying as this is the first time I have implemented this service.

    When applying for the SSL UCC will I be asked to enter all of the different company domains hosted by the client when applying for the cert?
    What host records need to be in place on the internal DNS server (DC)?
    What external DNS configuration needs to be in place?
    And any further tips welcome.

    Kind Regards
    Lee


    • Allen White

      Hi Lee,

      When you access OWA and you are using an SSL you access the server through its outside OWA address or internal OWA address, or if using a client like Outlook then you use its internal domain name. So let's say external it's…

      https://mail.companyname/owa

      internal its https://myexchangeserver/owa

      and for Outlook it's

      myexchangeserver.

      In your situation you have your external A record that points to the CAS server, the internal CAS server's name and the internal hub server's name. On top of this you need to register autodiscover.yourinternaldomain.local as this is used by the clients to configure Outlook. So in total that is 5 SANs.

      These are called SANs or subject alternative names (basically any way your Exchange servers are referenced). When you create your certificate request you need to specify your internal, external and server hostname. Digicert have a tool that creates your certificate request. Even if you do not use them to buy the cert I would still use it.

      https://www.digicert.com/easy-csr/exchange2010.htm

      Exchange 2010 also has an inbuilt one you can use.
      So, you need an external A record that points to your firewall (https://mail.companyname/) that routes to Exchange. The internal DNS will be fine if the servers are built, and you need to create an internal autodiscover record. Then simply create the SSL.

      Any more questions then ask away 🙂

      Allen
