certificaten

All posts tagged certificaten

Install a certificate

As you may know, a self-signed certificate is installed by default in Exchange 2007. For a test environment this may be enough, but it is nicer to have a real certificate for testing.

In this tutorial I will explain how you can generate a certificate request, request a certificate from a Windows 2008 CA and install the certificate on your Exchange 2007 server.

First we will check which certificate(s) have been installed. This can be done with the PowerShell command Get-ExchangeCertificate. If you would like more details about the certificates, add | fl (Format-List); an example of the output is shown below:

Exchange 2007 - get-exchangecertificates |fl

As you can see the RootCAType is None and the value behind IsSelfSigned is True; this tells you that this is a self-signed certificate. To request a certificate we first need to create a certificate signing request (CSR). This can be done with the command New-ExchangeCertificate -GenerateRequest.

New-ExchangeCertificate -GenerateRequest -KeySize 1024 -Path c:\csr.txt -SubjectName "c=NL, l=Utrecht, s=Utrecht, o=Demo, cn=mail.demo.local" -DomainName autodiscover.demo.local, ex04, ex04.demo.local -PrivateKeyExportable:$true

The example above creates a file named csr.txt in the root of the C drive. The subject name contains the country (c), the state (s), the city (l), the name of the organisation (o) and the common name (cn). The common name is the FQDN that users use to connect to the server. The next parameter, -DomainName, specifies the other domain names (Subject Alternative Names); this should contain all internal and external names of the server for which you are going to use the certificate. With the last parameter, -PrivateKeyExportable, we allow the private key to be exported.

When executing the command you will see the following:

Exchange 2007- csr created

When opening Explorer and browsing to the root of C you will find a file called csr.txt. This file can be opened with Notepad; copy its content, because it is needed when doing the request on the CA.

Content of CSR file

Now that we have the CSR we can go to the web GUI of the CA server.

Interface Windows 2008 CA server

A few options are available; because we want to request a certificate we choose the option Request a certificate.

CA server - advanced certificate request

On the next page you will find the option Advanced certificate request.

CA - submit a certificate ...

On the next page choose the option Submit a request by using a base-64 encoded CMC; this makes it possible to create a certificate from a CSR.

On the next page paste the content of the CSR into the first field. Then change the Certificate Template field below it to Web Server and click the Submit button.

Paste content of CSR file

This will generate the certificate.

Download created certificate

When the certificate is generated you can choose to download it as a DER or Base64 encoded certificate. In this case choose Base64 and click the link Download certificate.

A new window opens where you can choose the path to save the file. Save it temporarily in a separate folder or in the root of the C drive.

Now that we have downloaded the certificate we can import it with the Import-ExchangeCertificate command.

import-exchangecertificate c:\certnew.cer

The command above will import the file certnew.cer which is located in the root of C.

Exchange 2007 - import-exchangecertificate

When the certificate is imported a short overview is displayed showing the thumbprint of the certificate and the services the certificate will be used for. By default no services are assigned to the new certificate; this needs to be done with the Enable-ExchangeCertificate command. To make your life easier, copy the thumbprint so you can paste it later on.

Enable-ExchangeCertificate -Thumbprint 0FFB564426DB5A48227F7CD0399E50E577A0A839 -Services "IIS"

The example above activates the certificate and assigns it to the IIS service. If you want to do it the easy way you can perform both steps at the same time:

Import-ExchangeCertificate c:\certnew.cer | Enable-ExchangeCertificate -Services "IIS"

When you are using multiple certificates it may be useful to specify a friendly name so you can identify the certificate easily. This is done with the -FriendlyName parameter after the name of the file you wish to import.

Import-ExchangeCertificate c:\certnew.cer -FriendlyName "CAS Web certificate"

When running Get-ExchangeCertificate again you will see that two certificates are installed, one for IIS and the other for the remaining services:

Exchange 2007 - certificate overview

As you can see, short names are used in the Services column:

  • W, web services (IIS)
  • I, IMAP
  • P, POP3
  • S, SMTP

When getting the details again you will see that some things have changed:

Exchange certificate details

One of the things is IsSelfSigned, which has changed to False, and RootCAType, which is now Enterprise.

When opening OWA you no longer get the certificate warning, provided the client trusts the root certificate of the CA.
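The whole procedure above (request, import, enable, verify) as one Exchange Management Shell script. This is an added example, not code from the original post; the demo.local names, file paths and friendly name are assumptions taken from the post's own examples, and the key size is raised to 2048 bits.

```powershell
# Added example (not from the original post): the tutorial's steps as one
# Exchange 2007 Management Shell script. All names are assumptions; replace the
# demo.local names, the file paths and the friendly name with your own.
$csrPath      = 'C:\csr.txt'
$cerPath      = 'C:\certnew.cer'   # Base64 certificate downloaded from the CA
$subject      = 'c=NL, l=Utrecht, s=Utrecht, o=Demo, cn=mail.demo.local'
$sanNames     = 'mail.demo.local', 'autodiscover.demo.local', 'ex04', 'ex04.demo.local'
$friendlyName = 'CAS Web certificate'

if (-not (Test-Path $cerPath)) {
    # Step 1: create the request. The post uses -KeySize 1024; 2048 is the
    # smallest RSA key current CAs accept. The CN is repeated in -DomainName
    # so it also appears in the Subject Alternative Name extension.
    New-ExchangeCertificate -GenerateRequest -KeySize 2048 -Path $csrPath `
        -SubjectName $subject -DomainName $sanNames -PrivateKeyExportable:$true
    Write-Host "Submit the content of $csrPath to the CA (Web Server template),"
    Write-Host "save the Base64 certificate as $cerPath and run this script again."
    return
}

# Step 2: import the issued certificate with a friendly name and enable it for IIS.
$cert = Import-ExchangeCertificate -Path $cerPath -FriendlyName $friendlyName
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS'

# Step 3: verify the result the same way the post does with Get-ExchangeCertificate.
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$check | Format-List Thumbprint, FriendlyName, IsSelfSigned, RootCAType, Services, CertificateDomains, NotAfter

$problems = @()
if ($check.IsSelfSigned)                 { $problems += 'certificate is still self-signed' }
if (-not ($check.Services -match 'IIS')) { $problems += 'IIS is not enabled on it' }
foreach ($name in $sanNames) {
    if (-not ($check.CertificateDomains -contains $name)) {
        $problems += "name $name is missing from the certificate"
    }
}
if ($problems.Count -gt 0) {
    Write-Warning ('Check failed: ' + [string]::Join('; ', [string[]]$problems))
} else {
    Write-Host "Certificate $($cert.Thumbprint) is CA-issued, covers all names and is enabled for IIS."
}
```

Run it once to produce the CSR, complete the CA web enrolment as described above, then run it again with the downloaded certnew.cer in place.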

Below you will find some links to pages containing more information about certificates:

  • DigiCert's Exchange 2007 CSR Tool
  • Exchange Ninja's: New-ExchangeCertificate
  • Sembee: Exchange 2007 and SSL Certificates
  • TechNet: New-ExchangeCertificate

Event id 12014

Event ID 12014 is caused by a problem loading the certificate when setting up an SMTP connection that uses TLS for authentication.

There are several causes that can result in this issue:

  • the certificate is not enabled for SMTP
  • the server doesn't have a certificate with the correct FQDN in the subject or subject alternative name

The certificate needs to be placed in the computer's personal certificate store.

To check which certificates are installed and which FQDN is used by the connectors, use the PowerShell commands below:

Get-ExchangeCertificate | FL * displays a list of the available certificates

Get-ReceiveConnector | FL name, fqdn, objectClass displays all receive connectors

Get-SendConnector | FL name, fqdn, objectClass displays all send connectors

The output of Get-ExchangeCertificate contains a field labelled Services, which describes the services the certificate can be used for. If you want to use the certificate for SMTP, the value after Services needs to contain SMTP, as you can see below.

The next step is checking the FQDN, which can be found after the label CertificateDomains. This will look like the screenshot below.

When an incorrect FQDN is displayed you will need to get a new certificate. A new certificate request can be generated with the PowerShell command New-ExchangeCertificate. Besides this type of certificate you can also use a 3rd-party or custom certificate.

New-ExchangeCertificate -GenerateRequest -SubjectName "C=NL, O=Test, CN=mail.test.nl" -IncludeAcceptedDomains -DomainName mail.test.nl -Path c:\certificates\mail.test.nl.req

The command above generates a certificate request, in this example for an Edge server with the name mail.test.nl.

When you use a 3rd-party or custom certificate that contains the correct FQDN but is not enabled for SMTP, you need to use the Enable-ExchangeCertificate PowerShell command to enable it for SMTP.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "SMTP"

With the command above we enable the certificate for SMTP.

Enable-ExchangeCertificate

Certificate request for SMTP
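The checks described in this post, combined into one script that walks every send and receive connector and reports which of the two causes applies. This is an added example, not code from the original post; it uses only the cmdlets and properties mentioned above and assumes no server or domain names.

```powershell
# Added example (not part of the original post): checks the two causes of event
# 12014 the post lists, for every send and receive connector. Runs in the
# Exchange 2007 Management Shell; no server or domain names are assumed.
$certs     = @(Get-ExchangeCertificate)
$smtpCerts = @($certs | Where-Object { $_.Services -match 'SMTP' })

# Collect the FQDN each connector advertises in EHLO / STARTTLS.
$connectors = @(Get-ReceiveConnector | Select-Object Name, Fqdn, @{n='Type'; e={'Receive'}}) +
              @(Get-SendConnector    | Select-Object Name, Fqdn, @{n='Type'; e={'Send'}})

# Returns the certificates whose CertificateDomains cover $fqdn (wildcard names allowed).
function Get-MatchingCerts($certList, $fqdn) {
    @($certList | Where-Object {
        @($_.CertificateDomains | Where-Object { $fqdn -like $_ }).Count -gt 0
    })
}

foreach ($c in $connectors) {
    if (-not $c.Fqdn) { continue }        # no explicit FQDN: the server name is used
    $fqdn = $c.Fqdn.ToString()
    $ok   = Get-MatchingCerts $smtpCerts $fqdn
    if ($ok.Count -gt 0) {
        $thumbs = [string]::Join(', ', [string[]]@($ok | ForEach-Object { $_.Thumbprint }))
        Write-Host "OK    $($c.Type) connector '$($c.Name)' ($fqdn) -> $thumbs"
        continue
    }
    # No SMTP-enabled certificate covers this name: distinguish the post's two causes.
    $anyMatch = Get-MatchingCerts $certs $fqdn
    if ($anyMatch.Count -gt 0) {
        $t = $anyMatch[0].Thumbprint
        Write-Warning "$($c.Type) connector '$($c.Name)': $fqdn is in certificate $t but SMTP is not enabled. Fix: Enable-ExchangeCertificate -Thumbprint $t -Services SMTP"
    } else {
        Write-Warning "$($c.Type) connector '$($c.Name)': no installed certificate contains $fqdn. Request one with New-ExchangeCertificate -GenerateRequest -DomainName $fqdn ..."
    }
}
```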

How to troubleshoot STARTTLS

As you may already know, a lot of functions in Exchange 2007 use certificates. Microsoft released a tool a while ago that can check certificates used for certificate-based authentication for ActiveSync. I just found it while surfing the internet and thought it might be useful, so I published it on my site. You can download the tool via the link in the post.

Outlook Web Access

It's time for a new tutorial; this one is about Outlook Web Access. In this tutorial I will discuss all the possibilities that you can configure, including some certificate things. I've seen there were some typos in some of the English tutorials, sorry for that, I think I wanted to translate them too fast 😉 I will soon fix all the errors, sorry for the inconvenience.