As you may know, a self-signed certificate is installed by default in Exchange 2007. For a test environment this may be enough, but it is nicer to have a real certificate for testing.
In this tutorial I will explain how you can generate a certificate request, request a certificate via a Windows 2008 CA and install the certificate on your Exchange 2007 server.
First we will check which certificate(s) have been installed. This can be done with the PowerShell command Get-ExchangeCertificate. If you would like to see more details of the certificates, add | fl. An example of the output is shown below:
As you can see the RootCAType is None and the value behind IsSelfSigned is True, which tells you that this is a self-signed certificate. To request a certificate we need to create a certificate signing request (CSR). This can be done with the command New-ExchangeCertificate -GenerateRequest:
New-ExchangeCertificate -GenerateRequest -KeySize 1024 -Path c:\csr.txt -SubjectName "c=NL, l=Utrecht, s=Utrecht, o=Demo, cn=mail.demo.local" -DomainName autodiscover.demo.local, ex04, ex04.demo.local -PrivateKeyExportable:$true
The example above will create a file with the name csr.txt in the root of the C drive. The subject name contains the country, the city, the state, the name of the organisation and the common name. The common name field contains the FQDN that users use to connect to the server. The next parameter, -DomainName, is used to specify the other domain names (Subject Alternative Names). This should contain all internal and external names of the server for which you are going to use the certificate. With the last parameter, -PrivateKeyExportable, we allow the private key to be exported.
When executing the command you will see the following:
When opening Explorer and browsing to the root of C you will find a file called csr.txt. This file can be opened with Notepad and its content needs to be copied, because it is needed when doing the request on the CA.
Now that we have the CSR we can go to the web GUI of the CA server.
A few options are available; because we want to request a certificate we choose the option Request a certificate.
On the next page you will find the option Advanced certificate request.
On the next page you will have the option Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file. This makes it possible to create a certificate from a CSR.
On the next page we need the content of the CSR; paste it in the first field. Then change the field below Certificate Template to Web Server and click the Submit button.
This will generate the certificate.
When the certificate is generated you can choose to download it as a DER or Base-64 encoded certificate. In this case choose the Base-64 type and click on the link Download certificate.
A new window will open where you can choose the path to save the file. You can save this temporarily in a separate folder or in the root of the C drive.
Now that we have downloaded the certificate we can import it using the Import-ExchangeCertificate command.
The Import-ExchangeCertificate command with c:\certnew.cer as its path imports the file certnew.cer, which is located in the root of C.
When the certificate is imported a short overview is displayed where you can see the thumbprint of the certificate and the services the certificate will be used for. By default no services are assigned to the new certificate; this needs to be done using the Enable-ExchangeCertificate command. To make your life easier, copy the thumbprint so you can paste it later on.
Enable-ExchangeCertificate -Thumbprint 0FFB564426DB5A48227F7CD0399E50E577A0A839 -Services "IIS"
The example above will activate the certificate and assign the IIS service to it. If you would like to do it the easy way, you can perform both steps at the same time:
Import-ExchangeCertificate c:\certnew.cer | Enable-ExchangeCertificate -Services "IIS"
When you are using multiple certificates it may be nice to specify a friendly name so you can identify the certificate easily. This can be done by specifying the -FriendlyName parameter behind the name of the file you wish to import.
Import-ExchangeCertificate c:\certnew.cer -FriendlyName "CAS Web certificate"
When running Get-ExchangeCertificate again you will see that two certificates are installed, one for IIS and the other one for the remaining services:
As you can see, short names are used in the Services column:
- W, web-services
- I, imap
- P, pop3
- S, smtp
When getting the details again you will see that some things have changed:
One of the things is IsSelfSigned, which has changed to False, and RootCAType, which has changed to Enterprise.
When opening OWA you won't get the certificate warning, provided the root certificate of the CA is installed on the client.
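The import, enable and verify steps above combined into one script, as an added example that is not part of the original post. It assumes the certificate was saved as c:\certnew.cer, that the Exchange Management Shell is open on the Client Access server, and that mail.demo.local is the common name from the CSR in this post; the checks before Enable-ExchangeCertificate are the ones I would want to run before a certificate is assigned to IIS.

```powershell
# Added example (not from the original post): import the CA-issued certificate,
# check it before assigning it to IIS, and show the properties that changed.
# Assumptions: file path c:\certnew.cer and common name mail.demo.local (both
# from the CSR step in this post); Exchange 2007 Management Shell cmdlets.
$certPath     = 'c:\certnew.cer'
$expectedName = 'mail.demo.local'

# Import returns the ExchangeCertificate object, so no copy/paste of the thumbprint is needed.
$cert = Import-ExchangeCertificate -Path $certPath -FriendlyName 'CAS Web certificate'

# Sanity checks: never enable a self-signed or expired certificate for IIS,
# and make sure the name users connect with is actually on the certificate.
if ($cert.IsSelfSigned) {
    throw "Certificate $($cert.Thumbprint) is self-signed; expected a CA-issued certificate."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if ($cert.CertificateDomains -notcontains $expectedName) {
    throw "Certificate does not cover $expectedName (names: $($cert.CertificateDomains -join ', '))."
}

# Assign the IIS (web) service to the certificate by thumbprint.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS'

# Re-read the certificate and show IsSelfSigned, RootCAType and Services,
# which are the values that should have changed compared to the self-signed one.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, FriendlyName, Subject, CertificateDomains, IsSelfSigned, RootCAType, Services, NotAfter
```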
Below you will find some links to pages containing more information about certificates:
- DigiCert's Exchange 2007 CSR Tool
- Exchange Ninja's: New-ExchangeCertificate
- Sembee: Exchange 2007 and SSL Certificates
- TechNet: New-ExchangeCertificate