All posts tagged certificates

Exchange 2007: install a certificate

Exchange 2010 will probably be RTM soon, so before that a new tutorial for Exchange 2007.

This time it is about installing a certificate, which consists of several steps:

  • creating the certificate request
  • generating the certificate with a CA server
  • installing the certificate

The steps above will be described one by one and will guide you through the process of installing a certificate on an Exchange 2007 CAS server.


Install a certificate

As you may know a self-signed certificate is installed by default in Exchange 2007. For a test environment this may be enough but it is nicer to have a real certificate for testing.

In this tutorial I will explain how you can generate a certificate request, request a certificate from a Windows 2008 CA and install the certificate on your Exchange 2007 server.

First we will check which certificate(s) have been installed. This can be done with the PowerShell cmdlet Get-ExchangeCertificate. If you would like more details of the certificates, append |fl (Format-List); an example of the output is shown below:

Exchange 2007 - get-exchangecertificates |fl

As you can see the RootCAType is None and the value of IsSelfSigned is True; this tells you that this is a self-signed certificate. To request a certificate we first need to create a certificate signing request (CSR), which can be done with the command New-ExchangeCertificate -GenerateRequest.

New-ExchangeCertificate -GenerateRequest -KeySize 1024 -Path c:\csr.txt -SubjectName "c=NL, l=Utrecht, s=Utrecht, o=Demo, cn=mail.demo.local" -DomainName autodiscover.demo.local, ex04, ex04.demo.local -PrivateKeyExportable:$true

The example above will create a file named csr.txt in the root of the C drive. The SubjectName contains the country, the state, the city, the name of the organisation and the common name. The common name is the FQDN that users use to connect to the server. The next parameter, -DomainName, specifies the other names (Subject Alternative Names): all internal and external names of the server for which you are going to use the certificate. With the last parameter, -PrivateKeyExportable, we allow the private key to be exported.

When executing the command you will see the following:

Exchange 2007- csr created

When opening Explorer and browsing to the root of C you will find a file called csr.txt. This file can be opened with Notepad; copy its content, because it is needed when making the request on the CA.

Content of CSR file

Now that we have the CSR we can go to the web interface of the CA server.

Interface Windows 2008 CA server

A few options are available; because we want to request a certificate we choose the option Request a certificate.

CA server - advanced certificate request

On the next page you will find the option Advanced certificate request.

CA - submit a certificate ...

On the next page you have the option to submit a request by using a base-64 encoded CMC file; this makes it possible to create a certificate from a CSR.

On the next page paste the content of the CSR in the first field. Then change the Certificate Template field below it to Web Server and click the Submit button.

Paste content of CSR file

This will generate the certificate.

Download created certificate

When the certificate is generated you can choose to download it as a DER or Base64 encoded certificate. In this case choose Base64 and click the link Download certificate.

A new window opens where you can choose the path to save the file. You can save it temporarily in a separate folder or in the root of the C drive.

Now that we have downloaded the certificate we can import it with the Import-ExchangeCertificate command.

Import-ExchangeCertificate c:\certnew.cer

The command above imports the file certnew.cer, which is located in the root of C.

Exchange 2007 - import-exchangecertificate

When the certificate is imported a short overview is displayed showing the thumbprint of the certificate and the services the certificate will be used for. By default no services are assigned to the new certificate; this needs to be done with the Enable-ExchangeCertificate command. To make your life easier, copy the thumbprint so you can paste it later on.

Enable-ExchangeCertificate -Thumbprint 0FFB564426DB5A48227F7CD0399E50E577A0A839 -Services "IIS"

The example above activates the certificate and assigns it to the IIS service. If you would like to do it the easy way, you can perform both steps at the same time:

Import-ExchangeCertificate c:\certnew.cer | Enable-ExchangeCertificate -Services "IIS"

When you are using multiple certificates it may be useful to specify a friendly name so you can identify the certificate easily. This can be done with the -FriendlyName parameter after the name of the file you wish to import.

Import-ExchangeCertificate c:\certnew.cer -FriendlyName "CAS Web certificate"

When running Get-ExchangeCertificate again you will see that two certificates are installed: one for IIS and the other one for the remaining services:

Exchange 2007 - certificate overview

As you can see, short names are used in the Services column:

  • W, web services (IIS)
  • I, IMAP
  • P, POP3
  • S, SMTP

When getting the details again you will see that some things have changed:

Exchange certificate details

One of them is IsSelfSigned, which has changed to False, and RootCAType has changed to Enterprise.

When opening OWA you won’t get the certificate warning, provided the root certificate of the CA is installed on the client.
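As an added, end-to-end example (not code from the original post), the whole procedure above in one Exchange Management Shell script: create the request, submit it to the CA, import and enable the certificate for IIS, and then verify the same properties the post inspects with Get-ExchangeCertificate | fl as explicit checks. It submits the CSR with certreq.exe (a standard Windows tool) instead of the CA web pages; the CA name ca01.demo.local\Demo-CA, the file paths and the host names are placeholders for a test lab. It uses a 2048-bit key where the post used 1024, because 2048 bits is the accepted minimum for RSA keys today.

```powershell
# Added example, not from the original post: CSR -> CA -> import -> enable -> verify in one go.
# Assumed lab values (placeholders): CA "ca01.demo.local\Demo-CA", names under demo.local, C:\ paths.
$CsrPath    = "C:\csr.txt"
$CerPath    = "C:\certnew.cer"
$CaConfig   = "ca01.demo.local\Demo-CA"      # "<CA host>\<CA name>", see certutil -dump
$CommonName = "mail.demo.local"
$SanNames   = @("mail.demo.local", "autodiscover.demo.local", "ex04", "ex04.demo.local")

# 1. Create the request. The post used -KeySize 1024; 2048 is the accepted minimum today.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -Path $CsrPath `
    -SubjectName "c=NL, l=Utrecht, s=Utrecht, o=Demo, cn=$CommonName" `
    -DomainName $SanNames -PrivateKeyExportable:$true

# 2. Submit the CSR to the enterprise CA with certreq.exe instead of the CA web pages.
#    With the WebServer template the CA usually issues immediately; if the template
#    requires manager approval, no file is written and the request stays pending.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" $CsrPath $CerPath
if (-not (Test-Path $CerPath)) {
    throw "No certificate returned; check pending requests on $CaConfig"
}

# 3. Import with a friendly name and enable it for IIS (OWA, Autodiscover, EWS) in one step.
$cert = Import-ExchangeCertificate -Path $CerPath -FriendlyName "CAS Web certificate"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Verify the result: the same fields the post reads from Get-ExchangeCertificate | fl,
#    plus expiry, SAN coverage and key size, as checks that fail loudly.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$problems  = @()
if ($installed.IsSelfSigned)                { $problems += "certificate is still self-signed" }
if ($installed.RootCAType -ne "Enterprise") { $problems += "RootCAType is $($installed.RootCAType), expected Enterprise" }
if ("$($installed.Services)" -notmatch "IIS") { $problems += "IIS is not assigned (Services = $($installed.Services))" }
if ($installed.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires on $($installed.NotAfter)" }
foreach ($name in $SanNames) {
    if (-not ($installed.CertificateDomains -contains $name)) { $problems += "SAN missing: $name" }
}
if ($installed.PublicKey.Key.KeySize -lt 2048) {
    $problems += "key size $($installed.PublicKey.Key.KeySize) is below 2048"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $($installed.Subject) ($($installed.Thumbprint)) is enabled for $($installed.Services)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated Exchange Management Shell on the CAS server. Two points worth keeping in mind: -PrivateKeyExportable:$true is only needed when the certificate has to be moved to a second CAS or a load balancer, since an exportable key can be copied by anyone with local administrator rights; and enabling only IIS leaves the self-signed certificate in place for SMTP, which matches the two-certificate overview the post shows.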

Below you will find some links to pages containing more information about certificates:

DigiCert’s Exchange 2007 CSR Tool
Exchange Ninja’s: New-ExchangeCertificate
Sembee: Exchange 2007 and SSL Certificates
TechNet: New-ExchangeCertificate

As you may already know you can use the New-ExchangeCertificate PowerShell cmdlet to add a new certificate to a few services of Exchange or to create a certificate request. During a visit to the MsExchange forum I found a post by somebody who had issues with this. Despite the credentials he used to log in he got the message Access is denied.

After some research on the internet I found the solution. The problem was the directory c:\documents and settings\all users\application data\microsoft\crypto\rsa\machinekeys, which is used for saving certificates, even if the creation fails. In this case only the network service had the correct rights to access the folder. When you have a look at the folder you will see that the administrator has full control on the folder itself but not on the sub-folders and files in it. Changing this fixed the issue and the command could be executed successfully.

Besides this fix you will find several other pages that say giving the network service full control on the folder also fixes this issue.
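To make the folder finding above checkable, here is an added PowerShell audit (my own example, not something from the post or the forum thread) that walks the MachineKeys folder and every key container file in it and reports whether the local Administrators group has Full Control and whether NETWORK SERVICE can read, which are exactly the two ACL conditions the post and the other pages point at. It changes nothing unless -Fix is given. It assumes that on Windows Server 2008 the legacy path quoted in the post is a junction to %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, which is what $env:ProgramData resolves to.

```powershell
# Added example, not from the original post: audit (and optionally repair) the ACLs on the
# MachineKeys folder behind the "Access is denied" error from New-ExchangeCertificate.
# Assumption: C:\Documents and Settings\All Users\Application Data is a junction to
# $env:ProgramData on Windows Server 2008, so the default path below is the post's folder.
function Test-MachineKeysAcl {
    param(
        [string]$Path = (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"),
        [switch]$Fix   # only when set: add Full Control for Administrators where it is missing
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read = [System.Security.AccessControl.FileSystemRights]::Read

    # $true when the ACL has an Allow entry for the identity carrying at least $rights.
    function HasRight($acl, $identityPattern, $rights) {
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq "Allow" -and
                $ace.IdentityReference.Value -like $identityPattern -and
                (($ace.FileSystemRights -band $rights) -eq $rights)) { return $true }
        }
        return $false
    }

    # The folder itself plus every key container file in it: the post's finding was that the
    # folder ACL looked fine while the files underneath did not inherit Full Control.
    $items = @(Get-Item $Path) + @(Get-ChildItem $Path -Force)
    foreach ($item in $items) {
        $result = "" | Select-Object Path, AdministratorsFullControl, NetworkServiceRead, Note
        $result.Path = $item.FullName

        $acl = Get-Acl $item.FullName -ErrorAction SilentlyContinue
        if ($acl -eq $null) {
            # Not even READ_CONTROL: the same symptom the forum poster hit.
            $result.Note = "ACL not readable by the current account"
            $result
            continue
        }

        $result.AdministratorsFullControl = HasRight $acl "*\Administrators" $full
        $result.NetworkServiceRead        = HasRight $acl "NT AUTHORITY\NETWORK SERVICE" $read

        if ($Fix -and -not $result.AdministratorsFullControl) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                "BUILTIN\Administrators", "FullControl", "Allow")
            $acl.AddAccessRule($rule)
            Set-Acl -Path $item.FullName -AclObject $acl -ErrorAction SilentlyContinue
            $result.AdministratorsFullControl = $?
            if ($?) { $result.Note = "Full Control for Administrators added" }
            else    { $result.Note = "Set-Acl failed; take ownership first" }
        }
        $result
    }
}

# Dry run first, then repair only the entries that were reported as missing:
Test-MachineKeysAcl | Format-Table -AutoSize
# Test-MachineKeysAcl -Fix | Format-Table -AutoSize
```

Run it from an elevated prompt. The dry run shows which of the two conditions is actually broken before anything is changed; granting NETWORK SERVICE Full Control, the alternative fix the post mentions, is broader than it needs to be, since the service only has to read its own key containers.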

Outlook Web Access

It’s time for a new tutorial; this one is about Outlook Web Access. In this tutorial I will discuss all the possibilities that you can configure, including some certificate things. I’ve seen there were some typos in some English tutorials, sorry for that; I think I wanted to translate them too fast 😉 I will soon fix all the errors, sorry for the inconvenience.