Creating a new SSL certificate in Exchange 2007 CAS
Because we are going to request a new SAN certificate, we must use the New-ExchangeCertificate cmdlet; IIS Manager cannot create requests for SAN certificates. Launch the Exchange Management Shell and type the following command (replacing the names with your own):
New-ExchangeCertificate -GenerateRequest -SubjectName "C=dk, O=EHLO organization, CN=mail.ehlo.dk" -DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true
Alternatively, we can use DigiCert's Exchange 2007 CSR Tool:
Fill in the details, click Generate, then copy the CSR command it produces into the Exchange Management Shell.
Paste the command into the Exchange Management Shell. Your CSR will be written to c:\owa_yourdomain_com.csr.
New-ExchangeCertificate -GenerateRequest -Path c:\owa_yourdomain_com.csr -KeySize 2048 -SubjectName "c=IL, s=IL, l=TA, o=IT, ou=IT, cn=owa.yourdomain.com" -DomainName owa.yourdomain.com, exchange, exchange.yourdomain.com, autodiscover.yourdomain.com -PrivateKeyExportable:$True
Where do you paste this command?
Run the command in the Exchange Management Shell on your server:
- Log in to your Exchange 2007 server
- Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
- Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter
- Your CSR file should now be in C:\ on your server (named as given by the -Path option in the command itself)
What Subject Alternative Names should I include?
If you have questions, see our page on choosing your SAN names.
What kind of SSL certificate should you buy?
For Exchange 2007, your choices are single-name certificates and SAN certificates, also known as Unified Communications certificates.
SAN certificates give you control of the Subject Alternative Name field, so you can protect multiple URLs with just one certificate. Microsoft recommends Unified Communications certificates because they greatly simplify your SSL configuration.
After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.
Figure 3.7: Generating a request for a new SAN Certificate
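As an added check that is not part of the original article: before the request leaves the server, decode it with certutil -dump and confirm that every host name landed in the SAN extension and that the key is at least 2048 bits (public CAs no longer issue certificates for 1024-bit keys, so the -KeySize 1024 in the first command above should be raised). The file path and host names are assumptions copied from that command; the "DNS Name=" and "Public Key Length:" line formats are the ones certutil prints.

```powershell
# Added example, not from the original article: sanity-check a CSR produced by
# New-ExchangeCertificate before submitting it to the CA.
# Path and names are assumptions taken from the article's sample command.
$CsrPath       = 'c:\CAS_SAN_cert.req'
$ExpectedNames = @('mail.ehlo.dk', 'autodiscover.ehlo.dk', 'cas01.ehlo.dk', 'cas02.ehlo.dk')
$MinKeyBits    = 2048   # public CAs stopped accepting 1024-bit RSA keys years ago

function Test-ExchangeCsr {
    param([string]$Path, [string[]]$Names, [int]$MinBits)

    if (-not (Test-Path -Path $Path)) { throw "CSR not found: $Path" }

    # certutil decodes the PKCS#10 request to text; join lines for regex matching.
    $dump = (certutil -dump $Path) -join "`n"

    # Every "DNS Name=<host>" line comes from the Subject Alternative Name extension.
    $found   = @([regex]::Matches($dump, 'DNS Name=(\S+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() })
    $missing = @($Names | Where-Object { $found -notcontains $_.ToLower() })

    # Key size is reported as "Public Key Length: 2048 bits".
    $bits = 0
    if ($dump -match 'Public Key Length:\s*(\d+)\s*bits') { $bits = [int]$Matches[1] }

    New-Object PSObject -Property @{
        Path          = $Path
        KeyBits       = $bits
        SanFound      = $found
        SanMissing    = $missing
        ReadyToSubmit = (($missing.Count -eq 0) -and ($bits -ge $MinBits))
    }
}

$result = Test-ExchangeCsr -Path $CsrPath -Names $ExpectedNames -MinBits $MinKeyBits
$result | Format-List
if (-not $result.ReadyToSubmit) {
    Write-Warning 'Regenerate the request: a SAN entry is missing or the key is too short.'
}
```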
Submitting the SAN Certificate to a Microsoft Certificate Authority
With the SAN certificate request generated, we can submit it to our Microsoft CA, or almost. By default a Microsoft CA does not honour the SAN field in a request, so first log on to the Domain Controller, open a command prompt window and type the following command:
Certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
After hitting Enter, you should see the old and new value as in Figure 3.8.
Figure 3.8: Changing the EditFlags on the Microsoft CA
Now restart the Certificate Services (CertSvc) service on the Microsoft CA server (here the Domain Controller) so the change takes effect (Figure 3.9).
Figure 3.9: Restarting the Microsoft Certificate Service
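As an added example that is not part of the original article: a small script, run on the CA, that reads the policy module's EditFlags from the registry and reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) is set. It also prints the certutil commands to set or clear the bit, because the flag is CA-wide and lets any enrollee on any template supply arbitrary names in the SAN, which is a risk wherever certificates are accepted for domain logon; clear it again once the Exchange certificate has been issued. The registry path is Microsoft's standard CA configuration layout; the CA name is read from the "Active" value.

```powershell
# Added example, not from the original article: inspect and explain the CA flag
# the article sets. Registry layout is the standard CertSvc configuration key.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaSanAttributeState {
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
    $polKey = Join-Path $cfgKey "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $flags  = (Get-ItemProperty -Path $polKey -Name EditFlags).EditFlags

    New-Object PSObject -Property @{
        CaName                = $caName
        EditFlags             = ('0x{0:x}' -f $flags)
        SanFromRequestAllowed = (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
    }
}

$state = Get-CaSanAttributeState
$state | Format-List

if ($state.SanFromRequestAllowed) {
    # While this bit is set, the CA honours SAN names supplied in the request
    # attributes of ANY request on ANY template, not just this Exchange request.
    # Where certificates are used for logon, that is a CA-wide impersonation risk,
    # so turn it back off as soon as the Exchange certificate has been issued.
    Write-Warning 'SAN-from-request-attributes is enabled CA-wide. Clear it after issuing:'
    Write-Host '  certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
    Write-Host '  Restart-Service certsvc'
} else {
    Write-Host 'SAN-from-request-attributes is disabled (the default). To enable it for this request:'
    Write-Host '  certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2'
    Write-Host '  Restart-Service certsvc'
}
```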
We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).
Figure 3.10: Microsoft Certificates Welcome page
On the Request a Certificate page, click advanced certificate request (Figure 3.11).
Figure 3.11: Requesting a Certificate
On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).
Figure 3.12: Selecting the second option on the Advanced Certificate Request page
Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.
Figure 3.13: Submitting the Certificate Request
Note: if the issued certificate does not carry the SAN entries, resubmit the request and enter the names in the Additional Attributes box in this form: san:dns=webmail.com&dns=autodiscover.com&dns=servername
Once the certificate has been issued, you can download a DER- or Base64-encoded version by clicking Download certificate or Download certificate chain. Let’s select Base 64 encoded and then click Download certificate chain (Figure 3.14).
Figure 3.14: Downloading the issued Certificate
It’s time to import the issued certificate with the Import-ExchangeCertificate cmdlet. We do this by typing the following command:
Import-ExchangeCertificate -Path c:\certnew.p7b
The certificate has now been imported to the personal certificate store.
To verify the certificate looks like expected, let’s now type the following command:
Get-ExchangeCertificate -Thumbprint <thumbprint> | FL
Figure 3.16: SAN Certificate - Detailed Information
Finally, we need to enable the certificate for the client services our end-users will use to connect to their mailboxes. In this setup I’ll enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4 (OWA, EAS and Outlook Anywhere all run under IIS). To do so we type:
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS, POP, IMAP"
Figure 3.17: Enabling the SAN certificate
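As an added example that is not part of the original article, covering the import, verify and enable steps above: instead of copying the thumbprint by hand, locate the freshly imported certificate by the names it must cover, confirm it is CA-issued, reported Valid by Get-ExchangeCertificate, not close to expiry and lists every required host in CertificateDomains, and only then bind it to the services. The host names and the 30-day expiry margin are assumptions.

```powershell
# Added example, not from the original article: verify the imported SAN
# certificate before enabling it. Host names are assumptions from the article.
$RequiredNames = @('mail.ehlo.dk', 'autodiscover.ehlo.dk', 'cas01.ehlo.dk', 'cas02.ehlo.dk')
$Services      = 'IIS, POP, IMAP'   # OWA, EAS and Outlook Anywhere all ride on IIS

function Test-CertificateCoversNames {
    param($Certificate, [string[]]$Names)
    $domains = @($Certificate.CertificateDomains | ForEach-Object { "$_".ToLower() })
    foreach ($n in $Names) {
        if ($domains -notcontains $n.ToLower()) { return $false }
    }
    return $true
}

function Find-ReadyExchangeCertificate {
    param([string[]]$Names)
    # Skip the self-signed default certificate, pending requests and anything
    # Exchange does not consider Valid (untrusted chain, revoked, expired).
    $candidates = Get-ExchangeCertificate | Where-Object {
        (-not $_.IsSelfSigned) -and
        ($_.Status -eq 'Valid') -and
        ($_.NotAfter -gt (Get-Date).AddDays(30))
    }
    foreach ($c in $candidates) {
        if (Test-CertificateCoversNames -Certificate $c -Names $Names) { return $c }
    }
    return $null
}

$cert = Find-ReadyExchangeCertificate -Names $RequiredNames
if ($null -eq $cert) {
    throw 'No valid CA-issued certificate covers all required names; check the Import-ExchangeCertificate output.'
}

# Show what is about to be bound, then enable it. The thumbprint takes the place
# of the <thumbprint> placeholder in the article's Enable-ExchangeCertificate line.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services
```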