Creating a new SSL certificate in Exchange 2007 CAS - David Dan

David Dan

Microsoft Products and Technologies

Creating a new SSL certificate in Exchange 2007 CAS

Since we are going to generate a request for a new SAN certificate, we must use the New-ExchangeCertificate cmdlet, because IIS Manager cannot create requests for SAN certificates. Launch the Exchange Management Shell and type the following command (replace the names with your own; if the request goes to a public CA, use -KeySize 2048, as public CAs no longer issue certificates for 1024-bit keys):

New-ExchangeCertificate -GenerateRequest -SubjectName "C=dk, O=EHLO organization, CN=mail.ehlo.dk" -DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true

Alternatively, we can use DigiCert's Exchange 2007 CSR Tool.

Fill in the details, click Generate, then copy the CSR command it produces into the Exchange Management Shell. The tool's page then reads:

Now just copy and paste this command into Exchange Management Shell. Your CSR will be written to c:\owa_yourdomain_com.csr.

New-ExchangeCertificate -GenerateRequest -Path c:\owa_yourdomain_com.csr -KeySize 2048 -SubjectName "c=IL, s=IL, l=TA, o=IT, ou=IT, cn=owa.yourdomain.com" -DomainName owa.yourdomain.com, exchange, exchange.yourdomain.com, autodiscover.yourdomain.com -PrivateKeyExportable $True

Where do you paste this command?

Run the command in the Exchange Management Shell on your server:

  1. Login to your Exchange 2007 server
  2. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
  3. Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter
  4. Your CSR file should now be in C:\ on your server (as named by the -Path option in the command itself).

What Subject Alternate Names Should I Include?

If you have questions, see our page on choosing your SAN names.

What kind of SSL certificate should you buy?

When you want SSL for Exchange 2007, your choices are Single certificates and SAN certificates—also known as Unified Communications certificates.

SAN Certificates give you control of the Subject Alternative Name field so you can protect multiple URLs with just one certificate. Microsoft recommends Unified Communications Certificates because they greatly simplify your SSL configuration.

After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.


Figure 3.7: Generating a request for a new SAN Certificate

Submitting the SAN Certificate to a Microsoft Certificate Authority

With the SAN certificate request generated, we can submit it to our Microsoft CA, or almost: by default a Microsoft CA does not accept Subject Alternative Names supplied with a request. To change this, log on to the Domain Controller (the CA server), open a command prompt window and run the following command. Note that this flag lets any requester attach arbitrary SAN names to any certificate the CA issues, which is a well-known risk on an enterprise CA, so consider clearing it again once the Exchange certificate has been issued:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After hitting Enter, you should see the old and new value as in Figure 3.8.


Figure 3.8: Changing the EditFlags on the Microsoft CA

Now restart the Certificate Services (CertSvc) service on the Microsoft CA server (the Domain Controller) so that the change takes effect (Figure 3.9).


Figure 3.9: Restarting the Microsoft Certificate Service
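The two steps above (set the flag, restart CertSvc) are easy to get wrong in the sign and impossible to confirm from the command's own output, and the flag is one you will want to switch off again afterwards. The following is an added example, not part of the original post or of Microsoft's tooling: a pair of PowerShell functions for an elevated session on the CA server that set or clear EDITF_ATTRIBUTESUBJECTALTNAME2, restart the service, and verify the result by reading the flag back with certutil -getreg. The function names are this example's own; certutil's "+FLAG" sets a bit in a registry flags value and "-FLAG" clears it.

```powershell
# Added example, not part of the original post: wrap the EditFlags change so that it
# can be verified and, once the Exchange certificate has been issued, reverted.
# Assumes an elevated PowerShell session on the CA server; the function names are
# this example's own.

function Test-CaSanAttributeFlag {
    # "certutil -getreg" prints the EditFlags value followed by the name of every
    # bit that is set, so the flag name appears in the output only when it is on.
    $out = certutil -getreg policy\EditFlags 2>&1 | Out-String
    return [bool]($out -match "EDITF_ATTRIBUTESUBJECTALTNAME2")
}

function Set-CaSanAttributeFlag {
    param([bool]$Enable)
    $flag = "-EDITF_ATTRIBUTESUBJECTALTNAME2"                      # "-" clears the bit
    if ($Enable) { $flag = "+EDITF_ATTRIBUTESUBJECTALTNAME2" }      # "+" sets the bit
    & certutil -setreg policy\EditFlags $flag | Out-Null
    # The CA reads EditFlags when the service starts, hence the restart.
    Restart-Service certsvc
    # Read the flag back and report whether the CA is now in the requested state.
    return ((Test-CaSanAttributeFlag) -eq $Enable)
}

# Usage: turn the flag on only for as long as the Exchange request needs it.
if (Set-CaSanAttributeFlag -Enable $true) { "CA now accepts SAN request attributes" }
# ... submit the request and download the issued certificate ...
if (Set-CaSanAttributeFlag -Enable $false) { "CA refuses SAN request attributes again" }
```

Keeping the enable and disable calls together in one session makes the window in which the CA accepts caller-supplied SAN names as short as the certificate issuance itself.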

We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).


Figure 3.10: Microsoft Certificates Welcome page

On the Request a Certificate page, click advanced certificate request (Figure 3.11).


Figure 3.11: Requesting a Certificate

On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).


Figure 3.12: Selecting the second option on the Advanced Certificate Request page

Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.


Figure 3.13: Submitting the Certificate Request

* If the issued certificate does not contain the SAN names, submit the request again and enter them in the Additional Attributes box of the request page in this form: san:dns=webmail.com&dns=autodiscover.com&dns=servername

The certificate has been issued and you can download a DER or Base 64 encoded version by clicking Download certificate or Download certificate chain. Let’s select Base 64 encoded followed by clicking Download certificate chain (Figure 3.14).


Figure 3.14: Downloading the issued Certificate

It’s time to import the issued certificate using the Import-ExchangeCertificate cmdlet. We do this by typing the following command:

Import-ExchangeCertificate -Path c:\certnew.p7b

The certificate has now been imported to the personal certificate store.


Figure 3.15

To verify that the certificate looks as expected, type the following command:

Get-ExchangeCertificate -Thumbprint <thumbprint> | FL


Figure 3.16: SAN Certificate - Detailed Information

Finally, we need to enable the certificate for the client services that end-users use to connect to their mailboxes. In this setup I'll enable it for OWA, EAS, Outlook Anywhere, POP3 and IMAP4 (OWA, EAS and Outlook Anywhere all run under IIS, so they are covered by the IIS service). To do so, type:

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS, POP, IMAP"


Figure 3.17: Enabling the SAN certificate
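Figure 3.16 shows the certificate details, but reading CertificateDomains by eye is where most mistakes survive, and the "What Subject Alternate Names Should I Include?" question above comes down to the same check: does the certificate cover every name clients actually connect to? The following is an added example, not from the original post, Microsoft or DigiCert: PowerShell functions for the Exchange Management Shell that compare the imported certificate's CertificateDomains against a list of required host names (including wildcard matching as clients apply it, which goes beyond the exact names used on this page), confirm the services it is enabled for, and flag a missing private key or imminent expiry. The function names, the thumbprint placeholder and the host names are this example's own assumptions.

```powershell
# Added example, not part of the original post: after Import-ExchangeCertificate, check that
# the certificate really covers every name clients connect to and is enabled for the
# expected services. Run it inside the Exchange Management Shell; the function names,
# the thumbprint placeholder and the host names are this example's own.

# Name matching as clients do it: exact match, or a wildcard that replaces only the
# left-most label ("*.ehlo.dk" covers mail.ehlo.dk but neither a.b.ehlo.dk nor ehlo.dk).
function Test-NameCoveredBySan {
    param([string]$Name, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -ieq $Name) { return $true }
        if ($san.StartsWith("*.")) {
            $sameDepth = ($Name.Split(".").Length -eq $san.Split(".").Length)
            $sameTail  = $Name.ToLower().EndsWith($san.Substring(1).ToLower())
            if ($sameDepth -and $sameTail) { return $true }
        }
    }
    return $false
}

function Test-ExchangeCertificateCoverage {
    param([string]$Thumbprint, [string[]]$RequiredNames, [string[]]$RequiredServices)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $ok = $true
    # CertificateDomains lists the names Exchange extracted from the certificate
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($name in $RequiredNames) {
        if (-not (Test-NameCoveredBySan $name $sans)) {
            Write-Warning "Not covered by the certificate: $name"
            $ok = $false
        }
    }
    # Services renders as a comma-separated list such as "IIS, POP, IMAP"
    $enabled = $cert.Services.ToString()
    foreach ($svc in $RequiredServices) {
        if ($enabled -notmatch "\b$svc\b") {
            Write-Warning "Certificate is not enabled for service: $svc"
            $ok = $false
        }
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key: the request was generated on another server or the key is missing"
        $ok = $false
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter)"
        $ok = $false
    }
    return $ok
}

# Usage: list the names end-users and Outlook actually resolve, not only server names.
$names = "mail.ehlo.dk", "autodiscover.ehlo.dk", "cas01.ehlo.dk", "cas02.ehlo.dk"
Test-ExchangeCertificateCoverage -Thumbprint "<thumbprint>" -RequiredNames $names -RequiredServices "IIS", "POP", "IMAP"
```

Run it once after Import-ExchangeCertificate to catch a name that was left out of -DomainName (or dropped by the CA, as the san: attribute note above warns) before any client sees a certificate warning, and again after Enable-ExchangeCertificate to confirm the Services value; a $false result with its warnings tells you which step to repeat.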

Posted: Jun 22 2009, 10:40 AM by dand | with 5 comment(s)
Tags:

Comments

pramirezg wrote:

Excellent write up!!!!  I've been digging around for more than 5 hours trying to find an article for creating the SSL certificate until I found this one that clearly opened up my eyes and voila!!! just worked perfectly!!!

Thanks so much and keep up the good work!!!!

# August 18, 2009 11:01 PM

Martin Sieber wrote:

Hi Dan

A small comment on the EditFlags:

Afaik, you would need to run the following command on the CA to set the flag:

Certutil –setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

(Use a plus instead of a minus). Your command will remove the flag from the CA if I'm not mistaken.

Regards,

Martin

# August 19, 2009 12:47 AM

ssl247.com@googlemail.com wrote:

One of the better write-ups on creating a cert file! My business has recently utilised a Unified Communications SSL provider like SSL247 (http://www.ssl247.com) to cover all our domain names under one certificate on the Microsoft Exchange 2007 server. But this is good extensive documentation and walkthrough to understand the process!

# December 9, 2009 4:46 PM

עופר אריאלי wrote:

There is a problem if you use the DigiCert tool.

The SUBJECT ALTERNATIVE NAMES field does not work well.

I recommend working directly against the CA: choose a certificate of type WEB SERVER, fill in all the fields, and in the fields at the bottom add san:dns=name

# January 30, 2011 3:48 PM