David Dan

Microsoft Products and Technologies

Creating a new SSL certificate in Exchange 2007 CAS

First As we’re going to generate a request for a new SAN certificate, we must use the New-ExchangeCertificate cmdlet for this purpose, as the IIS Manager isn’t capable of creating requests for SAN certificates. To do this launch the Exchange Management Shell, then type the following command (replace the names with your own):

New-ExchangeCertificate –GenerateRequest –SubjectName “C=dk, O=EHLO organization, CN=mailehlo.dk” –DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true

OR we can use the  DigiCert's Exchange 2007 CSR Tool

Fill in the details, click Generate, then copy your CSR command into Exchange Management Shell.

  Information

Now just copy and paste this command into Exchange Management Shell. Your CSR will be written to c:\owa_yourdomain_com.csr.

:
New-ExchangeCertificate -GenerateRequest -Path c:\owa_yourdomain_com.csr -KeySize 2048 -SubjectName "c=IL, s=IL, l=TA, o=IT, ou=IT, cn=owa.yourdomain.com" -DomainName owa.yourdomain.com, exchange, exchange.yourdomain.com, autodiscover.yourdoamin.com -PrivateKeyExportable $True

Where do you paste this command?

Run the command in the Exchange Management Shell on your server:

  1. Login to your Exchange 2007 server
  2. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
  3. Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter
  4. Your CSR file should now be in C:\ on your server (as named by the -Path option in the command itself.)
What Subject Alternate Names Should I Include?

If you have questions, see our page on choosing your SAN names.

What kind of SSL certificate should you buy?

When you want SSL for Exchange 2007, your choices are Single certificates and SAN certificates—also known as Unified Communications certificates.

SAN Certificates give you control of the Subject Alternative Name field so you can protect multiple URLs with just one certificate. Microsoft recommends Unified Communications Certificates because they greatly simplify your SSL configuration.

After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.


Figure 3.7: Generating a request for a new SAN Certificate

Submitting the SAN Certificate to a Microsoft Certificate Authority

With the SAN SSL certificate request generated, we can submit it to our Microsoft CA, or almost that is. The reason I why I say so, is because by default a Microsoft CA cannot handle certificates with the SAN field properly. To fix this issue log on to the Domain Controller and open a command prompt window, then type the following command:

Certutil –setreg policy\EditFlags –EDITF_ATTRIBUTESUBJECTALTNAME2

After hitting Enter, you should see the old and new value as in Figure 3.8.


Figure 3.8: Changing the EditFlags on the Microsoft CA

Now restart Certificate Services (CertSVC) service on the Microsoft CA server (Domain Controller) in order to have the changes applied (Figure 3.9).


Figure 3.9: Restarting the Microsoft Certificate Service

We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).


Figure 3.10: Microsoft Certificates Welcome page

 On the Request a Certificate page, click advanced certificate request (Figure 3.11).


Figure 3.11: Requesting a Certificate

On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).


Figure 3.12: Selecting the second option on the Advanced Certificate Request page

Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.


Figure 3.13: Submitting the Certificate Request

*if the certificate is not working add this in the attribute san:dns=webmail.com&dns=autodiscover.com&dns=servername

The certificate has been issued and you can download a DER or Base 64 encoded version by clicking Download certificate or Download certificate chain. Let’s select Base 64 encoded followed by clicking Download certificate chain (Figure 3.14).


Figure 3.14: Downloading the issued Certificate

It’s time to import the issued certificate using the Import-ExchangeCertificate cmdlet. We do this by typing the following command:

Import-ExchangeCertificate –Path c:\certnew.p7b

The certificate has now been imported to the personal certificate store.


Figure 3.15

To verify the certificate looks like expected, let’s now type the following command:

 Get-ExchangeCertificate -Thumbprint <thumbprint> | FL


Figure 3.16: SAN Certificate - Detailed Information

Finally we need to enable the certificate for the client services, our end-users will use to connect to their mailboxes. In this setup I’ll enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4. To do so we need to type:

Enable-ExchangeCertificate –Thumbprint <thumbprint> -Services “IIS, POP, IMAP”


Figure 3.17: Enabling the SAN certificate

 

 

 

 
 
 
Posted: Jun 22 2009, 10:40 AM by dand | with 4 comment(s)
תגים:

Comments

PolarBear said:

Great write up and it is easy to follow.  I am encountering an issue though when following this procedure.  The imported certificate does not seem to have the private key.

After importing the certificate to the CAS server (using Import-ExchangeCertificate cmdlet) and noting the thumbprint, I get the following error when trying to enable the certificate for IIS (using Enable-ExchangeCertificate), I get the following error:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 5A1???BEE62E6C12

708DF062CBA7AEBBD4EB14A2 -Services "IIS,POP,IMAP"

Enable-ExchangeCertificate : The certificate with thumbprint 5A1???BEE62E6C1270

8DF062CBA7AEBBD4EB14A2 was found but is not valid for use with Exchange Server

(reason: PrivateKeyMissing).

At line:1 char:27

+ Enable-ExchangeCertificate  <<<< -Thumbprint 5A1???BEE62E6C12708DF062CBA7AEBB

D4EB14A2 -Services "IIS,POP,IMAP"

A quick look in the personal store for the Local Computer Certificates store shows that although the certificate is there, no little key is shown on the icon to indicate the presence of a private key.

FYI - When generating the certificate request, I remembered to use the -privatekeyexportable:$true switch on the New-ExchangeCertificate cmdlet.

Any idea what is behind this problem?

# July 17, 2009 6:15 PM

pramirezg said:

Excellent write up!!!!  I've been digging around for more than 5 hours trying to find an article for creating the SSL certificate until I found this one that clearly opened up my eyes and voila!!! just worked perfectly!!!

Thanks so much and keep up the good work!!!!

# August 18, 2009 11:01 PM

Martin Sieber said:

Hi Dan

A small comment on the EditFlags:

Afaik, you would need to run the following command on te CA to set the flag:

Certutil –setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

(Use a plus instead a minus). Your command will remove the flag from the CA if I'm not mistaken.

Regards,

Martin

# August 19, 2009 12:47 AM

ssl247.com@googlemail.com said:

One of the better write-ups to creating a cert.file! My business has recently utilised a <a href="http://www.ssl247.com">Unified Communications SSL</a> provider like SSL247 to cover all our domain names under one certificate on the Microsoft Exchange 2007 server. But this is good extensive documentation and walkthrough to understand the process!

# December 9, 2009 4:46 PM
Leave a Comment

(required) 

(required) 

(optional)

(required) 


Enter the numbers above: