Create Certificate for Exchange 2007 Servers using Windows CA

March 20, 2008

Exchange 2007 uses SSL for OWA and SMTP. The Exchange certificate created by the installation is not suitable for Exchange 2007 use.



You need to create a new certificate that uses the SAN (Subject Alternative Name) extension to support the multiple names used by Exchange servers and clients.



Step 1: Use the Exchange Management Shell to create the CSR (certificate request)

New-ExchangeCertificate -GenerateRequest -DomainName mail.demo.com, ServerName.internal.com, autodiscover.demo.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable:$True -Path c:\Cert.req

The first name in the certificate should be your external server name. The certificate should also include the server's FQDN, its NetBIOS name, and the Autodiscover name for Outlook 2007 users.



Step 2: Open the CSR file created in the previous step and copy its contents.

Open your CA web page and click "Request a certificate".

Click "advanced certificate request".

Select "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

Paste the CSR from Step 1 and select the Web Server template.

Click Submit. If this is an Enterprise CA, your request will be processed immediately; otherwise, issue the certificate manually and download it from the CA.

Click Download and save the file.



Step 3: Now import the certificate to the Exchange server using the Exchange Management Shell

Import-ExchangeCertificate -Path c:\hdhdh.cer | Enable-ExchangeCertificate -Services IIS, SMTP



Now the certificate should look like this:



The subject should include your external server name (if exposed to the Internet).

The Subject Alternative Name should include all names supplied in the request.
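The same checks can be made from the Exchange Management Shell. The following is an added example, not part of the original post; it reuses the names from the Step 1 request and assumes the properties listed by Get-ExchangeCertificate | Format-List (CertificateDomains, Services, Subject, IsSelfSigned, Thumbprint, NotAfter).

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
# $expected repeats the names from the Step 1 request; replace them with your own.
$expected = 'mail.demo.com', 'ServerName.internal.com', 'autodiscover.demo.com', 'ServerName'
$wanted   = 'IIS', 'SMTP'          # services enabled in Step 3

# CA-issued certificates that carry the external name (first entry of $expected).
$certs = @(Get-ExchangeCertificate | Where-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    (-not $_.IsSelfSigned) -and ($domains -contains $expected[0])
})
if ($certs.Count -eq 0) { Write-Warning "No CA-issued certificate found for $($expected[0])" }

foreach ($cert in $certs) {
    $domains  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing  = @($expected | Where-Object { $domains -notcontains $_ })
    $enabled  = $cert.Services.ToString()
    $disabled = @($wanted | Where-Object { $enabled -notmatch "\b$($_)\b" })

    "Thumbprint : $($cert.Thumbprint)"
    "Subject    : $($cert.Subject)"
    "Expires    : $($cert.NotAfter)"
    "Names      : $([string]::Join(', ', $domains))"
    "Services   : $enabled"

    # The subject CN should be the external server name.
    if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($expected[0]) + '(,|$)')) {
        Write-Warning "Subject CN is not $($expected[0])"
    }
    # Every name supplied in the request should appear in the certificate.
    if ($missing.Count -gt 0) {
        Write-Warning "Names missing from the certificate: $([string]::Join(', ', $missing))"
    }
    # Imported but not enabled: print the command that binds it to the services.
    if ($disabled.Count -gt 0) {
        Write-Warning "Not enabled for: $([string]::Join(', ', $disabled))"
        "To enable: Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services $([string]::Join(', ', $wanted))"
    }
}
```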



Good Luck
Ronen Gabbay


13 comments

  1. Ahood Kappon (Udi), August 12, 2008 at 1:11

    Ronen,

    You have 2 typing mistakes in the demos, which cause them to fail:

    1st, there is a space after the "-" sign before the Domainname

    New-ExchangeCertificate -GenerateRequest – Domainname mail.demo.com, ServerName.internal.com, autodiscover.demo.com, ServerName -FriendlyName mail.demo.com -PrivateKeyExportable: $True -path c:\Cert.req

    2nd, There is a missing "G" at the
    Import-ExchaneCertificate
    ^

    Import-ExchaneCertificate -path c:\hdhdh.cer | Enable-ExchangeCertificate -Services IIS, SMTP

    Regards,

    Udi

  2. alex, November 19, 2008 at 16:07

    What about Server 2008? Could you explain how to do it there? The CA interface simply isn't the same.

  3. Asslan Khalil, March 10, 2009 at 0:25

    I have imported the certificate but did not enable it.
    How can I enable the certificate, or how can I remove the certificate so I can re-import it and enable it?

  4. Asslan Khalil, March 10, 2009 at 0:32

    How can I remove the certificate after importing the certificate to the Exchange? NOTE: I did not enable the certificate yet.

  5. Asslan Khalil, March 10, 2009 at 0:45

    How do I delete the certificate after importing it into Exchange?
    I haven't enabled the certificate yet.

  6. dude, June 25, 2009 at 16:47

    ל-Exchange הימעוהסבר איך וחק את פשוט הממשק

  7. Nathaniel Kabal, August 3, 2009 at 0:05

    Thank you much. Helped me to solve my dilemma.

  8. Anil, March 25, 2010 at 6:25

    Good post in very easy steps, Gr8 Job…

  9. Doug, April 6, 2010 at 17:22

    Thanks! Easier than the MS manual.. Worked first time! Ta muchly!!

  10. Rello, April 19, 2010 at 1:48

    Ahood Kappon THANK YOU I GOT IT FROM YOUR ADVICE

  11. Yann, May 6, 2011 at 18:39

    thanks this saved my day!
