Posted By Subodh on Monday, October 19, 2009
Godaddy UCC Certificates

Proof of how quickly time flies asserts itself around this time of year, when the SSL certificate used for the SMTP, POP and IMAP services on Exchange Server 2007 comes up for renewal. It is surprising that, nearly three years after I embarked on the original installation, documentation on how to do so is still scarce and hard to come by. What is more intriguing is that I end up making the same mistakes every year. This time I'm going to document the whole process.

Here’s how to use GoDaddy’s SSL certificates with Exchange Server 2007 and ISA Server 2006.

In the examples below I am using GoDaddy's SSL certificates. Any other certificate provider can be substituted easily.

Godaddy multiple domain SSL Certificates

What is a UCC Certificate?

Unified Communications Certificates give an Exchange administrator full control over the Subject Alternative Name field, so that as few or as many host names as needed can be secured with a single SSL certificate. If a traditional single-name certificate were used for each of the roles Exchange Server 2007 requires, the cost would be prohibitive, and installing, administering and maintaining such a setup would be a logistical nightmare.

Why GoDaddy UCC Certificate?

I've tried many combinations, from Thawte, DigiCert and Entrust to GoDaddy. Your mileage may vary, but for the right balance between cost, time invested, ease of use and acceptance by the various browsers and clients, GoDaddy seemed to work best (for me at least), unless you're ready to shell out loads of $$$.

Which Exchange 2007 services can be secured with just one UCC Certificate?

Secure POP, Secure IMAP, Outlook Web Access (OWA), SMTP, Autodiscover, ActiveSync and Outlook Anywhere can all be secured with just one certificate. The services do not have to share an IP address, nor do they have to use different ones; there is no such restriction. The host names (or subdomains) do not even need to belong to the same domain. The following are all valid examples:

mail.domain1.com
autodiscover.domain1.com
webmail.domain1.com
smtp.domain2.com
autodiscover.domain2.com

Getting things in order before requesting a Certificate (New or renewal)

Irrespective of which certificate provider you use, there are a few things that need to be in place before a certificate request can be made.

1. Common Name

The common name (together with the organization name) is by far the most important part of a certificate: who is the certificate issued to? Unlike with an in-house Enterprise CA, you want to use the real name of your organization or entity. A simple test I can offer: ask yourself who owns the domain.

2. Getting the domains right

The best approach to getting all the right domains in is to use the publicly visible domain as the principal (first) domain name and list all the other service aliases (FQDNs) after it. Also include the host name used on the local intranet; it will save you tons of headaches later on.

3. Get the edge server domain name included, if possible

This is optional. If you have not hit the domain limit, get the FQDN of your Edge server included in the certificate request. If not, you can use an Enterprise CA from within your organization to secure the Hub-to-Edge communication.

4. Get the paperwork right

If you're setting up for a registered legal entity, make sure your organization's identity can be verified. If you're the registrant of the domain, you will need to turn off domain privacy at least until the domain verification process is complete. The admin contact on every domain included in the certificate request needs to respond quickly and provide proof of legal existence, ownership and control.

5. Always begin the request at the Hub Transport Server

Underline this. The request must be made via the Exchange Management Shell on the Hub Transport server. A lot of articles suggest using IIS to generate the request. Let me tell you otherwise: NO. It has to be the Hub Transport server, or you'll be dealing with nightmares (which of course can be fixed) for a long time to come. Also remember that the private key is stored on the machine that makes the request unless you export it.
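Before running the request it helps to know exactly which host names Exchange is already publishing to clients, because a name left off the -DomainName list is the usual cause of the certificate warnings that appear months later. The following PowerShell script is an added example, not code from the original post; it assumes it is run in the Exchange Management Shell on a Hub Transport / Client Access server, and the intranet host name and Edge FQDN are placeholders you fill in. It gathers the names from the Autodiscover, OWA, ActiveSync, Web Services and OAB URLs plus the Send Connector FQDN, compares them with the SANs on the certificate currently bound to IIS, and reports what is missing and when that certificate expires.

```powershell
# Added example (not from the original post): inventory the host names Exchange 2007
# publishes and compare them with the SANs on the certificate currently enabled for IIS.
# Assumes the Exchange Management Shell on a Hub Transport / Client Access server.
$intranetHost = 'exchange.mydomain1.local'   # placeholder: on-LAN name clients use (step 2)
$edgeFqdn     = 'edge.mydomain1.com'         # placeholder: Edge server FQDN, optional (step 3)

# Every URL Exchange advertises to clients; each is reduced to its host name below.
$urls = @()
$urls += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += (Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

$needed = @()
$needed += ($urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]"$_").Host })
# Name the Hub presents in EHLO/TLS on outbound SMTP.
$needed += (Get-SendConnector | ForEach-Object { "$($_.Fqdn)" })
$needed += $intranetHost, $edgeFqdn
$needed = $needed | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# The certificate currently serving OWA/Autodiscover/ActiveSync (enabled for IIS).
$current = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
           Select-Object -First 1
$covered = @()
if ($current) {
    $covered = $current.CertificateDomains | ForEach-Object { "$_".ToLower() }
}

$missing = $needed | Where-Object { $covered -notcontains $_ }

Write-Host 'Host names Exchange publishes:'
$needed | ForEach-Object { Write-Host "  $_" }
if ($missing) {
    Write-Host 'Not on the current IIS certificate (add these to -DomainName):'
    $missing | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'The current certificate already covers every published name.'
}
# Renewal sneaks up on you: report how long the current certificate has left.
if ($current) {
    $days = ($current.NotAfter - (Get-Date)).Days
    Write-Host ('Current IIS certificate {0} expires in {1} days' -f $current.Thumbprint, $days)
}
```

Run it once before requesting or renewing, and feed the complete list into -DomainName; the ExternalUrl values are often empty on servers that were never configured for external access, which is exactly why the intranet host name is added by hand.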

Requesting the Certificate

If you're requesting a fresh certificate, the Exchange Management Shell command looks something like this (the backtick at the end of each line is PowerShell's line-continuation character):

# Generate a CSR with a new 2048-bit key; the private key stays on this server.
New-ExchangeCertificate -DomainName exchange.mydomain1.com, edge.mydomain1.com, mydomain2.com `
    -FriendlyName MyOrgSecureCert -GenerateRequest:$True -KeySize 2048 `
    -Path c:\certificates\2009\request.req -PrivateKeyExportable:$true `
    -SubjectName "c=us, o=FirstName LastName or organization name, CN=mydomain1.com"

For a renewal it's even simpler. All you need is the thumbprint of the previous certificate. See the example below:

# List the installed certificates and find the thumbprint of the one to renew.
Get-ExchangeCertificate | Format-List
Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | Format-List
# Pipe the old certificate into New-ExchangeCertificate to generate a CSR with the same names.
Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | New-ExchangeCertificate `
    -GenerateRequest -Path C:\certificates\2009\request.req -PrivateKeyExportable $true

In the example above, substitute with the actual thumbprint of the certificate you’re renewing.

Once the request is complete, copy and paste the contents of the CSR file into GoDaddy's Certificate Manager (the request certificate interface).

Certificate Signing Request

Complete the wizard and the domain access verification procedure. Once your certificate is issued, log in to your control panel and download the certificate.

Download Issued Certificate

Import the certificate and Enable Services

On the Hub Transport server (where the CSR was generated), expand the downloaded zip file, then import the .crt file and enable it for services using:

# Import the issued certificate and bind it to the Exchange services in one pipeline.
Import-ExchangeCertificate -Path "C:\certificates\2009\exchange.mydomain1.crt" |
    Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP

Answer 'YES' to the overwrite-existing-certificate warning if you are renewing. The Hub Transport role is now set up.

On the same machine, start MMC, choose Add/Remove Snap-in, Certificates, Local Computer, select the just-imported certificate, choose Export and remember to export the private key. Use a strong password to encrypt it.

Export private Key and the certificate
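The import-and-enable step above and the MMC export can both be checked and driven from the shell. The script below is an added example, not code from the original post: it assumes the Exchange Management Shell on the Hub Transport server, Exchange 2007 SP1 or later (which is when Export-ExchangeCertificate with -Path appeared), and a thumbprint, expected SAN names and output path that you supply as placeholders. It verifies that the certificate bound by Enable-ExchangeCertificate is the CA-issued one, is enabled for every intended service, carries the expected names and is not about to expire, and only then exports it with its private key to a password-protected .pfx for the Edge server.

```powershell
# Added example (not from the original post): verify the newly enabled certificate,
# then export it with its private key for the Edge Transport server.
# Assumes Exchange 2007 SP1 or later; all values below are placeholders.
$thumbprint = 'PASTE-THUMBPRINT-FROM-Get-ExchangeCertificate'
$pfxPath    = 'C:\certificates\exported\exchange.mydomain1.com.pfx'
$mustCover  = 'mail.domain1.com', 'autodiscover.domain1.com'   # names the SAN must contain
$services   = 'IMAP', 'POP', 'IIS', 'SMTP'                     # services enabled on the Hub

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
$problems = @()

# A renewal gone wrong typically leaves the self-signed certificate bound instead.
if ($cert.IsSelfSigned) { $problems += 'certificate is self-signed, not the CA-issued one' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += ('expires on ' + $cert.NotAfter) }

# Services is rendered as e.g. "IMAP, POP, IIS, SMTP"; check each one was enabled.
foreach ($svc in $services) {
    if ("$($cert.Services)" -notmatch $svc) { $problems += "not enabled for $svc" }
}

# Every name clients connect to must be in the SAN, or they get a name-mismatch warning.
$domains = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
foreach ($name in $mustCover) {
    if ($domains -notcontains $name.ToLower()) { $problems += "SAN lacks $name" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the issues above before exporting the certificate.'
}

# Export with the private key. The password protects the .pfx; keep the file somewhere safe
# and delete it from the Edge server once it has been imported.
$password = Read-Host -AsSecureString 'Password to protect the .pfx'
Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true `
    -Path $pfxPath -Password $password
Write-Host "Exported $thumbprint to $pfxPath"
```

The checks run before the export deliberately, so a wrong thumbprint (for example the old certificate that was just replaced) never leaves the Hub server with its private key attached.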

On the Edge server, run the following commands to import the exported certificate and enable it for TLS:

# Import the .pfx (prompting for the export password) and enable it for SMTP only.
Import-ExchangeCertificate -Path "C:\certificates\exported\exchange.mydomain1.com.pfx" -Password:(Get-Credential).password
Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | Enable-ExchangeCertificate -Services SMTP

 

substituting the path, thumbprint appropriately and providing the password that you used. Make sure the pfx file is stored in a safe, secure place. Edge Transport Server will issue a warning like the one below:

Confirm and resubscribe Edge Server

Generate a new Edge Subscription

Confirm the overwrite above and issue the command below to generate a new Edge Subscription file:

# Run on the Edge server; the resulting XML is imported on the Hub Transport server.
New-EdgeSubscription -FileName "c:\EdgeServerSubscription-2009.xml"

Back on the Hub transport server, copy this file to local drive and import using:

# Run on the Hub Transport server; -Site must be the Active Directory site name of the Hub.
New-EdgeSubscription -FileName 'C:\EdgeServerSubscription-2009.xml' -Site 'my-site-name' -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true

Remember to specify the site name correctly in the command above.

If you're using ISA Server, import the certificate into the local computer's Personal store (using MMC and the Certificates snap-in for the local computer). Open the Firewall configuration and, under Toolbox -> Network Objects -> Web Listeners, select the Exchange FBA and OWA listeners, open the Certificates tab and verify that the most recent (correct) certificate is selected. That's it!

Credit where it's due:

Exchange 2007, lessons learnt

Renewing Self signed Certificate

Exchange 2007 Certificates: Real world scenario

And yeah, I don't expect any comments for this post, although I'd welcome and love them!

Comments & Discussions

  • Jamie Gellar Wednesday, December 09, 2009 at 8:16 AM
    UCC SSL
    One of our subsidiaries has recently been involved in Unified Communications Certificates (UCC SSL) with SSL247, to unite all site domains under the one certificate with GoDaddy as the digital signature, which works fantastically well. This blog has a really good read to it. Thanks for sharing!

  • Chris Saturday, June 25, 2011 at 9:46 AM

    what if you are not using an edge server and its all on one box? Just skip the edge part?

    • Subodh Saturday, June 25, 2011 at 10:31 AM

      Yes, in which case you can just skip the edge server certificate import.

Copyright © 1995-2009 Subodh Shakya. All rights reserved.