A proof of how quickly time flies asserts itself around this time of the year when it is time to renew the SSL certificate used for SMTP, POP and IMAP services on Exchange Server 2007. It is surprising however that the documentation on how to do so is still scarce and hard to come by, nearly 3 years since I embarked on the original installation. What is more intriguing however -- I end up doing the same mistakes every year. This time, I’m going to document the whole process.
Here’s how to use GoDaddy’s SSL certificates with Exchange Server 2007 and ISA Server 2006.
In the examples below, I am using Godaddy’s SSL certificates. This may be easily switched with another secure certificate provider.
What is a UCC Certificate?
Unified Communications Certificates allow an Exchange administrator extensive control over the Subject Alternative Name field so that as few or as many host names as are needed can be secured with just one SSL certificate. If a traditional SSL certificate were to be used for each one of the roles required for Exchange Server 2007, the cost could be not just prohibitive but the administration and installation/maintenance of such a system would be a logistical nightmare.
Why GoDaddy UCC Certificate?
I’ve tried many combinations. From Thawte, Digicert, Entrust to Godaddy. Your mileage may vary but for the right balance between cost, time invested, ease of use and acceptability between various browsers and clients, Godaddy seemed to work best (for me at least) unless you’re ready to shell out loads of $$$.
Which Exchange 2007 services can be can be secured with just one UCC Certificate?
Secure POP, Secure IMAP, Outlook Web Access (OWA), SMTP, Autodiscovery, ActiveSync and Outlook Anywhere can all be secured with just one certificate. This of course does not mean the IP addresses have to be different or same; There is no such restriction. Even the domain names (or subdomains) do not need to belong to one domain. Following are some valid examples :
Getting things in order before requesting a Certificate (New or renewal)
Irrespective of which certificate provider you use, there are a few things that need to be in place before a certificate request can be made.
1. Common Name
Common name aka Organization name is by far the most important part of a certificate. Who is the certificate issued to? Unlike an in-house Enterprise CA, you’d want to choose the real name of your organization or entity. An example I can cite here: answer yourself this simple question; Who owns the domain?
2. Getting the domains right
The best approach to get all the right domains in is; Get the publicly visible domain as the principle (first) domain name and all other service aliases (FQDNs) next. Also include the hostname used on local intranet and you’d be saving tons of headaches later on.
3. Get the edge server domain name included, if possible
This is optional. If you do not run out of the domain limit, get the FQDN of your edge server included in the certificate request. If not, you can use an Enterprise CA from within your org to secure the communication.
4. Get the paperwork right
If you’re setting up for a registered legal entity, make sure your organization’s identity can be verified. If you’re a registrant of the domain, you would need to take off the domain privacy at least until the domain verification process can be completed. The admin contact on all the domain(s) included with the certificate request need to respond quickly and provide proof of legal existence, ownership and control.
5. Always begin the request at the Hub Transport Server
Underline this. The request must be made via the Exchange Management Shell on the Hub transport server. A lot of articles suggest using IIS to generate this request. Let me tell you otherwise. NO. It has to be the Hub transport server or you’d be dealing with nightmares (which of course can fixed) for a long time to come. Also remember the private key is stored on the machine that requests it unless you export it.
Requesting the Certificate
If you’re requesting a fresh certificate, Exchange Shell command would look something like …
New-ExchangeCertificate -DomainName exchange.mydomain1.com, edge.mydomain1.com, mydomain2.com
-FriendlyName MyOrgSecureCert -GenerateRequest:$True -Keysize 2048
-path c:\certificates\2009\request.req -privatekeyExportable:$true
-subjectName "c=us, o=FirstName LastName or origanization name, CN=mydomain1.com"
For a renewal, its even simpler. All you need is the thumbprint of the previous certificate. See the example below:
1: Get-ExchangeCertificate | List
2: Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | fl
3: Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | New-ExchangeCertificate
-GenerateRequest -Path C:\certificates\2009\request.req -PrivateKeyExportable $true
In the example above, substitute with the actual thumbprint of the certificate you’re renewing.
Once the above request(s) are complete, copy paste the CSR contents of the file onto Godaddy’s Certificate manager (request certificate interface).
Complete the wizard and the domain access verification procedure. Once your certificate is issued, login to your control panel and download the certificate
Import the certificate and Enable Services
On the Hub Transport server (we generated the CSR request on the Hub Transport), expand the downloaded zip file and import the .crt file and enable it for services using:
1: Import-ExchangeCertificate -Path "C:\certificates\2009\exchange.mydomain1.crt" |
2: Enable-ExchangeCertificate -Services IMAP, POP, IIS, SMTP
Answer ‘YES’ to the overwrite existing certificate warning if you are renewing. The Hub transport role is now setup.
One the same machine, start MMC, Add remove snapin, Certificates, Local machine and select the just imported certificate, choose Export and remember to export the private key. Use a strong password to encrypt
On the Edge Server, run the following commands to import and enable the newly created certificate for TLS
1: Import-ExchangeCertificate -Path "C:\certificates\exported\exchange.mydomain1.com.pfx" -Password:(Get-Credential).password
2: Get-ExchangeCertificate -Thumbprint "3AAC135B5C5EE6AA5A95991FAC3353AE7019E799" | Enable-ExchangeCertificate -Services SMTP
substituting the path, thumbprint appropriately and providing the password that you used. Make sure the pfx file is stored in a safe, secure place. Edge Transport Server will issue a warning like the one below:
Generate a new Edge Subscription
Confirm the overwrite above and issue the command below for generating a new Edge Subscription file
1: New-EdgeSubscription -FileName "c:\EdgeServerSubscription-2009.xml"
Back on the Hub transport server, copy this file to local drive and import using:
1: New-EdgeSubscription -FileName 'C:\EdgeServerSubscription-2009.xml' -Site 'my-site-name' -CreateInternetSendConnector $true
2: -CreateInboundSendConnector $true
Remember to specify Sitename correctly in the command above.
That’s it. This completes the certificate setup.
If you’re using ISA server, import the certificates to (using MMC->Add remove Certificates snapin for local computer) Personal Store. Open up Firewall configuration and in the Toolbox-> Network Objects-> Web Listeners, select the Exchange FBA and OWA listeners, choose the certificates tab and verify that the most recent/correct certificate is selected. That’s it!
Credit where its due:
Exchange 2007, lessons learnt
Renewing Self signed Certificate
Exchange 2007 Certificates: Real world scenario
And yeah I don’t expect any comments for this post although I’d welcome and love them!