Configuring Certificates for Client Access in Exchange Server 2016
After installation of Exchange Server 2016, it generates a self-signed SSL certificate that includes the name of the server. The self-signed is not suitable for production use because clients do not trust it. You need to replace this self-signed certificate with a valid SSL certificate from a public certificate authority (CA). When you create the certificate request, you need to ensure that it contains only names that can be resolved on the Internet so that a public CA can issue the certificate. After you obtain the certificate, you need to assign services to it. Here, you are installing Active Directory Certificate Services (AD CS) on Windows Server 2012 R2 for the testing purposed.
Viewing Self-signed Certificates in the Exchange Admin Center:
An Exchange Administrator can view existing certificates in the Exchange admin center. This helps the administrator to get the information about currently installed certificates whether they are self-signed, private or public certificates; when the certificates will expire and other certificate status information. Do the following steps to view the existing certificates in the Exchange Administration Center:
1. On KTM-EX1, Open Exchange Admin Center (EAC) with the URL https://mail.msserverpro.com/ecp, and sign in as Msserverpro\administrator where KTM-EX1 is the name of the Exchange Server 2016.
2. In the left navigation pane, click Servers and click the Certificates tab, which results in a view similar to the one shown below:
Installing Active Directory Certificate Services on Windows Server 2012 R2:
For the testing of CA certificate for client access service, you install Active Directory Certificate Service on Exchange Server 2016 which is not recommended in production environment.
1. Log On to KTM-EX1 as Msserverpro\administrator. Open the Server Manager, click Add roles and features.
2. On the Before You Begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Active Directory Certificate Services.
6. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected already, and then select Certification Authority Web Enrollment. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, after installation is successful, click Close.
Configure Certificate Services:
1. In the Server Manager, Click the Yellow icon and then Click the text Configure Active Directory Certificate Services on the destination server.
2. In the AD CS Configuration Wizard, on the Credentials page, click Next.
3. On the Role Services page, select both Certification Authority and Certification Authority Web Enrollment, and then click Next.
4. On the Setup Type page, select Enterprise CA, and then click Next.
5. On the CA Type page, click Root CA, and then click Next.
6. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
7. On the Cryptography for CA page, keep the default selections, and then click Next.
8. On the CA Name page, in the Common name for this CA box, click Next.
9. On the Validity Period page, change to 5 to 10 years and then click Next.
10. On the CA Database page, click Next.
11. On the Confirmation page, click Configure.
12. On the Results page, click Close.
Creating a shared network folder:
In order to save Exchange Server certreq.req file, you have to create network share folder with appropriate permissions. You can create share folder on file server or local to Exchange Server.
Do the following step to create shared folder with necessary permissions. Here, I have given Everyone Group to Full Control which is not recommend in production environment. But this folder is temporary till the CA configuration for the Exchange Server. After the configuration finished you can stop the Exchange share folder.
Do the following steps to create shared folder with permissions:
1. Create a new folder and name it ExchangeShare.
2. Right-click on the folder and select Properties.
3. Click on Sharing Tab, and then click Advance Sharing.
4. Click on Share this folder, click Permissions Tab and add the Everyone Group to Full Control.
5. Click OK.
Create Exchange Certificate Request:
1. On KTM-EX1, in the Exchange admin center, in the left navigation pane, click servers and click the certificates.
2. In the Select server box, if necessary, select KTM-EX1.msserverpro.com and then click New.
3. In the new Exchange certificate window, click Create a request for a certificate from a certification authority, and then click Next.
4. In the Friendly name for this certificate box, type mail.msserverpro.com and then click Next.
5. On the page containing the request for a wildcard certificate, do not make any changes, and click Next.
6. Click Browse.
7. In the Select a Server window, click KTM-EX1, and then click OK.
8. Click Next.
9. Review the list of domains and click Next.
10. In the list of names, click KTM-EX1 and click Remove.
11. Click msserverpro.com and then click Remove. In the new Exchange certificate window, click Next.
12. On the next page, fill in the fields as follows:
- Organization name: MSSERVERPRO, KIRTIPUR
- Department name: IT
- City/Locality: KTM
- State/Province: Bagmati
- Country/Region name: Nepal
13. Click Next.
14. On the next page, type \\KTM-EX1\ExchangeShare\certreq.req, and click Finish.
Submit Exchange Server Certificate Requests and Download Certificate:
1.Right Click On req select Open with click Notepad.
2. In Notepad, press Ctrl+A, and then press Ctrl+C.
3. Close Notepad.
4. On the Certificate Issued page, click Download certificate.In Internet Explorer, open a new tab. In the address bar, type http://ktm-ex1/certsrv and press Enter. On the Welcome page, click Request a certificate.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced certificate request page, click Submit a certificate request by using a base-64- encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.
7. On the Submit a Certificate Request or Renewal Request page, in the Saved Request box, press Ctrl+V. In the Certificate Template box, choose Web Server and then click Submit.
8. On the Web Access Confirmation dialog box, click Yes.
9. On the Certificate Issued page, click Download certificate.
10. When prompted, to open or save certnew.cer, click Save > Save As, Type the file name and click Save.
11.In the left navigation pane, click Servers and click the Certificates tab, click mail.msserverpro.com and then click Complete in the details pane on the right.
12. In the complete pending request windows, in the File to import from box, specify the UNC path to file that was generated from the CA, type, \\KTM-EX1\ExchangeShare\ktmcertnew.cer and click OK.
Assigning the Certificates to Services:
With the certificate request completed, the next step is to associate Exchange Services to the certificate, such as IIS and SMTP, and so on. Do the following process:
1. Verify the msserverpro.com certificate STATUS is Valid.
2. In Exchange admin center, click on mail.msservepro.com and then click on Edit Toolbar.
3. In the mail.msservepror.com windows, click services. Select the SMTP and IIS check boxes, and click Save.
4. In the Warning windows, click Yes.
5. In the Select server list, click KTM-EX1.msserverpro.com, In the List view click on mail.msserverpro.com, in the Details pane verify Assigned to services to IIS and SMTP.
Verity that the certificate is in use:
1. On KTM-EX1, Open Internet Explorer. In the address bar, type https://mail.msserverpro.com/owa, and press Enter. In the address bar, click the lock icon and click View certificates. Verity that the Certificate status: This certificate is OK.
Finally, we have successfully Installed and Configured certificates in Exchange Server 2016 using Windows Server 2012 R2 Internal CA ( Certificate Authority). I hope this article will help you configure certificates with Exchange Server 2016. However, using third party SSL certificates is highly recommended. Because third party SSL certificates are auto trusted by any Web Browser, users will not get annoying warning messages when accessing Outlook Web App from the Internet.