Configuring Certificates in Exchange Server 2010
In many organizations, Exchange web mail is used with the default self-signed certificate, which is not recommended. A self-signed certificate is a certificate issued by the computer itself. Such certificates are not trusted by default, so users get the annoying warning “There is a problem with this website’s security certificate. Continue to this website (not recommended).” Apart from this, the Outlook Anywhere service will not work with self-signed certificates. To fix this certificate issue, we have to use either an internal CA server or a third-party SSL certificate. I can recommend Go Daddy (www.godaddy.com), where we can get an SSL certificate for less than $50 per year. Third-party SSL certificates are automatically trusted by any web browser, so users will not get annoying warning messages. In this article, I will show you how to configure the Exchange certificate using an internal CA server (not a public CA).
Install the AD CS Server role and configure it as an Enterprise root Certificate Authority (CA)
1. On the KTM-EX01-2K10, Open Server Manager.
2. On the Server Manager console pane, right-click Roles, and then click Add Roles. The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, under Roles, select the Active Directory Certificate Services check box, and then click Next.
5. On the Introduction to Active Directory Certificate Services page, click Next.
6. On the Select Role Services page, ensure that the Certification Authority check box is selected, select the Certification Authority Web Enrollment check box, and then click Next.
7. On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next.
8. On the Specify CA Type page, ensure that Root is selected, and then click Next.
9. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
10. On the Configure Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, and ensure that the Key character length is set to 2048. Click Next to continue.
11. On the Configure CA Name page, in the Common name for this CA box, type MSserverproCA, and then click Next.
12. On the Set Validity Period page, click Next.
13. On the Configure Certificate Database page, click Next.
14. On the Web Server (IIS) page, click Next.
15. On Select Role Services page, click Next.
16. On the Confirm Installation Selections page, click Install. The Installation Progress page appears.
17. On the Installation Results page, click Close.
Now we are going to Configure Exchange Server Certificate:
Prepare a Server Certificate request:
1. In the left pane, click Server Configuration. In the result pane, click KTM-EX01-2K10.
2. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard.
3. On the Introduction page, type MSSERVERPRO Mail Certificate as a friendly name for the certificate, and then click Next.
4. On the Domain Scope page, click Next.
5. On the Exchange Configuration page, expand Client Access Server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes, type mail.msserverpro.com in the text box.
6. Expand Client Access server (Exchange ActiveSync), and then verify that the Exchange Active Sync is enabled check box is selected and that mail.msserverpro.com is the External host name for your organization. Then ensure that both the Autodiscover used on the Internet check box and the Long URL option are selected, and click Next. In the Autodiscover URL to use field, delete all entries except for autodiscover.msserverpro.com, and then click Next.
7. On the Certificate Domains page, click Next.
8. On the Organization and Location page, enter the following information, click Browse, type CertificateRequest as the File name, and then click Save. Click Next.
9. Click New and then click Finish.
Request the certificate from the CA:
1. Open CertificateRequest.req with Notepad. In the Notepad window, press Ctrl+A to select all the text, and then press Ctrl+C to copy.
2. Open Internet Explorer and connect to https://ktm-ex01-2k10.msserverpro.com/certsrv. Click Continue to this website (not recommended).
3. Log on as Administrator using password of *******
4. On the Welcome page, click Request a certificate.
5. On the Request a Certificate page, click advanced certificate request.
6. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.
7. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request information into the field. In the Certificate Template drop-down list box, click Web Server, and then click Submit.
8. On the Web Access Confirmation dialog box, click Yes.
9. On the Certificate Issued page, click Download certificate.
10. In the File Download dialog box, click Save.
11. In the Save As dialog box, click Save.
12. In the Download Complete dialog box, click Open.
13. In the Certificate dialog box, on the Certification Path tab, verify the Certificate status, and then click OK.
Import and assign the IIS Exchange Service to the New Certificate:
1. In the Exchange Management console, click Server Configuration.
2. Click MSSERVERPRO Mail Certificate, and in the Actions pane, click Complete Pending Request.
3. On the Complete Pending Request page, click Browse. Click certnew.cer and click Open. Click Complete.
4. On the Completion page, click Finish.
5. In the Exchange Management console, click Server Configuration. In the results pane, click KTM-EX01-2K8. In the bottom pane, click MSSERVERPRO Mail Certificate. In the Actions pane, click Assign Services to Certificate.
6. On the Select Servers page, verify that KTM-EX01-2K8 is listed, and then click Next.
7. On the Select Services page, select the Internet Information Services check box, click Next.
8. On the Assign Services page, Click Assign.
9. On the Completion page, click Finish.
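The same request, issue, import and assign sequence can be run from the Exchange Management Shell. This is an added example, not part of the original article: the C:\Certs folder, the subject name CN=mail.msserverpro.com and the two-name SAN list are assumptions, while the host names, the CA name and the Web Server template come from the steps above.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell
# on the Exchange server. C:\Certs is an assumed working folder.
$dir = 'C:\Certs'
$req = Join-Path $dir 'CertificateRequest.req'
$cer = Join-Path $dir 'certnew.cer'

# 1. Create the pending request: 2048-bit key, both host names as SANs.
#    The subject name is an assumption; the wizard builds it from the
#    Organization and Location page.
$data = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'MSSERVERPRO Mail Certificate' `
    -SubjectName 'CN=mail.msserverpro.com' `
    -DomainName 'mail.msserverpro.com', 'autodiscover.msserverpro.com' `
    -KeySize 2048
Set-Content -Path $req -Value $data

# 2. Submit it to the Enterprise CA with the Web Server template.
#    The -config value is "<CA host>\<CA common name>" as used in the article.
certreq.exe -submit -config 'ktm-ex01-2k10.msserverpro.com\MSserverproCA' `
    -attrib 'CertificateTemplate:WebServer' $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Complete the pending request with the issued certificate.
$bytes = [byte[]](Get-Content -Path $cer -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $bytes

# 4. Refuse to bind a certificate that is self-signed, lacks its private key,
#    or is missing one of the host names clients will connect to.
$names = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @('mail.msserverpro.com', 'autodiscover.msserverpro.com' |
    Where-Object { $names -notcontains $_ })
if ($cert.IsSelfSigned -or -not $cert.HasPrivateKey -or $missing.Count -gt 0) {
    throw "Not binding $($cert.Thumbprint): missing names [$($missing -join ', ')]"
}

# 5. Bind the certificate to IIS (OWA, ActiveSync, Autodiscover) and show it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, Status, NotAfter
```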
Verify the Outlook Web Access:
1. On the client computer, open Internet Explorer, type https://mail.msserverpro.com/owa and press Enter.
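The browser check can be backed by a scripted one that reports which certificate the server presents and whether this client trusts it. This is an added example, not part of the original article; the function name Test-OwaCertificate is illustrative, and the host names are the ones used above.

```powershell
# Added example (not from the article); the function name is illustrative.
# Run on a client PC. Uses the default .NET validation, so it fails when the
# issuing CA is not trusted by this machine or the host name is not covered.
function Test-OwaCertificate {
    param([string]$HostName = 'mail.msserverpro.com', [int]$Port = 443)

    $result = @{ HostName = $HostName; Trusted = $false; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName)   # throws on chain or name errors

        # Convert to X509Certificate2 to read extensions and dates.
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

        $result.Trusted    = $true
        $result.Subject    = $c.Subject
        $result.Issuer     = $c.Issuer
        $result.SelfSigned = ($c.Subject -eq $c.Issuer)
        $result.NotAfter   = $c.NotAfter
        $result.SubjectAltNames = if ($san) { $san.Format($false) } else { '(none)' }
    }
    catch {
        # Connection, name-mismatch and untrusted-chain failures all land here.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $tcp.Close()
    }
    New-Object PSObject -Property $result
}

Test-OwaCertificate | Format-List
Test-OwaCertificate -HostName 'autodiscover.msserverpro.com' | Format-List
```

A result with Trusted set to False on a machine outside the domain usually means the MSserverproCA root certificate has not been added to that machine's Trusted Root Certification Authorities store.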
Finally, we have successfully installed and configured certificates in Exchange Server 2010 using an internal CA (Certificate Authority). I hope this article will help you configure certificates with Exchange 2010. However, using third-party SSL certificates is highly recommended, because third-party SSL certificates are automatically trusted by any web browser, so users will not get annoying warning messages when accessing OWA from the Internet.
Thank You Sir this post is useful to me.
Very Informative post. Really help me out.