How to install an SSL certificate backup file on Exchange 2007 and still have time for Facebook
The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007 is to order a SAN (Subject Alternative Name) certificate with AutoCSR. This means you don't have to create a CSR; instead you get a certificate backup file (PKCS#12, also called P12 or PFX) that contains the certificate together with its private key. You also save time with the SAN because you only use one certificate for all services and can move services from one domain name in the certificate to another with no problems.
Make sure you get a SAN certificate that includes the full domain name(s) you use to access Outlook Web Access, Outlook Anywhere and Autodiscover, plus any internal server names using the certificate (usually free).
The certificate you order should contain something like this:
- mail.sole.dk and/or owa.sole.dk – for Outlook Web Access
- autodiscover.sole.dk and any other e-mail domain you use with Autodiscover/OA.
- MYSERVER01 and MyServer01.domain.local – and any other internal server name that will be using the certificate
Personally I set up servers to respond only to OWA and ActiveSync on the mail./owa. domain, and put all other services, like Outlook Anywhere, on the autodiscover. address. This way I can use Forms Based Authentication/Basic with my OWA/ActiveSync website, and NTLM with my other services. You can see more information about this in my previous blog posts. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyway and might help, why not add them? And if security is so much of an issue that internal server names must not be revealed, you have other, much bigger problems anyway.
Now some simple commands to manipulate Exchange 2007 SSL certificates. (Stolen from the Danish Exchange 2007 guide on FairSSL; I co-authored the manual.)
Import and Activate SSL Certificate backup file in 3 easy steps.
- Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
- Run this command: Import-ExchangeCertificate -Path c:\certificates\mycert.pfx -Password (Read-Host "Password" -AsSecureString) | Enable-ExchangeCertificate -Services IIS, IMAP, SMTP, POP, UM, None
(Make sure you edit the path to your certificate backup file (.pfx or .p12) and the services you do or don't want the certificate activated on.)
- After you run this command, you will be prompted to enter the certificate backup file password that either you or your certificate issuer put on the backup file.
List installed SSL certificates
- Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
- Run this command: Get-ExchangeCertificate
- For more information about the certificates, run this command: Get-ExchangeCertificate | fl
Export an installed SSL certificate
- Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
- Use the listing of certificates to copy the thumbprint for the certificate you want to export.
- Run this command: Export-ExchangeCertificate -Thumbprint PasteThumbprintHere -Path c:\certificates\mycert.pfx -Password (Read-Host "Password" -AsSecureString)
(Remember to edit the path and thumbprint.)
- After you run this command, you will be prompted to input the password that will protect your SSL certificate backup file.
Activate installed certificate for Exchange 2007 service
- Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
- Use the listing of certificates to copy the thumbprint for the certificate you want to activate.
- Run this command: Enable-ExchangeCertificate -Thumbprint PasteThumbprintHere -Services IIS, IMAP, SMTP, POP, UM, None
(Remember to edit the thumbprint and the services you want this certificate used for.)
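A check to run after importing and activating, written as an added example that is not part of the original post or the FairSSL guide: it confirms that a certificate carries the names listed at the top of this post, has its private key, is not about to expire and is enabled for the services you expect. The function name Test-ExchangeCertCoverage and the sample object are made up for illustration; the property names are the ones shown by Get-ExchangeCertificate | fl.

```powershell
# Added example (not from the original post). Returns a list of problems
# found on one certificate object, or nothing if all checks pass.
function Test-ExchangeCertCoverage {
    param(
        $Certificate,                 # one object from Get-ExchangeCertificate
        [string[]]$RequiredNames,     # host names clients will connect to
        [string[]]$RequiredServices,  # e.g. 'IIS', 'SMTP'
        [int]$MinDaysLeft = 30
    )
    $problems = @()

    # Names on the certificate, compared case-insensitively.
    $names = @($Certificate.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($n in $RequiredNames) {
        if ($names -notcontains $n.ToLower()) { $problems += "missing name: $n" }
    }

    # Without the private key the server cannot use the certificate for TLS.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    $daysLeft = ($Certificate.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $MinDaysLeft) { $problems += "expires in $daysLeft days" }

    # Services prints as a comma-separated list such as "IIS, SMTP".
    $enabled = @($Certificate.Services.ToString().Split(',') | ForEach-Object { $_.Trim() })
    foreach ($s in $RequiredServices) {
        if ($enabled -notcontains $s) { $problems += "not enabled for: $s" }
    }
    $problems
}

# Constructed sample standing in for a Get-ExchangeCertificate result.
$sample = New-Object PSObject
$sample | Add-Member -MemberType NoteProperty -Name CertificateDomains -Value @('mail.sole.dk', 'MYSERVER01')
$sample | Add-Member -MemberType NoteProperty -Name HasPrivateKey -Value $true
$sample | Add-Member -MemberType NoteProperty -Name NotAfter -Value (Get-Date).AddDays(400)
$sample | Add-Member -MemberType NoteProperty -Name Services -Value 'IIS, SMTP'

Test-ExchangeCertCoverage -Certificate $sample `
    -RequiredNames 'mail.sole.dk', 'autodiscover.sole.dk', 'MyServer01.domain.local' `
    -RequiredServices 'IIS', 'SMTP', 'IMAP'

# On the Exchange server, pass the real object instead of $sample:
# Get-ExchangeCertificate -Thumbprint PasteThumbprintHere |
#     ForEach-Object { Test-ExchangeCertCoverage -Certificate $_ -RequiredNames 'mail.sole.dk' -RequiredServices 'IIS' }
```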
