How to install an SSL certificate backup file on Exchange 2007 and still have time for Facebook

The easiest way (I love easy!) to order and install an SSL certificate on Exchange 2007 is to order a SAN (Subject Alternative Name) certificate with AutoCSR, meaning you don't have to create a CSR but instead receive a certificate backup file (PKCS#12, .p12 or .pfx) that already contains the private key. The trade-off is that the CA generated the key pair for you, so the private key has existed outside your server; treat the backup file and its password as the secret they are. You also save time with the SAN certificate because you use one certificate for all services and can move services from one name to another within the certificate with no problems.

Make sure the SAN certificate includes every full domain name you use to reach Outlook Web Access, Outlook Anywhere and Autodiscover, plus any internal server names that will use the certificate (the internal names are usually free).

The certificate you order should contain something like this:

  • mail.sole.dk and/or owa.sole.dk – for Outlook Web Access
  • autodiscover.sole.dk and any other e-mail domain you use with Autodiscover/OA.
  • MYSERVER01 and MyServer01.domain.local – and any other internal servername that will be using the certificate

Personally I set up servers to respond only to OWA and ActiveSync on the mail./owa. name, and put all other services (Outlook Anywhere etc.) on the autodiscover. name; this way I can use Forms Based Authentication/Basic on the OWA/ActiveSync website and NTLM for the other services. You can see more information about this in my previous blogs here. Some people argue for and against having internal server names in the certificate, but I figure if they are free anyway and might help, why not add them; and if security is such an issue that internal server names must not be revealed, you have other, much bigger problems anyway. (One caveat that matters today: publicly trusted CAs stopped issuing certificates for internal names such as MYSERVER01 or anything under .local in 2015, so those names now need a certificate from your own internal CA, or the internal services must be reachable under a public name.)

Now some simple commands to manipulate Exchange 2007 SSL certificates. (Stolen from the Danish Exchange 2007 guide on FairSSL; I co-authored the manual.)

Import and activate an SSL certificate backup file in 3 easy steps

  1. Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
  2. Run this command: Import-ExchangeCertificate -Path c:\certificates\mycert.pfx -Password (Read-Host "Password" -AsSecureString) | Enable-ExchangeCertificate -Services IIS,IMAP,SMTP,POP,UM
    (Edit the path to your certificate backup file (.pfx or .p12) and list only the services you want the certificate activated on. The valid values are IIS, IMAP, POP, SMTP, UM and None; None is a value on its own, not something to add to the list. IIS is the one OWA, ActiveSync, Outlook Anywhere and Autodiscover use.)
  3. After you run this command, you will be prompted for the certificate backup file password that either you or your certificate issuer put on the backup file. Once the import succeeds the private key lives in the server's certificate store, so move the backup file off the server to secure storage or delete it; a loose .pfx on disk is just another copy of the key to steal.
List SSL certificates installed in Exchange 2007

  1. Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
  2. Run this command: Get-ExchangeCertificate
  3. For more information about the certificates (thumbprint, subject, SAN names, enabled services, chain status and expiry), run this command: Get-ExchangeCertificate | fl

Export an installed SSL certificate

  1. Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
  2. Use the listing of certificates to copy the thumbprint for the certificate you want to export.
  3. Run this command: Export-ExchangeCertificate -Thumbprint PasteThumbprintHere -Path c:\certificates\mycert.pfx -Password (Read-Host "Password" -AsSecureString)
    (Remember to edit the path and thumbprint.)
  4. After you run this command, you will be prompted for the password to protect your SSL certificate backup file with. The exported file contains the private key, so it is exactly as sensitive as the key itself: use a strong password and store the file offline, not on the web server.

Activate installed certificate for Exchange 2007 service

  1. Open an Exchange Management Shell by right clicking the link and selecting “Run As Administrator”, make sure you use an account that is a member of the groups “Exchange Administrators” and “Administrators” on the local server.
  2. Use the listing of certificates to copy the thumbprint for the certificate you want to activate.
  3. Run this command: Enable-ExchangeCertificate -Thumbprint PasteThumbprintHere -Services IIS,IMAP,SMTP,POP,UM
    (Remember to edit the thumbprint and list only the services you want this certificate used for; the valid values are IIS, IMAP, POP, SMTP, UM and None. Run Get-ExchangeCertificate afterwards to confirm the Services column shows what you expect.)
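The four procedures above strung together as one script, with the checks I would want before binding a certificate to live services. This is an added example, not code from the original post or from the FairSSL guide; the file paths, the list of expected names and the service list are assumptions you edit for your own server, and it uses the Exchange 2007 parameter set (-Path on Import/Export-ExchangeCertificate), which later Exchange versions changed.

```powershell
# Added example: import, check, bind, verify and re-export an SSL certificate
# backup file on an Exchange 2007 Client Access server. Run in an Exchange
# Management Shell started with "Run As Administrator".
# Everything in this first block is an assumption: edit it for your server.
$PfxPath       = 'C:\certificates\mycert.pfx'         # backup file from the CA (contains the private key)
$BackupPath    = 'C:\certificates\mycert-backup.pfx'  # where to write your own export
$Services      = 'IIS,SMTP,POP,IMAP'                  # services to bind; add UM if you use it
$ExpectedNames = @('mail.sole.dk', 'autodiscover.sole.dk',
                   'MYSERVER01', 'myserver01.domain.local')  # names clients and servers will connect to

# Returns the names from $Names that the certificate does NOT cover (empty array = all covered).
function Get-MissingCertificateNames {
    param([string]$Thumbprint, [string[]]$Names)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # CertificateDomains holds domain objects; compare them as lower-case strings
    $covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })
    return @($Names | Where-Object { $covered -notcontains $_.ToLowerInvariant() })
}

# 1. Never hard-code the PFX password in a script: prompt for it as a SecureString.
$pfxPassword = Read-Host 'Password for the certificate backup file' -AsSecureString

# 2. Import. The returned certificate object carries the thumbprint every later cmdlet needs.
$imported   = Import-ExchangeCertificate -Path $PfxPath -Password $pfxPassword
$thumbprint = $imported.Thumbprint
Write-Host "Imported $thumbprint ($($imported.Subject))"

# 3. Check the certificate BEFORE binding it: private key present, chain trusted, not about to expire,
#    and the SAN list covers every name clients will use.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if (-not $cert.HasPrivateKey) {
    Write-Warning 'The imported file had no private key; Exchange cannot serve SSL with it.'
    return
}
if ("$($cert.Status)" -ne 'Valid') {
    Write-Warning "Certificate status is $($cert.Status); the issuing chain is probably not trusted on this server."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
}
$missing = Get-MissingCertificateNames -Thumbprint $thumbprint -Names $ExpectedNames
if ($missing.Count -gt 0) {
    # Binding a certificate that lacks a name gives every client using that name a name-mismatch error.
    Write-Warning "Not binding services: the certificate lacks $($missing -join ', ')"
    return
}

# 4. Bind the services to this thumbprint (IIS covers OWA, ActiveSync, Outlook Anywhere and Autodiscover).
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $Services

# 5. Verify what is actually active now; keep this output with the change record.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, NotAfter

# 6. Take your own backup (it includes the private key: strong password, stored offline), then
#    remove the CA's copy of the PFX from the disk. The key now lives in the machine certificate
#    store, and a loose .pfx is only an extra copy for someone to steal.
Export-ExchangeCertificate -Thumbprint $thumbprint -Path $BackupPath `
    -Password (Read-Host 'Password to protect the new backup file' -AsSecureString)
Remove-Item -Path $PfxPath
```

The name check is the step most people skip: Enable-ExchangeCertificate will happily bind a certificate that is missing autodiscover.sole.dk, and the first you hear of it is Outlook clients complaining about the name on the certificate. Running the check against the installed certificate (rather than trusting the order confirmation) also catches a CA that silently dropped an internal name it would not issue for.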
