The Exchange 2007 Wiki

cascert

How to Generate and Install a Certificate, with Subject Alternative Name entries, for an Exchange 2007 Client Access Server (CAS)

 

Note: The following is one example of how to generate the certificate needed for Exchange ActiveSync, OWA, Outlook Anywhere, and AutoDiscover to work on an Exchange 2007 server.

 


1. Use the New-ExchangeCertificate cmdlet to generate the certificate request (.txt) file that will then be submitted either to your internal CA (certificate authority) or to an external 3rd party CA.


Generic Example: New-ExchangeCertificate -generaterequest:1 -domainname <external FQDN>,autodiscover.<SMTP domain>,<internal FQDN>,<internal Netbios> -privatekeyexportable:1 -path c:\certrequest.txt

 

Note: The first entry after -domainname will be what is put into the "Issued To" property, as well as the top entry in the Subject Alternative Name property.

 

Note:

 

  • The "<external FQDN>" entry is the name that users type in to access OWA and Exchange ActiveSync (ex: mail.contoso.com).

     

  • The "autodiscover.<SMTP domain>" entry is used so that external or non-domain machines can connect to the autodiscover service for Outlook Anywhere connectivity.  The "external SMTP domain" (ex: contoso.com) is the part after the @ symbol of a user's SMTP address (ex: user1@contoso.com).  When an Outlook 2007 client connecting via Outlook Anywhere tries to access the autodiscover service, it will first try https://<SMTP domain>/autodiscover/autodiscover.xml.  If this fails, it will try https://autodiscover.<SMTP domain>/autodiscover/autodiscover.xml.  This entry is only necessary if you plan to have Outlook 2007 clients connect via Outlook Anywhere.

     

  • The "<internal FQDN>" and "<internal Netbios>" entries are listed for internal Outlook 2007 access and for CAS-to-CAS proxying.  If the "<external FQDN>" and "<internal FQDN>" names are the same, then the "<internal FQDN>" entry is not necessary.  The PowerShell command will fail if the same entry appears in the list twice.

     

Specific Example: New-ExchangeCertificate -generaterequest:1 -domainname mail.contoso.com,autodiscover.contoso.com,cas01.contoso.local,cas01 -privatekeyexportable:1 -path c:\certrequest.txt

 

Note: In this specific example, the users' e-mail addresses are <user>@contoso.com.

 

2. If the certrequest.txt file is going to be submitted to a 3rd party CA, skip the following steps and go to step 3.
a. Go to the certsrv page of the CA (ex: http://ca-server/certsrv).
b. Choose the "Request a certificate" option.
c. Choose the "advanced certificate request" option.
d. Choose the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 files, or submit a renewal request by using a base-64-encoded PKCS #7 files" option.
e. Open the certrequest.txt file that was generated in step 1.
f. Copy the entire text from the file, and paste it into the text box under the "Saved Request" section.
g. Choose the "Web Server" option from the "Certificate Template" section's dropdown box.
h. Click on the "Submit" button.
i. Click on the "Download certificate" option.
Note: It does not matter whether the "DER encoded" or "Base 64 encoded" option is selected.
j. Save the .cer file to the machine's hard drive (ex: on the c:\ drive as cert_file.cer).

 


3. Use the Import-ExchangeCertificate cmdlet on the CAS server to import the certificate from step 2j (if the request was submitted to an internal CA) or the certificate returned by the 3rd party CA.
a. Run the following command from the PowerShell (Exchange Management Shell) of the CAS server:
ex: Import-ExchangeCertificate -path c:\cert_file.cer
Note: The output of this command shows the thumbprint of the certificate.
b. With "QuickEdit Mode" selected in the properties of the command window, copy the thumbprint value of the certificate that was displayed in the PowerShell window as a result of running the cmdlet in step 3a.

 


4. Use the Enable-ExchangeCertificate cmdlet to enable the certificate for use in IIS.
Enable-ExchangeCertificate -thumbprint <value copied in step 3b> -services iis
Note: This enables IIS to use the certificate, forces SSL to be required on the Default Web Site, and sets 128-bit encryption.
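The following PowerShell wrapper for steps 1, 3 and 4 is an added example and is not part of the original wiki page. It is meant to be run in the Exchange Management Shell on the CAS server; the function names and the sample paths are placeholders, and it relies on the CertificateDomains property that Get-ExchangeCertificate/Import-ExchangeCertificate expose on the returned certificate object. Besides de-duplicating the -domainname list (the cmdlet fails on duplicates), it checks that the certificate the CA actually issued still carries every requested SAN before enabling it for IIS.

```powershell
# Added example, not from the wiki. Run in the Exchange Management Shell on the CAS server.
# Function names and paths are placeholders.

function New-CasCertRequest {
    param(
        [string]$ExternalFqdn,    # e.g. mail.contoso.com (becomes "Issued To" / top SAN entry)
        [string]$SmtpDomain,      # e.g. contoso.com (gives autodiscover.contoso.com)
        [string]$InternalFqdn,    # e.g. cas01.contoso.local
        [string]$InternalNetbios, # e.g. cas01
        [string]$RequestPath = 'c:\certrequest.txt'
    )
    # Order matters: the first name is used as the subject and as the first SAN entry.
    $names = @($ExternalFqdn, "autodiscover.$SmtpDomain", $InternalFqdn, $InternalNetbios)
    # New-ExchangeCertificate fails if a name is listed twice (e.g. when the external and
    # internal FQDN are the same), so drop empty and duplicate entries while keeping the order.
    $domains = @()
    foreach ($n in $names) {
        if ($n -and ($domains -notcontains $n.ToLower())) { $domains += $n.ToLower() }
    }
    New-ExchangeCertificate -GenerateRequest:$true -DomainName $domains `
        -PrivateKeyExportable:$true -Path $RequestPath
    return $domains   # keep this list to verify the issued certificate later
}

function Install-CasCert {
    param(
        [string]$CerPath,           # the .cer returned by the internal CA (step 2j) or 3rd party CA
        [string[]]$ExpectedDomains  # the list returned by New-CasCertRequest
    )
    # Import-ExchangeCertificate returns the certificate object, so the thumbprint
    # does not have to be copied from the console by hand.
    $cert = Import-ExchangeCertificate -Path $CerPath
    # Verify that the CA kept all requested SAN entries. A CA template that drops SANs
    # would otherwise leave ActiveSync/Autodiscover clients with name-mismatch errors.
    $present = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    $missing = $ExpectedDomains | Where-Object { $present -notcontains $_ }
    if ($missing) {
        throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
    }
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Services, CertificateDomains
}

# Usage (constructed values): generate the request, submit it to the CA as in step 2, then:
# $d = New-CasCertRequest -ExternalFqdn mail.contoso.com -SmtpDomain contoso.com -InternalFqdn cas01.contoso.local -InternalNetbios cas01
# Install-CasCert -CerPath c:\cert_file.cer -ExpectedDomains $d
```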

 


5. If the certificate that was created and imported came from an external 3rd party CA, then skip the following steps.  Otherwise, do the following steps to export the CA certificate that allows the device to trust the Windows CA.
Note: The following steps assume that you are only using an enterprise root CA without any subordinates.  If subordinates are used, then their certificates must also be obtained so that they too are trusted by the device.
a. Go to the certsrv page of the CA (ex: http://ca-server/certsrv).
Note: If the CAS server where you imported and enabled the certificate is also your CA, then you must connect to the certsrv page over https, because SSL is now required on the Default Web Site as a result of running the cmdlet in step 4.
b. Choose the "Download a CA certificate, certificate chain, or CRL" option.
c. Choose the "Download CA certificate" option.
d. Save the .cer file to the hard drive (ex: c:\ca_root_cert.cer).
e. Copy the root cert file to the device.

 

f. Double-click on the file and choose to import the certificate.


Last Modified 3/12/07 4:02 PM