

Brad's TechTips - Exchange Server & Outlook

Exchange Server: Obtaining and Verifying SSL certificates in Exchange Server
[I originally wrote this tip in March of 2009 as an article for a SearchExchange.com E-Zine, where it still appears.  This version has been updated to also include procedures for Windows Server 2008.]
SSL certificates are not new. When we buy something online, we frequently see the padlock icon in our browsers. This indicates that we're conducting our transactions over a secure (SSL-enabled) connection that encrypts our data. Much of the functionality and many of the security features built into Microsoft Exchange Server 2003 and Exchange Server 2007 rely on SSL. For example, Outlook Web Access (OWA), Outlook Anywhere, mobile devices and Macintosh computers are already configured to use SSL for basic security and/or functionality. Therefore, understanding SSL concepts and knowing how to actually implement SSL has become a requirement for properly managing your infrastructure.
A trusted certificate is one that a recognized certification authority (CA), such as Verisign, Thawte, GoDaddy and others, has created.  Windows Server includes the Certificate Services component, which creates certificates for use in SSL-enabled applications. These certificates, however, are not considered "trusted" certificates over the Internet.
In OWA, an untrusted certificate will not generally cause any technical problems. However, the browser will display a prompt asking if you really want to trust the certificate before proceeding to the logon screen. This isn't a major issue, but adds another step for users.
Untrusted certificates in other SSL-based applications can require some configuration and troubleshooting by the IT administrator and/or the end-user. For example, it's necessary to import the certificate into the computer's Trusted Certificate Store before Outlook Anywhere will work properly. If you work on the help desk for an organization and your end-users have any difficulties, then this can result in several unwarranted support calls.
To avoid this issue, use only certificates from trusted CAs. Each trusted CA has its own mechanism for verifying an organization's legitimacy before issuing a certificate to you. Ultimately, you must decide which one is the easiest and/or most affordable for your needs.
Let's take a look at three reasons for using GoDaddy as the trusted authority:
  1. GoDaddy's certificates are relatively inexpensive.
  2. GoDaddy allows you to easily create multi-domain certificates. For example, you can issue a single certificate for a Web server that provides pages for YourDomain.com, YourDomain2.com and YourDomain.local.
  3. Most current browsers recognize GoDaddy as a trusted CA.
Personally, the only downside I've found with GoDaddy is that part of its verification process involves automatically generating a message to the primary email address on record at your domain registrar. This won't work if that address is obfuscated. Obviously, you will need to have access to the address, which sometimes can be a problem if you're providing support for another organization and don't have control of the domain.
How to obtain an SSL certificate
You have to follow some specific steps to acquire an SSL certificate. First, you must generate the Certificate Signing Request (CSR), which is simply a text file that contains encrypted information related to your organization and server. One way to create this file is to use the Certificate Creation Wizard in Internet Information Services (IIS). Follow the steps below for your server's operating system:
Windows Server 2003:
  1. Open IIS and right-click on the desired website (typically Default Website).
  2. Select Properties and go into the Directory Security tab.
  3. Near the bottom of that screen, click the Server Certificate button to launch the wizard (Screen 2003-1) and create a new certificate (Screen 2003-2).  In the wizard, make sure you select the option to "Prepare the request now, but send it later" (Screen 2003-3).  Enter all required data (Composite Screen 2003). This lets you create the text file that is the actual CSR.

  4. Sign on to the CA's Web site and order a Web server certificate. Part of this process involves copying and pasting the contents of the previously created CSR. After a verification process, the CA will send you a link to download the actual certificate.
  5. Run through the IIS Wizard again. This second time, there will be an option to complete the certificate process. You will need to browse to the location where you saved the certificate from the CA.
Windows Server 2008:
  1. Open IIS Manager and select the server object in the left pane.
  2. Double-click Server Certificates in the middle pane (Screen 2008-1).
  3. Select the option to create a certificate request in the Action pane (Screen 2008-2).
  4. Once the Request Certificate wizard begins, enter all required data (Composite Screen 2008).  This lets you create the text file that is the actual CSR.
  5. Sign on to the CA's Web site and order a Web server certificate. Part of this process involves copying and pasting the contents of the previously created CSR. After a verification process, the CA will send you a link to download the actual certificate.
  6. Once you have downloaded the certificate file, repeat steps 1 and 2.
  7. Select the option to complete the certificate request in the Action pane and browse to the location where you saved the certificate from the CA.  Provide a "friendly" name for the certificate as well (Screen 2008-3).

Certificates in IIS and Exchange Server

Having a certificate in IIS does not guarantee that Exchange Server will "see" that it is there. There are a few steps you must take to easily manage Exchange Server, especially when helping end users remotely configure Outlook Anywhere (RPC-over-HTTP/S) and when helping mobile users synchronize their devices.
For Exchange Server 2003, bind the certificate to the SMTP server and to IMAP4 and POP3 virtual servers if they are used.  In Exchange System Manager, go into the Properties of each of these items and find the "Access -> Certificate" option. Once the wizard starts, select the option to assign an existing certificate. Select the certificate that you just purchased and complete the wizard.

This process is a bit different for Exchange Server 2007. In Exchange 2007, you must use the Exchange Management Shell (EMS). After starting the EMS:
  1. Use PowerShell to determine the thumbprints of the certificates on the server. Pipe those results to a text file at c:\certs.txt:
    Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
  2. Make note of the thumbprint of the appropriate certificate from the certs.txt file; the examples below use one such thumbprint.
  3. To make the certificate usable from within IIS, paste the thumbprint into the following command (all on a single line):
    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS

    For example:
    Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS
  4. To make the certificate usable from within SMTP, paste the thumbprint into the following command:
    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP
    For example:
    Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services SMTP
  5. Repeat the previous step for POP and IMAP services in addition to SMTP, if desired.
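Putting the Exchange 2007 steps above together, here is an added PowerShell example (not from the original article or from Andy Grogan's blog) that selects the CA-issued certificate covering the external hostname, checks its validity period and trust chain before binding it, and then confirms which services it is bound to. It assumes the Exchange 2007 Management Shell, that Get-ExchangeCertificate returns X509Certificate2-derived objects, and that mail.yourdomain.com is a placeholder for your own external name.

```powershell
# Added example (not from the original article): pick the CA-issued certificate
# for the public hostname, check it before enabling it, then confirm the result.
# Assumption: run inside the Exchange 2007 Management Shell; the hostname below
# is a placeholder for your own external name.
$externalName = "mail.yourdomain.com"
$now = Get-Date

# Candidate certificates: CA-issued (not self-signed), covering the external
# name, and currently within their validity period.
$candidates = Get-ExchangeCertificate | Where-Object {
    (-not $_.IsSelfSigned) -and
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $externalName) -and
    ($_.NotBefore -le $now) -and
    ($_.NotAfter -gt $now)
}

if (-not $candidates) {
    throw "No CA-issued, currently valid certificate for $externalName was found."
}

# Prefer the certificate that expires last (the most recent renewal).
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Build the chain against the server's own trust store. A chain that does not
# validate here is the same chain OWA and Outlook Anywhere clients will reject.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $statuses = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    throw ("Chain for " + $cert.Thumbprint + " does not validate: " +
           [string]::Join(", ", [string[]]$statuses))
}

# Warn well before expiry so renewal happens before users start seeing prompts.
$daysLeft = ($cert.NotAfter - $now).Days
if ($daysLeft -lt 30) {
    Write-Warning ("Certificate " + $cert.Thumbprint + " expires in $daysLeft days.")
}

# Bind the certificate to IIS and SMTP in one call (add POP,IMAP if those
# services are used), then display the services it is now assigned to.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
```

The final Format-List output is the quick check that the Services column now lists IIS and SMTP for the thumbprint you expected.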

After completing these steps, your certificate should be installed and usable. Additionally, your users should be able to access various Exchange Server features without additional SSL prompts or warnings.
The Exchange Server 2007 PowerShell syntax was adapted from an article at Andy Grogan's blog.