
Brad's TechTips - Exchange Server & Outlook
Exchange Server: Obtaining and Verifying SSL certificates in Exchange Server
[I originally wrote this tip in March of 2009 as an article for a SearchExchange.com E-Zine, where it still appears. This version has been updated to also include procedures for Windows Server 2008.]
SSL certificates are not new. When we buy something online, we frequently see the padlock icon in our browsers. This indicates that we're conducting our transactions over a secure (SSL-enabled) connection that encrypts our data. Much of the functionality and many of the security features built into Microsoft Exchange Server 2003 and Exchange Server 2007 rely on SSL. For example, Outlook Web Access (OWA), Outlook Anywhere, mobile devices and Macintosh computers are already configured to use SSL for basic security and/or functionality. Therefore, having knowledge of SSL concepts as well as the method to actually implement SSL has become a requirement for properly managing your infrastructure.
A trusted certificate is one that a recognized certification authority (CA), such as Verisign, Thawte, GoDaddy and others, has created. Windows Server includes the Certificate Services component, which creates certificates for use in SSL-enabled applications. These certificates, however, are not considered "trusted" certificates over the Internet.
In OWA, an untrusted certificate will not generally cause any technical problems. However, the browser will display a prompt asking if you really want to trust the certificate before proceeding to the logon screen. This isn't a major issue, but adds another step for users.
Untrusted certificates in other SSL-based applications can require some configuration and troubleshooting by the IT administrator and/or the end-user. For example, it's necessary to import the certificate into the computer's Trusted Certificate Store before Outlook Anywhere will work properly. If you work on the help desk for an organization and your end-users have any difficulties, then this can result in several unwarranted support calls.
To avoid this issue, use only certificates issued by trusted CAs. Each trusted CA has its own mechanism for verifying an organization's legitimacy before issuing a certificate to you. Ultimately, you must decide which one is the easiest and/or most affordable for your needs.
Let's take a look at three reasons for using GoDaddy as the trusted authority:
- GoDaddy's certificates are relatively inexpensive.
- GoDaddy allows you to easily create multi-domain certificates. For example, you can issue a single certificate for a Web server that provides pages for YourDomain.com, YourDomain2.com and YourDomain.local.
- Most current browsers recognize GoDaddy as a trusted CA.
How to obtain an SSL certificate
You have to follow some specific steps to acquire an SSL certificate. First, you must generate the Certificate Signing Request (CSR), which is simply a text file that contains encrypted information related to your organization and server. One way to create this file is to use the Certificate Creation Wizard in Internet Information Services (IIS). Follow the steps below for your server's operating system:
Windows Server 2003:
- Open IIS and right-click on the desired website (typically Default Website).
- Select Properties and go into the Directory Security tab.
- Near the bottom of that screen, click the Server Certificate button to launch the wizard (Screen 2003-1) and create a new certificate (Screen 2003-2). In the wizard, make sure you select the option to "Prepare the request now, but send it later" (Screen 2003-3). Enter all required data (Composite Screen 2003). This lets you create the text file that is the actual CSR.
- Sign on to the CA's Web site and order a Web server certificate. Part of this process involves copying and pasting the contents of the previously created CSR. After a verification process, the CA will send you a link to download the actual certificate.
- Run through the IIS Wizard again. This second time, there will be an option to complete the certificate process. You will need to browse to the location where you saved the certificate from the CA.
Windows Server 2008:
- Open IIS Manager and select the server object in the left pane.
- Double-click Server Certificates in the middle pane (Screen 2008-1).
- Select the option to create a certificate request in the Action pane (Screen 2008-2).
- Once the Request Certificate wizard begins, enter all required data (Composite Screen 2008). This lets you create the text file that is the actual CSR.
- Sign on to the CA's Web site and order a Web server certificate. Part of this process involves copying and pasting the contents of the previously created CSR. After a verification process, the CA will send you a link to download the actual certificate.
- Once you have downloaded the certificate file, repeat steps 1 and 2.
- Select the option to complete the certificate request in the Action pane and browse to the location where you saved the certificate from the CA. Provide a "friendly" name for the certificate as well (Screen 2008-3).
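The IIS wizard above produces the CSR interactively. As an added example (not part of the original tip), the same request can be built from an INF file with certreq.exe, which makes the Subject Alternative Names of a multi-domain certificate explicit and lets you inspect the request before sending it to the CA. It assumes Windows Server 2008; the host names, organization details and C:\certs paths are placeholders.

```powershell
# Added example, not from the article. Host names and paths are placeholders.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=mail.yourdomain.com, O=Your Company, L=Your City, S=Your State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
; 0xA0 = digital signature + key encipherment
KeyUsage = 0xA0
; KeySpec 1 = AT_KEYEXCHANGE, required for SSL/TLS
KeySpec = 1
; Exportable lets you move the key to a replacement server later
Exportable = TRUE
; the key pair lives in the computer's store, not the current user's
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name: list every name clients will connect with
2.5.29.17 = "{text}"
_continue_ = "dns=mail.yourdomain.com&"
_continue_ = "dns=autodiscover.yourdomain.com&"
_continue_ = "dns=mail.yourdomain.local"
'@

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\request.inf -Value $inf

# Generates the key pair in the machine store and writes the Base64 PKCS#10 request
certreq.exe -new C:\certs\request.inf C:\certs\request.csr

# Check the subject and SAN list before pasting the CSR into the CA's order form
certutil.exe -dump C:\certs\request.csr

# Once the CA returns the issued certificate, install it against the pending request
# so it is joined to the private key (the .cer file name is a placeholder):
# certreq.exe -accept C:\certs\mail_yourdomain_com.cer
```

After certreq -accept, the certificate appears under Server Certificates in IIS Manager and can be bound to the site (or enabled in Exchange 2007, as described below) like one created by the wizard.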
Certificates in IIS and Exchange Server
Having a certificate in IIS does not guarantee that Exchange Server will "see" that it is there. There are a few steps you must take to easily manage Exchange Server, especially when helping end users remotely configure Outlook Anywhere (RPC-over-HTTP/S) and when helping mobile users synchronize their devices.
For Exchange Server 2003, bind the certificate to the SMTP server and to IMAP4 and POP3 virtual servers if they are used. In Exchange System Manager, go into the Properties of each of these items and find the "Access -> Certificate" option. Once the wizard starts, select the option to assign an existing certificate. Select the certificate that you just purchased and complete the wizard.
This process is a bit different for Exchange Server 2007. In Exchange 2007, you must use the Exchange Management Shell (EMS). After starting the EMS:
- Use PowerShell to determine the thumbprints of the certificates on the server, and pipe those results to a text file at c:\certs.txt:
  Get-ExchangeCertificate | fl | Out-File -FilePath c:\certs.txt
- Make note of the thumbprint of the appropriate certificate from the certs.txt file. For example, the thumbprint might be: B52842F7408772B7151FF74FDAE914EA7B59B53A.
- To make the certificate usable from within IIS, paste the thumbprint into the following command (all on a single line):
  Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS
  For example:
  Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS
- To make the certificate usable from within SMTP, paste it into the following command:
  Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP
  For example:
  Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services SMTP
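Copying a thumbprint out of a text file is where this procedure usually goes wrong (the self-signed certificate gets enabled instead of the purchased one). As an added example that is not part of the original tip, the following EMS script selects the certificate by the host name it covers, enables it for IIS and SMTP in one call, and then verifies both the Exchange binding and what a client actually receives on port 443. The host name is a placeholder.

```powershell
# Added example, not from the article. $hostName is a placeholder for your external name.
$hostName = 'mail.yourdomain.com'

# Pick the unexpired, CA-issued certificate that covers the host name; newest expiry wins
$cert = Get-ExchangeCertificate |
    Where-Object {
        (-not $_.IsSelfSigned) -and
        (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $hostName) -and
        ($_.NotAfter -gt (Get-Date))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($cert -eq $null) {
    throw "No unexpired CA-issued certificate for $hostName is installed on this server."
}
"Using thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# One call binds several services (add POP,IMAP if those services are used);
# Exchange prompts before replacing the default SMTP certificate
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# Verify the binding: only this thumbprint should now list IIS and SMTP under Services
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status

# Verify from the client side (can be run from any workstation): AuthenticateAsClient
# performs the same chain-of-trust and host-name checks a client does and throws if either fails
$tcp = New-Object Net.Sockets.TcpClient($hostName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient($hostName)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Served: $($served.Subject); issued by $($served.Issuer); expires $($served.NotAfter)"
$ssl.Close(); $tcp.Close()
```

If the last section throws, the server is still presenting an untrusted or mismatched certificate, which is exactly what produces the browser prompts and Outlook Anywhere failures described earlier.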
After completing these steps, your certificate should be installed and usable. Additionally, your users should be able to access various Exchange Server features without additional SSL prompts or warnings.
CREDIT:
The Exchange Server 2007 PowerShell syntax was adapted from an article at Andy Grogan's blog.