
Exchange 2010 Server Certificates - Part 1

  • kmclaren7
  • Sep 14, 2016

The complete guide to setting up Exchange 2010 and OWA Certificates

Setting up certificates in Exchange can be a taxing process with the many pieces that must be put into place. I will begin with an overview of how a certificate works and how the signing process works. In order to create a certificate you need to start by getting a certificate from an issuer known as a "Certificate Authority". I will use GoDaddy as an example since GoDaddy has a good article on installing an Exchange certificate and I will link to it for more reading.

The underlying process of getting a certificate issued is one where you:

  1. Create a certificate request on your server

  2. Upload the request to the Certificate Authority (CA)

  3. Download the issued certificate from the CA

  4. Install the certificate on your server

This all sounds like a piece of cake, but it can be a tricky process, and when you are installing the certificate on an Exchange server it can be extra confusing. We will break this down by first installing the certificate in Exchange and then using the same certificate to enable encrypted SSL connections to the Exchange OWA site.

Step 1: Create a Certificate Request

  • Open the Exchange Management Console

  • Dig down through Microsoft Exchange On-Premises > Server Configuration

  • In the middle pane you will see any existing certificates at the bottom. We are creating a certificate, so choose the option to create a new Exchange certificate on the bottom of the right hand panel.

Create a new Exchange Certificate Request

  • In the New Exchange Certificate Wizard you will first need to enter a friendly name for this certificate. This will describe the certificate in Exchange and other locations, so make it logical, like Exchange.mydomain.com.

  • Under Domain Scope, the Enable Wildcard Certificate option will normally be left off. Use this option if you will use a wildcard certificate. This is a sort of certificate that can be used for all subdomains. Leave this unchecked unless you know that you will be using wildcards.

  • On the Exchange Configuration page you will be able to set up the features that you want to have this new certificate used for. The options are shown here and discussed below.

Exchange Configuration Options

Select the items you need from these settings. Be sure to put the correct fully qualified domain names into each box, as seen here for Outlook Web App (OWA) and Client Access Server.

Setting Exchange Configuration Options

  • Once you have selected your options, click Next to review your Certificate Domains. These are the domains that the wizard found in the previous step. Be sure that you have ownership of these domains.

Domains you are going to request a certificate for

  • You will now need to enter your Organizational information. This is a critical step and the information MUST be accurate or you risk the CA not issuing your certificate.

Fill out the Organizational details

  1. Organization: This is the name of your organization or company. Your CA is likely to check this, so use the correct, legal name. For example: Acme, Inc.

  2. Organizational Unit: This is the department inside of your organization that will deal with the certificate. This is usually not critical, but many CAs require this. Put something like: IT Department.

  3. Country/Region: Drop this down and select your country

  4. City/locality: Enter the full name of the city where the server resides

  5. State/Province: The full name of the State, such as California

  6. Certificate Request File Path: Select the path and file name where your certificate request will be written

  • Once you have filled in all the fields you can click Next and then New to create your Certificate Request

Step 2: Request a Certificate

You will now need to upload the file created in Step 1 to your CA in order to get a certificate. Some CAs will ask you to upload the file while others will have you paste the contents into a website. If you are pasting the certificate request you will need to open the file in Notepad or another text editor and copy the ENTIRE contents to the website. You will need everything, including the beginning and end lines: the request starts with -----BEGIN NEW CERTIFICATE REQUEST----- and ends with -----END NEW CERTIFICATE REQUEST-----.
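The request from Step 1 can also be generated from the Exchange Management Shell and checked before it is submitted in Step 2. This is an added example, not part of the original article or of GoDaddy's instructions; the domain names, organization values and file path are constructed placeholders.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# Every name, domain and path here is a constructed placeholder.
$friendlyName = 'Exchange.mydomain.com'
$domains      = 'mail.mydomain.com', 'autodiscover.mydomain.com'
$subject      = 'C=US, S=California, L=Anytown, O=Example Org, OU=IT Department, CN=mail.mydomain.com'
$requestPath  = 'C:\Certs\exchange-mydomain.req'

# Step 1: the same fields the wizard asks for. Only the request is written
# to disk; the private key stays in the server's certificate store.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName $friendlyName `
    -SubjectName  $subject `
    -DomainName   $domains `
    -KeySize      2048
Set-Content -Path $requestPath -Value $request

# Check 1: the file must hold the whole request, including both marker lines.
$text = (Get-Content -Path $requestPath | Out-String).Trim()
if (-not $text.StartsWith('-----BEGIN NEW CERTIFICATE REQUEST-----') -or
    -not $text.EndsWith('-----END NEW CERTIFICATE REQUEST-----')) {
    throw "Request file $requestPath is incomplete; do not submit it."
}

# Check 2: decode the request and confirm every intended domain is in it.
$dumpLines = certutil -dump $requestPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil could not decode $requestPath"
}
$dump    = $dumpLines | Out-String
$missing = $domains | Where-Object { $dump -notmatch [regex]::Escape($_) }
if ($missing) {
    throw "Domains missing from request: $($missing -join ', ')"
}

# Show the lines worth reading before the request goes to the CA.
$dumpLines | Select-String 'Subject:|DNS Name=|Public Key Length'
```

If either check throws, regenerate the request rather than editing the file by hand, since the request is signed and any change invalidates it.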

For more details on this process see this GoDaddy article on setting up the

Next:  Exchange 2010 Server Certificates - Step 3 - Installing Your Certificate
