Configuring Exchange 2010 Certificates

Hi,

So having installed Exchange 2010 the next step is to make it usable. The first thing to do is to create a couple of users and mailboxes, which frankly hasn't changed much since Exchange 2007, so I won't detail it here.

Having done that we need to access those mailboxes, and to make use of all the new features the only way to do this right now is via OWA.

Although Exchange 2010 comes with self-signed certificates enabled out of the box, these are of little use once you want to customise the URLs: the server issues them to itself, so no client trusts them, the names on them won't match the URLs you publish, and users end up clicking through the irritating "certificate authority is not trusted" warnings. This article details how to configure a properly issued certificate in Exchange 2010.

The first thing to note is that Exchange 2010 has some exciting new functionality compared to Exchange 2007.

In Exchange 2007 all certificate work had to be carried out from the command line. Now we have a GUI!

The New Exchange Certificate wizard can be launched after highlighting the server object in the Exchange Management Console, shown below.

image

On the first page give the certificate a name to identify it and click Next

image

The next page is the really clever bit! Here you run through a series of options covering the elements of Exchange 2010 that can use certificates, and you are generally prompted with useful default settings.

image

The following screens show the settings I chose. I didn't set up federation:

image

I set up OWA to be accessed as mail.gaots.co.uk both internally and from the internet

image

I set up ActiveSync to use mail.gaots.co.uk

image

I set up the web services to use mail.gaots.co.uk and to use the default Autodiscover URL

image

I didn't provision IMAP or POP

image

I set up UM to use a public cert

image

I enabled TLS and accepted the default smtp.gaots.co.uk for the connector FQDN

image

Finally I clicked Next to move on!

On the certificate organisation and location info page I filled in the usual info as below and clicked Next

image

At this point a summary is shown and I clicked New to progress with the creation

image

At this point the request file is created and you are shown a summary page with the PowerShell command the wizard ran and, brilliantly, a note that a Unified Communications certificate is required, i.e. one that carries Subject Alternative Names so that a single certificate can cover every host name chosen above (mail.gaots.co.uk, smtp.gaots.co.uk and the Autodiscover name).

image

Having created the certificate request, the next step is to send it to a certificate authority. You would most likely do this online with a commercial CA such as DigiCert; in my case I did it from a CA installed on my domain controller. Note that a certificate from an internal CA is only trusted by machines that trust that CA, typically domain-joined ones, so internet clients and mobile devices will still see warnings unless the CA's root certificate is distributed to them.

Having received the certificate, it is time to install and activate it. This process is started by highlighting the certificate request in the lower pane and clicking the Complete Pending Request link in the action pane.

image

On the first page of the Complete Pending Request wizard, locate the certificate file received from the CA.

The file should be a .cer file; once located, click Next.

(Note I tried this with a .p7b certificate chain file and it caused a system error!)

image

At this point the certificate is imported and you can click Finish

image

Having imported the certificate, the final step is to enable it for the relevant services.

This is done by again highlighting the cert in the lower pane and then clicking the Assign Services to Certificate link in the action pane.

image

Next enable the certificate for all relevant services and click Assign. Interestingly UM is greyed out, which is something I will investigate at another time.

image

When applying the certificate you may be prompted to replace the existing (self-signed) SMTP certificate, in which case you should accept!

Finally click Finish

image

Having completed the above you can see the certificate and the services it is assigned to in the bottom pane!

image
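For anyone who would rather script the whole procedure, or who needs to repeat it on several Client Access servers, the following is the Exchange Management Shell equivalent of the wizard steps above. This is an added example, not the command the wizard printed in the post or anything from the product documentation. It assumes the host names used in the post (mail.gaots.co.uk, smtp.gaots.co.uk, and autodiscover.gaots.co.uk as the default Autodiscover name); the subject fields, friendly name, file paths and the services bound at the end are illustrative and should be changed to suit. It adds one check the wizard does not do for you: it compares the SANs on the issued certificate against the URLs the server actually publishes before binding it.

```powershell
# Added example, not from the original post: the New Exchange Certificate,
# Complete Pending Request and Assign Services wizard steps as shell commands.
# Assumed values: gaots.co.uk host names (from the post), the subject fields,
# friendly name, C:\certs paths and the final service list are illustrative.

# 1. Generate the request. Every name a client connects to must be a SAN,
#    which is what makes this a Unified Communications certificate.
$sans = @('mail.gaots.co.uk', 'autodiscover.gaots.co.uk', 'smtp.gaots.co.uk')

$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'gaots Exchange 2010 UC cert' `
    -SubjectName 'C=GB, O=GAOTS, CN=mail.gaots.co.uk' `
    -DomainName $sans `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# The private key stays in the local machine store; only the request leaves.
Set-Content -Path 'C:\certs\exchange.req' -Value $request

# 2. Submit C:\certs\exchange.req to the CA (commercial or internal) and save
#    the issued certificate as a .cer file, matching what the wizard accepts.

# 3. Import the issued certificate. It is paired with the pending request's
#    private key automatically, so no .pfx is needed.
$cert = Import-ExchangeCertificate -FileData (
    [byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)
)

# 4. Check the SANs cover every URL this server publishes before binding it.
#    A name missing here is exactly what produces the browser warning the
#    whole exercise is meant to remove.
$urls = @()
$urls += Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME |
    ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $env:COMPUTERNAME).AutoDiscoverServiceInternalUri

$hosts = $urls |
    Where-Object { $_ } |
    ForEach-Object { ([System.Uri]$_).Host.ToLower() } |
    Sort-Object -Unique
$certDomains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $hosts | Where-Object { $certDomains -notcontains $_ }
if ($missing) {
    throw "Certificate $($cert.Thumbprint) does not cover: $($missing -join ', ')"
}

# 5. Bind the certificate. IIS covers OWA, ActiveSync, EWS and Autodiscover;
#    SMTP covers the TLS connector. UM is left out because the post found it
#    greyed out in the wizard. -Force answers the 'replace the default SMTP
#    certificate' prompt that the wizard also raises.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# 6. Show what is now bound and when it expires (worth recording for renewal).
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter, Thumbprint
```

Run this in the Exchange Management Shell on the Client Access server itself, because the request and private key are created in that machine's certificate store. If step 4 throws, fix the URL or re-request the certificate with the missing name added to $sans rather than binding a certificate that some clients will reject.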

All that remains is to test access to OWA to make sure everything is working!