I am going to start with generating a certificate from a 3rd party CA, like Thawte or VeriSign or whoever you choose to provide your certificates. You don’t need to use an external CA, but for now I will stay with the external CA and cover internal CAs and the relevant PKI infrastructure later.
Why do I need a 3rd party certificate for my Exchange server?
Well, the short answer is that you don’t actually need one. When you install Exchange 2007 the installation process creates a self-signed certificate that is associated with all of the Exchange Web Services (EWS) so that services like OWA, TLS, secure POP and IMAP can all be used. The issue with using this self-signed certificate is that the computer connecting to your Exchange server needs to have this certificate as a trusted root certificate. If not, services like OWA will display an error in Internet Explorer when you connect, looking a little something like this:
The next issue is with mobile devices that try to connect through ActiveSync. Some of these devices will allow you to connect after an initial certificate error; the iPhone I know will do this. Windows Mobile devices are a little more picky about certificates and would require that this certificate be exported and then imported into the Trusted Root Certificate Store on the device. Now, as much fun as going to every user and installing a certificate on their mobile device sounds, I find that a 3rd party certificate will save you a significant amount of time and frustration. If you do need to go down this path for whatever reason then this MS support article (http://support.microsoft.com/kb/915840) and this page (http://www.jacco2.dds.nl/networking/windowsmobile-certinstall.html) may assist you in your endeavours.
Before deciding on the CA that you will use for your server please think about what services will be used.
If it will purely be for OWA you will probably be able to get away with using a certificate from some of the newer and possibly cheaper CAs.
If you are planning on letting your users connect using ActiveSync through a Windows Mobile device then have a look at the root CAs that are in each version of the Windows Mobile Root Certificate Store here:
| Certificate Authority | Windows Mobile 5.0 | Windows Mobile 6 |
|---|---|---|
| Class 2 Public Primary Certificate Authority (VeriSign, Inc.) | X | X |
| Class 3 Public Primary Certificate Authority (VeriSign, Inc.) | X | X |
| Entrust.net Certificate Authority (2048) | X | X |
| Entrust.net Secure Server Certificate Authority | X | X |
| Equifax Secure Certificate Authority | X | X |
| GlobalSign Root CA | X | X |
| GTE CyberTrust Global Root | X | X |
| GTE CyberTrust Root | X | X |
| Secure Server Certificate Authority (RSA) | X | X |
| Thawte Premium Server CA | X | X |
| Thawte Server CA | X | X |
| http://www.valicert.com (used by GoDaddy.com) | X | X |
| Starfield Class 2 Certificate Authority | X | |
| Go Daddy Class 2 Certificate Authority | X | |
| GeoTrust Global CA | X | |
| Baltimore CyberTrust Root | X | |
| AddTrust External CA Root | X | |
| AAA Certificate Services | X | |
I pulled this table from a Microsoft white paper you can find here. There is a lot of information on certificate use on Windows Mobile 5 and 6 when connecting to either Exchange 2003 or Exchange 2007.
So once you have made the decision on which CA you will get your certificate from, how do you generate a request? There are two ways. Before going any further it is key to note that the Client Access Server role is the one that takes care of all web services and as such should be the server that the requests are generated from and the certificate installed on, unless you have ISA and plan on publishing Exchange’s web services through that, in which case the certificate should be installed on the ISA server.
In IIS; see below for details on how to do this in Windows 2003 and 2008.
In Windows 2003
1) Open IIS Manager
2) Create a new web site
3) Click Next
4) Give the new site a meaningful name then click next
5) Assign an unused port to the address
6) Select a path for the new site – it is not important where this points to as no data will be stored or written to this directory
7) Click Next
8) Click Finish
9) Right click on the newly created web site
10) Click Directory Security tab
11) Click Server Certificate
12) The new Certificate Wizard will start
13) Click Create New Certificate Request
14) Click Next
15) Click Create a new certificate. Click Next
16) Click Prepare the request now, but send later
17) Click Next
18) Fill in the relevant details and click next
19) Type in the name that will appear on the certificate
20) Fill in correct location information
21) Save the text file in a place that you can find it.
22) Open the text file and copy all contents.
23) Submit this information to your chosen CA
Once you have the response from your CA follow these instructions
1) Right click on the web site that was created to generate the certificate request.
2) Click Properties
3) Click Directory Security tab
4) Click Server Certificate
5) Click Process the pending request and install the certificate
6) Find the file supplied by the CA
7) Complete the wizard
8) Right click on the default web site (or whichever web site the EWS live in)
9) Click Directory Security tab
10) Click Server Certificates
11) Click Next at the Wizard splash screen
12) Click Replace Current Certificate, click next
13) Select the certificate that you want to use, click next
14) Click next to confirm then finish to complete the wizard
Then type in the PowerShell commands found in steps 6-9 of the Windows 2008 instructions below.
In Windows 2008
1) Open IIS Manager
2) Double Click on Server Certificates located by clicking on the server name in IIS
3) Click Create Certificate Request
4) Fill in all relevant details that are needed on the certificate
5) Leave the default options and click next
6) Specify a location for the certificate request to be saved
Once you have the response from your CA follow these instructions
1) Open IIS manager again and navigate to Server Certificates
2) Click Complete Certificate request
3) Browse to the file supplied by your chosen CA
4) Give the certificate a meaningful name
5) Click Next
6) Open Exchange Management Shell
7) Type the following
Get-ExchangeCertificate
8) Copy and paste the thumbprint from the certificate that you wish to use
9) Type in the following
Enable-ExchangeCertificate -Thumbprint <insert thumbprint here> -Services SMTP,POP,IIS,IMAP
Accept any prompts about replacing certificates for services.
Creating the certificate request using Exchange and PowerShell.
1) Type the following
New-ExchangeCertificate -DomainName owa.exchangelabs.com.au, autodiscover.exchangelabs.com.au -FriendlyName ExchangeCertificate -GenerateRequest:$True -KeySize 1024 -Path c:\certreq.txt -PrivateKeyExportable:$true -SubjectName "c=au, o=Exchange Labs, CN=exchangelabs.com.au" -IncludeAutoDiscover
Now you may notice something a little different in the shell command above: I have included multiple domain names. These are commonly known as Subject Alternative Names, or SANs. They let the same certificate be used for different host names, so a client connecting to any of the listed names gets a certificate that matches. You can have as many as you like on your certificate, but be aware that your CA may charge more for SAN certificates and for the number of domain names listed on the certificate.
2) Once you get your file back from your CA type the following in to the EMS
Import-ExchangeCertificate -Path c:\certificates\newcert.cer | Enable-ExchangeCertificate -Services SMTP,IIS,POP,IMAP
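As an added example (not from the original post, and not an Exchange cmdlet), here is a pre-flight check I run in the Exchange Management Shell before handing a thumbprint to Enable-ExchangeCertificate: it confirms the private key is present, the certificate is in its validity window, every host name clients will use appears in the Subject Alternative Name extension, and the chain builds to a trusted root, so a missing name or an untrusted CA is caught on the server rather than on a user's phone. It assumes PowerShell 2.0 or later and that the objects returned by Get-ExchangeCertificate (or Get-ChildItem Cert:\LocalMachine\My) are X509Certificate2 instances; the host names are placeholders from the post.

```powershell
# Added example: validate a certificate before enabling it for Exchange services.
function Test-ExchangeCertificateCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [string[]] $RequiredNames    # host names clients connect to (OWA, Autodiscover, ...)
    )
    $problems = @()

    # IIS/SMTP cannot use a certificate whose request was completed on another machine.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key on this server' }

    # Reject expired or not-yet-valid certificates.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "outside validity window ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Subject Alternative Name extension (OID 2.5.29.17). Format($false) returns
    # e.g. "DNS Name=owa.example.com, DNS Name=autodiscover.example.com".
    $sanNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = ($sanExt.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=', 2)[1] } |
            Where-Object { $_ } |
            ForEach-Object { $_.Trim().ToLowerInvariant() }
    }
    foreach ($name in $RequiredNames) {
        if ($sanNames -notcontains $name.ToLowerInvariant()) { $problems += "SAN missing: $name" }
    }

    # The chain must build to a root in the local trusted store; a self-signed
    # certificate or an unknown issuer fails here (revocation checked online).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $reasons = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        $problems += 'chain does not build: ' + ($reasons -join '; ')
    }

    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject
        SanNames = $sanNames; Problems = $problems; Ready = ($problems.Count -eq 0)
    }
}

# Usage: check every certificate Exchange can see against the names from the request above.
$required = 'owa.exchangelabs.com.au', 'autodiscover.exchangelabs.com.au'
Get-ExchangeCertificate | ForEach-Object { Test-ExchangeCertificateCandidate -Certificate $_ -RequiredNames $required } |
    Format-List Thumbprint, Subject, SanNames, Ready, Problems
```

Only a certificate reporting Ready = True should have its thumbprint passed to Enable-ExchangeCertificate; the Problems list tells you which of the checks above failed.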
Well, that’s it for part one.
Part 2 will be how to troubleshoot some common issues with certificates and some tricks around AutoDiscover.