Configuring Exchange 2010 Certificates
Hi,
So having installed Exchange 2010 the next step is to make it usable. The first thing to do is to create a couple of users and mailboxes, which frankly hasn’t changed much since Exchange 2007, so I won’t detail it here.
Having done that we need to access those mailboxes, and in order to make use of all the new features the only way to do this right now is via OWA.
Although Exchange 2010 comes with self-signed certificates enabled, these are clearly of no use if you want to customise the URLs and get rid of the irritating warnings that the certificate authority is not trusted, so this article will detail how to configure certificates in Exchange 2010.
The first thing to note is that Exchange 2010 has some exciting new functionality compared to Exchange 2007.
In Exchange 2007 all certificate work had to be carried out from the command line. Now we have a GUI!
The New Exchange Certificate wizard can be launched after highlighting the server object in the Exchange Management Console shown below.
On the first page give the certificate a name to identify it and click Next
The next page is the really clever bit! Here you run through a series of options about elements of Exchange 2010 which can use certificates and generally are prompted with some useful default settings.
The following screens show the settings I chose:
I didn’t set up federation
I set up OWA to be accessed by mail.gaots.co.uk both internally and from the internet
I set up ActiveSync to use mail.gaots.co.uk
I set up the web services to use mail.gaots.co.uk and to use the default autodiscover URL
I didn’t provision IMAP or POP
I set up UM to use a public cert
I enabled TLS and opted for the default smtp.gaots.co.uk for the connector FQDN
Finally I clicked Next to move on!
On the certificate organisation and location info page I filled in the usual info as below and clicked Next
At this point a summary is shown and I clicked New to progress with the creation
At this point the request file is created and then you are prompted with a summary page showing the PowerShell command and also, brilliantly, more information about the fact that a Unified Communications certificate is required (i.e. one that can support Subject Alternative Names).
Having created the certificate request the next step is to send the request to a certificate authority. Obviously you would most likely do this online with a company like Digicert, however in my case I did it from a CA installed on my domain controller.
Having received the certificate it is time to proceed in getting it installed and activated. This process is started by highlighting the certificate request in the lower pane and clicking the Complete Pending Request link in the action pane.
On the Complete Pending Request wizard first page, locate the certificate file received from the CA.
The file should be a .cer file and once located, click Next
(note I tried this with a p7b certificate chain file and it caused a system error!)
At this point the certificate is imported and you can click Finish
Having imported the cert the final step is to enable the certificate for the relevant services.
This is done by again highlighting the cert in the lower pane and then clicking the Assign Services to Certificate link in the action pane.
Next enable the certificate for all relevant services and click Assign. Interestingly UM is greyed out, which is something I will investigate at another time.
When applying the cert you may be prompted to replace the existing SMTP certificate in which case you should accept!
Finally click Finish
Having completed the above you can see the certificate and the services it is assigned to in the bottom pane!
All that remains is to test access to OWA to make sure everything is working!
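The whole sequence above, from generating the request through completing it, assigning services and testing OWA, can also be driven from the Exchange Management Shell. The following is an added example written for this article, not the command the wizard printed; the server name, file paths, the O= organisation field and the autodiscover.gaots.co.uk name (the wizard's default autodiscover URL) are assumptions, while mail.gaots.co.uk and smtp.gaots.co.uk are the names chosen above. It also adds the check a practitioner wants before assigning services: that the issued certificate actually carries every SAN, is no longer self-signed, and is not close to expiry.

```powershell
# Added example: the certificate lifecycle the wizard drives, done from the
# Exchange 2010 Management Shell on the CAS/HT server.
# Assumptions (placeholders, not from the article): server name EX2010, the
# request/certificate file paths, the O= organisation value, and the
# autodiscover.gaots.co.uk name. mail.gaots.co.uk and smtp.gaots.co.uk are
# the names chosen in the article.

$Server   = 'EX2010'                          # assumption
$ReqFile  = 'C:\Certs\mail.gaots.co.uk.req'   # assumption
$CertFile = 'C:\Certs\mail.gaots.co.uk.cer'   # the .cer returned by the CA (assumption)
$Names    = 'mail.gaots.co.uk', 'autodiscover.gaots.co.uk', 'smtp.gaots.co.uk'

# 1. Generate the request. Every name in $Names is placed in the Subject
#    Alternative Name extension, which is what makes this a Unified
#    Communications certificate. The O= value below is an assumption.
$Request = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName 'GAOTS Exchange 2010' `
    -SubjectName 'C=GB,O=GAOTS,CN=mail.gaots.co.uk' `
    -DomainName $Names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path $ReqFile -Value $Request
# ... submit $ReqFile to the CA and save the issued certificate as $CertFile ...

# 2. Complete the pending request. Import the single .cer the CA issued, not
#    a .p7b chain file, as noted in the article.
$Cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]]$(Get-Content -Path $CertFile -Encoding Byte -ReadCount 0))

# 3. Verify before enabling: all expected SANs present, not self-signed,
#    and not about to expire. CertificateDomains holds domain objects, so
#    compare on their string form.
$Installed = Get-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint
$Present   = $Installed.CertificateDomains | ForEach-Object { "$_" }
$Missing   = $Names | Where-Object { $Present -notcontains $_ }
if ($Missing) {
    throw "Issued certificate is missing SAN entries: $($Missing -join ', ')"
}
if ($Installed.IsSelfSigned) {
    throw 'Issued certificate is still self-signed; check the CA output'
}
if ($Installed.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($Installed.NotAfter); plan the renewal now"
}

# 4. Assign services (the Assign Services to Certificate step). -Force answers
#    the "replace the existing SMTP certificate" prompt described above.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint `
    -Services IIS, SMTP -Force

# 5. Confirm what is now bound to each service, then test OWA with a real
#    mailbox logon rather than just opening the page in a browser.
Get-ExchangeCertificate -Server $Server |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
Test-OwaConnectivity -URL 'https://mail.gaots.co.uk/owa' -MailboxCredential (Get-Credential) |
    Format-List Scenario, Result, Latency, Error
```

Run it in the Exchange Management Shell, pausing at step 2 until the CA has returned the certificate. The SAN check in step 3 catches the common case where the CA silently drops the alternative names and issues a plain single-name certificate, which would only show up later as mismatch warnings in Outlook and ActiveSync. -PrivateKeyExportable $true matches the wizard default and lets the same certificate be exported to other CAS servers; treat any resulting .pfx as a secret and remove it once imported.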