
EDIT 10/4/2007: Since this post has been published, we have updated the Exchange 2007 Autodiscover Service whitepaper to include this information. Please consult the whitepaper for most up-to-date information.

In reviewing all of the certificate data out there, Jim and I noticed that the information is fragmented into smaller topics and widely distributed. We wanted to supplement previous blog posts on this topic (this one and this one) with an overview of how Exchange 2007 uses certificates and a walk-through of how a typical small company might think about this topic.

Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to securing web services, Exchange 2007 has also incorporated Transport Layer Security (TLS) for session based authentication and encryption. TLS has been around for a while but the Exchange 2007 implementation is able to mutually authenticate with external transport servers, internal servers and Outlook 2007 clients. TLS as implemented in Exchange 2007 is an effective alternative to S/MIME and is much easier to administer. 'Domain Security in Exchange 2007' is an excellent whitepaper on Exchange 2007 and TLS so we aren't going to reproduce it in this post, but we wanted to give mention to this new change and point everyone in a direction to read more on this topic. You can download it here:

http://technet.microsoft.com/en-us/library/bb266978.aspx

Since Exchange 2007 shipped, we in Support Services have been helping a lot of customers navigate the process of obtaining and installing certificates. The following scenario comprises the majority of our experiences:

Tom works for a company, Contoso Inc. Let's also say that Tom just put a default install of Exchange 2007 on a server called SERVER01, which makes its internal FQDN SERVER01.contoso.local since he also implemented split DNS. Tom wants to make sure he takes all of the correct steps in order for his external Outlook Anywhere 2007 clients to function correctly. He wants his users to be able to access OWA using https://mail.contoso.com. He has also read enough Microsoft documentation to know that the Outlook 2007 Auto-discover feature will attempt to find his auto-discover service at the following locations (in order from top to bottom):

Service Connection Point (SCP) – client communicates directly to AD

https://contoso.com
https://autodiscover.contoso.com
http://contoso.com
http://autodiscover.contoso.com

Tom doesn't want his users to get "invalid certificate" errors nor does he want to affect his clients with redirection requests.

Tom has just one more decision to make and then it's implementation time. Does he go with the recommended solution, a certificate with Subject Alternative Names (SAN), also known as a Unified Communications Certificate, or with individual certificates?

SAN Cert (Microsoft recommended solution)

Pro – Simple to administer on the server

Con – If you are purchasing the cert from a 3rd party it can be expensive (up to 10x more than a classic SSL cert)

Con – If you generate this cert with your internal MS certificate server, external clients/devices must be configured to trust this internal CA which may involve configuring many devices (Outlook clients, mobile devices, etc).

Con – Not all CAs support this type of certificate. See this article for a list of CAs that do:

929395 Description of the Exchange-specific Web sites that are provided by X.509 certification authorities

http://support.microsoft.com/default.aspx?scid=kb;EN-US;929395

Classic 3rd party SSL cert

Pro – inexpensive

Pro – most clients will trust the CA by default

Con – Can complicate deployment on the server or require the use of an unfamiliar alias

The decision on this is in your (Tom's) hands, so we'll cover both here:

The SAN cert method

You will need to contact a 3rd party CA that supports these types of certs (see the link to KB929395 above).

Next, you need to know all of the Subject Alternative Names that you need to register. Here is the list that applies in Tom's scenario (for the '-domainname' parameter):

mail.contoso.com
contoso.com
contoso.local
autodiscover.contoso.com
Server01.contoso.local
Server01

Officially, the NetBIOS names of the server are not required. But many users and admins like to use OWA internally and this will prevent unnecessary warnings about the cert when they log on. There are no ill effects from adding internal names but they are not necessary.

This is the Exchange Management Shell (EMS) command Tom would enter to generate the cert request to be provided to the 3rd party CA in order to generate the actual certificate:

New-ExchangeCertificate -DomainName mail.contoso.com, contoso.com, contoso.local, autodiscover.contoso.com, server01.contoso.local, server01 -FriendlyName contosoinc -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=US, o=contoso inc, CN=server01.contoso.com"

We have found that the '-SubjectName' option is the most confusing. The help contents in EMS are vague as well. The best description is found in the TLS whitepaper mentioned at the beginning of this post, so we're not going to reproduce it here.

As we just stated, the above command will generate a certificate request file you can then submit to the CA of your choosing. Once they have processed your request and you have the cert, you need to install it onto your default web site. You don't install the certificate using the IIS Admin Console, you need to do it using the management shell.

First you have to import it:

Import-ExchangeCertificate -Path <full path to cert file>

Then enable it:

Enable-ExchangeCertificate

When you run the above command you will be prompted to enter the name of the service you want to enable this certificate for. You can enable the cert for IIS, POP3, IMAP, SMTP, or UM depending on your circumstance. You can enable it for multiple services with the enable command by adding the following parameter:

-services IMAP, POP, UM, IIS, SMTP

After that it will prompt you for the thumbprint, so just copy and paste it from the results of the import procedure mentioned above. If for some reason you don't have the thumbprint in the same window, you can get it by typing the following command:

Get-Exchangecertificate

You can also specify the thumbprint when you execute the 'Enable-ExchangeCertificate' command by adding this parameter:

-thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

Combined it would look like this:

Enable-ExchangeCertificate -Services IIS, UM, SMTP -Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

Make sure you copy the correct thumbprint if you have more than one. You can tell by running the 'Get-ExchangeCertificate' PowerShell command and matching up the subject with the correct thumbprint.
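The check Tom would want before going live, as an added example that is not part of the original post: it reads the subject CN and Subject Alternative Names out of a certificate and reports which of the scenario's client names are and are not covered, plus the private-key, validity and key-size facts the caveats below turn on. It assumes either a thumbprint from Get-ExchangeCertificate (run on the server) or a placeholder path C:\temp\contoso.cer to an exported copy for offline checks.

```powershell
# Added example, not from the original post. Checks that one certificate covers
# every name Tom's clients will connect to, before users see "invalid certificate".
# Assumptions: $RequiredNames is the scenario's list; $CertPath is a placeholder
# path to an exported .cer used when no thumbprint is given.
param(
    [string]$Thumbprint,                       # from Get-ExchangeCertificate, on the server
    [string]$CertPath = 'C:\temp\contoso.cer'  # placeholder: exported copy for offline checks
)

# Names from the scenario: OWA, the Autodiscover candidates, and the internal names.
$RequiredNames = @(
    'mail.contoso.com', 'contoso.com', 'autodiscover.contoso.com',
    'server01.contoso.local', 'server01'
)

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = New-Object System.Collections.Generic.List[string]
    # Subject CN: what -SubjectName produced
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names.Add($cn.ToLowerInvariant()) }
    # Subject Alternative Name extension (OID 2.5.29.17): what -DomainName produced
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Single-line Format() gives "DNS Name=mail.contoso.com, DNS Name=contoso.com, ..."
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') {
                $names.Add($Matches[1].Trim().ToLowerInvariant())
            }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameCoverage {
    param([string[]]$CertNames, [string[]]$Required)
    foreach ($name in $Required) {
        $n = $name.ToLowerInvariant()
        $exact = $CertNames -contains $n
        # A wildcard entry such as *.contoso.com covers exactly one extra label
        $wild = $CertNames | Where-Object {
            $_.StartsWith('*.') -and ($n -like $_) -and
            ($n.Split('.').Count -eq $_.Split('.').Count)
        }
        [pscustomobject]@{ Name = $name; Covered = [bool]($exact -or $wild) }
    }
}

# Load the cert from the local machine store (on the server) or from the exported file
if ($Thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
} else {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
}

$report = Test-NameCoverage -CertNames (Get-CertificateNames -Cert $cert) -Required $RequiredNames
$report | Format-Table -AutoSize

# Three things the post's caveats turn on: the private key must be present if the
# cert is to be exported to an ISA server or SSL accelerator, the cert must still be
# within its validity period, and the key size (the post requests 1024 bits; public
# CAs have required at least 2048-bit RSA keys since 2014).
"Private key present : $($cert.HasPrivateKey)"
"Valid until         : $($cert.NotAfter)"
"Key size            : $($cert.PublicKey.Key.KeySize) bits"
if ($report | Where-Object { -not $_.Covered }) {
    Write-Warning 'Some client names are not covered; users will get certificate warnings.'
}
```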

Next you need external DNS records that point to the IP address of your CAS server for any external name mapped to this certificate.
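To confirm the DNS records and the certificate together from the outside, here is an added example (not from the original post) that walks the Autodiscover candidate URLs in the order the scenario lists them and reports, for each, whether the name resolves, what HTTP status comes back, and which certificate validation errors, if any, a client would hit. It assumes the SMTP domain contoso.com from the scenario; the /autodiscover/autodiscover.xml path that Outlook appends to each host is not spelled out in the post.

```powershell
# Added example, not from the original post. Walks the Autodiscover candidate URLs
# in the order the post gives (the SCP lookup is left out: it is an AD query, not HTTP)
# and reports name resolution, HTTP status and certificate validation result for each.
# Assumptions: SMTP domain contoso.com as in the scenario; the autodiscover.xml path
# is the one Outlook appends and is not stated in the post.
param([string]$SmtpDomain = 'contoso.com')

$Candidates = @(
    "https://$SmtpDomain/autodiscover/autodiscover.xml",
    "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml",
    "http://$SmtpDomain/autodiscover/autodiscover.xml",
    "http://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml"
)

function Test-AutodiscoverEndpoint {
    param([string]$Url)
    $r = @{ Url = $Url; Resolves = $false; Status = ''; CertErrors = 'n/a' }
    $hostName = ([uri]$Url).Host
    try {
        [void][System.Net.Dns]::GetHostAddresses($hostName)
        $r.Resolves = $true
    } catch {
        $r.Status = 'DNS lookup failed'
        return [pscustomobject]$r
    }

    # Record why validation failed rather than hiding it; the request is still
    # allowed through so that the HTTP status can be read as well. The callback
    # is removed again in the finally block so nothing else inherits it.
    $script:sslErrors = 'None'
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $certificate, $chain, $errors)
        $script:sslErrors = $errors.ToString()   # e.g. RemoteCertificateNameMismatch
        return $true
    }
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.AllowAutoRedirect = $false   # the post wants no redirects: surface any 30x
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $r.Status = "$([int]$resp.StatusCode) $($resp.StatusDescription)"
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 401 here is the healthy answer: the endpoint exists and demands credentials
        if ($_.Exception.Response) {
            $resp = $_.Exception.Response
            $r.Status = "$([int]$resp.StatusCode) $($resp.StatusDescription)"
            $resp.Close()
        } else {
            $r.Status = $_.Exception.Message
        }
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }
    if ($Url.StartsWith('https')) { $r.CertErrors = $script:sslErrors }
    return [pscustomobject]$r
}

$results = foreach ($url in $Candidates) { Test-AutodiscoverEndpoint -Url $url }
$results | Format-Table Url, Resolves, Status, CertErrors -AutoSize

# Any HTTPS candidate that answered but whose cert did not validate is one where
# users would get the "invalid certificate" prompt the post wants to avoid.
foreach ($bad in ($results | Where-Object { $_.CertErrors -notin 'None', 'n/a' })) {
    Write-Warning "$($bad.Url) answered with certificate errors: $($bad.CertErrors)"
}
```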

The other method

Jim and I are also hearing "These 3rd party companies want to charge me a lot of money for this SAN cert thing, is there another method?"

Why yes, there are a couple of alternatives, and here they are:

Alternative 1

Get a normal SSL certificate for the autodiscover namespace (autodiscover.contoso.com in the scenario). If you plan on using TLS you'll need to make sure to follow the instructions above but for subjectname you only need to specify the one namespace. The steps are no different to import and install at that point.

For this first example, users will enter the following URL for Outlook Anywhere or ActiveSync:

https://autodiscover.contoso.com

They would use this URL to get to OWA:

https://autodiscover.contoso.com/owa

Alternative 2

This alternative addresses users that may not be as open to learning a new URL for OWA, ActiveSync, or other web services they may already have configured. Get 2 certs, one for mail.contoso.com and one for autodiscover.contoso.com. The mail.contoso.com cert goes on your default web site.

Next, create a new Web site from within IIS manager called AutoDiscover.

Right-click "Web Sites", choose "Web Site", set the description to AutoDiscover, assign a new dedicated IP to this web site, use the default port of 80, do not enter a host header, and for the Path point to the same directory as your default web site:

c:\inetpub\wwwroot

Also accept the default permissions.

Right click this web site, get properties, and go to Directory Security. Assign the autodiscover.contoso.com cert here.

From the Exchange Command Shell, run the following command:

New-AutodiscoverVirtualDirectory -WebSiteName AutoDiscover -BasicAuthentication $true -WindowsAuthentication $true

Note that the web site name parameter is case sensitive.

Go back to IIS manager and confirm the creation of your new AutoDiscover virtual directory. You can delete the autodiscover virtual directory from the default web site, but it's not necessary and there is no additional risk in leaving it there. Finally, make sure external DNS has A or CNAME records for the following:

mail.contoso.com pointed to the external IP of Default Web Site
autodiscover.contoso.com pointed to the external IP of the AutoDiscover web site

Now that you have your cert installed, what next? Default certs issued by a MS certificate authority are valid for 2 years. The length of 3rd party certificate validity depends on your agreement with them. You can use the certificate manager add-in for the local computer to renew these certs when the time comes, or you can repeat the steps above to get a new cert from another CA if you like. There are several ways to do this and the choice is yours to make as to how you accomplish the renewal.

Caveats

If you choose to install and use your own CA, you will have to ensure that clients, servers, and devices that access any secured site trust your CA as a root. This is actually a minor procedure but depending on the technical ability of your users or in large deployments it can become quite complicated.

Also, if you plan to incorporate an SSL accelerator or ISA server located in a DMZ, you need to make sure that you export the private key of the certificate (.pfx file). You can do this from the IIS administrator program once the certificate has been installed following the previous procedure.

Here are some links on that process:

299875 How to implement SSL in IIS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;299875

915840 How to install root certificates on a Windows Mobile-based device
http://support.microsoft.com/default.aspx?scid=kb;EN-US;915840

297681 Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust
http://support.microsoft.com/default.aspx?scid=kb;EN-US;297681

332077 IIS 6.0: Computer must trust all certification authorities trusted by individual sites
http://support.microsoft.com/default.aspx?scid=kb;EN-US;332077

Certificates for Windows Mobile 5.0 and Windows Mobile 6
http://www.microsoft.com/technet/solutionaccelerators/mobile/maintain/SecModel/bd8cc6b6-0038-4e56-b1...

- Christopher Gregson, Jim Westmoreland

58 Comments
Not applicable
Thanks all for this article, but I'm facing a weird situation. I have a local CA and a locally generated certificate and it works pretty fine with OWA and Outlook Anywhere, but if I use a POP3 and SMTP account I get the error "certificate chain processed but ended up in a root not trusted by trust provider", though the root CA is installed and there is no problem.
Can anybody help?
Not applicable
Hi MID00oo,

This seems to be a cert configuration error with either your client or the cert itself.  You should open a case because this is not the forum to discuss sensitive aspects of your configuration.

Regards,
Jim
Not applicable
I just want to reiterate Loren's sentiments- it is unbelievably complicated to configure SSL certs on Exchange 2007.  Why can’t Microsoft make this a simple process?
Not applicable
I'm having a helluva time trying to figure out how to get this certificate issue to work with Entourage 2004. We had to buy an SSL cert from GoDaddy in order for us to relieve the certificate issues that popped up when we installed Exchange 2007 (which is a horrible product, btw). When we launch Entourage, we get the root cert error. The directions the help link gives are useless as it doesn't tell you how to import the cert from the Exchange server. ARGH!
Not applicable
Cameron,

Thanks for the feedback.  I have personally taken all of your feedback to not only the product group but also the VP in charge of Exchange.  They hear you.

Devin,

You'll need to install the root CA cert from go-daddy on the Mac.  I'm not a big Mac user so I can't provide steps but based on what you are reporting that appears to be the issue.  

Regards,

Jim
Not applicable
How about a REAL real world scenario that takes into account... 1) more than one email domain to support, 2) more than one CAS server with an ExternalURL set for redundancy, 3) multiple AD sites and 4) GROWTH... like what do I do when I need to add another email domain or CAS box? Should I be setting aside a nice chunk of corporate funds to buy all the certificates I'm going to need?

-Mecsi
Not applicable
Hey Mecsi,

There is going to be a whitepaper coming out very soon that should cover all of your questions, however I don't think it is going to cover 'Hosted Exchange' or 'Hosted Messaging and Collaboration' (HMC).

That being said, here are some brief answers to your questions:

1. Hosting (multiple email domains) is a huge topic that deserves its own blog.  You should start here:

http://www.microsoft.com/technet/serviceproviders/hmc4/cmsu_hep_plan_conc_heprovisioning.mspx

2. Setting external URL for redundancy.  Redundancy doesn't come from Exchange in the CAS role, it comes from an NLB appliance or server, and you should set the externalurl value to the external NLB address (if you want that farm of CAS servers to proxy to other sites).  This is no different than E2K3 FE configuration.

3.  Multiple AD sites.  There are a lot of things you need to decide about this.  Do you want to proxy the requests from a central site or do you want to redirect users to CAS servers that are local to the mailbox sites?  If you want to proxy, configure your NLB but don't set the external URL.  If you want to redirect, set up NLB at each of the sites and configure the externalURL appropriately.

4. Growth.  If you follow the above and need to add an additional CAS box, then all you need to do is install the box and then add it to the NLB farm.  You'll re-use the cert on each of your CAS servers (remember the privatekeyexportable option?).

5. Adding another email domain (hosting).  See answer to 1.
Not applicable
I work for an agency of the State of Arizona. We use split DNS. We are a .gov on the outside, and a .int on the inside. When I went to purchase a cert from Go Daddy with five subject alternate names:

webmail.azftf.gov
autodiscover.azfftf.gov
exch01
exch01.azftf.int
autodiscover.azftf.int

they said they will sell me a cert with the two .gov names, but said that they would not sell me one with the following three subject alternate names:

exch01
exch01.azftf.int
autodiscover.azftf.int

because they said that azftf.int is a valid top level domain that we don't own. azftf.int is not registered to anyone, but Go Daddy said they can't sell it to me. They further tell me that the only way I can get around this is to go to ICANN and request it from them.

If I install the cert with only the valid outside .gov names, all of my inside clients get two error messages every time they start Outlook. If I leave it with the original autogenerated cert, everyone coming in from the outside gets an error message that our cert isn't any good.

What now? I can't be the only operation that has this problem. Does this happen if your inside domain is .local?

JD