OWA Exchange 2007 over HTTPS question

    Question

  • How can I set up my server so that the secure certificate is valid? Do I need to register something?
    Thursday, September 20, 2007 9:15 PM

All replies

  • Hi Robert,

     

    The easiest way is to configure an internal Certificate Authority on a DC configured as an enterprise root CA. On the Client Access server you can then run the New-ExchangeCertificate command and the Import-ExchangeCertificate command.

    One example forum post on the Exchange certificate request topic is here:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2169029&SiteID=17

    And here is an older article, including the setup of an internal CA:

    http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

     

    Cheers,

    Rhys

    Friday, September 21, 2007 12:54 PM
  • EXCELLENT!

    I'll try this a little later and let you know how it turns out.

    Friday, September 21, 2007 6:08 PM
  • Ok... well it looks like I need to get a little more help. As I mentioned already, this is an Exchange 2007 server; this server was transitioned to from an Exchange 2000 server.

     

    Prior to my being with the organization all IT support was handled by a consulting firm.  The public OWA site has always been: mail.domain.com, while internally the server had the name of Exchange.

     

    The new server is called Exchg2k7, and I adjusted all IP addresses and DNS aliases to reflect the change.  I currently have the SSL requirement disabled so people don't see an error message with the certificate.  OWA is working fine right now over HTTP traffic.

     

    I installed the Cert services onto a Member Server, and went through the process of creating the certificate...

     

    But in the second document you sent over it says that you need to make sure that you use the name that external users will use when connecting to the site. Does this mean I should use mail.domain.com or should I use exchg2k7.domain.com?

    Friday, September 21, 2007 9:41 PM
  • Hi Robert,

     

    The relevant part of the second link was more the setup of the CA. The certificate requesting in Exchange Server 2003 was different to what you will require in Exchange 2007.

     

    When you setup the Exchange Server 2007 certificate you will run the following on the Client Access Server hosting OWA:

    Code Snippet
    # One entry per name, comma-separated; the first DomainName must be the same name as the CN.
    New-ExchangeCertificate -GenerateRequest:$true -SubjectName "c=AU,dc=com,dc=domain,o=Your Organisation name,cn=mail.domain.com" -DomainName mail.domain.com,exchg2k7,exchg2k7.domain.com,domain.com,autodiscover.domain.com -Path c:\certrequest_exchg2k7.req

    Note: This includes domain names such as autodiscover.domain.com (used for the Autodiscover service) and domain.com (used for TLS if the certificate is enabled for the SMTP service), which you may or may not need.

    The important aspects of this command are the Common Name (CN), which is the main FQDN you want to use, and the fact that the first name listed in the DomainName parameter matches this CN.

    The certificates for Exchange 2007 take advantage of being able to validate multiple names on the certificate. The names that are listed in the DomainName parameter are included in the certificate in the Subject Alternative Name (SAN) field.

     

    In your case you can make this certificate request and put in exchg2k7, exchg2k7.domain.com and mail.domain.com, and when a user connects to one of these URLs the certificate will be validated. This does assume that the client you are connecting with trusts the certificate chain, which is why I had suggested using an internal Enterprise Root CA, which is automatically trusted on client computers within your domain. Technically speaking you do not have to put the NetBIOS names into the certificate request, just the domain paths that you want to be validated.

    As there are issues with publishing Exchange services using ISA Server with certificates that have SAN fields, I would recommend using the external name (mail.domain.com) in the CN and also in the first DomainName field.

     

    You can follow this article for the other information:

    http://technet.microsoft.com/en-us/library/aa995942.aspx

     

    After running the New-ExchangeCertificate command you will need to do the following:

    • Go to the internal CA web enrollment page: http://CertAuth.domain.com/certsrv
    • Request a certificate, Advanced, Submit a certificate request using a base-64-encoded file
    • Copy the contents of the c:\certrequest_exchg2k7.req file and paste it into the Saved Request window.
    • Submit. Save the .cer file back to the server.
    • From the Client Access Server that generated the certificate request, run:
      Code Snippet
      Import-ExchangeCertificate -Path CertificateJustRequested.cer -FriendlyName "Webmail Certificate Description" | Enable-ExchangeCertificate -Services "IIS,SMTP"

    There can be other intricacies in providing these services depending on how the mail.domain.com name is resolved by clients inside and outside your organisation, whether you are using ISA, etc.

     

    Hope that helps.

     

    Cheers,

    Rhys

    Monday, September 24, 2007 3:10 AM
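As an added pre-flight check (my own example, not code from the thread or from Exchange), the following Python script reproduces the host-name matching a client performs against the CN and SAN entries, using the values from the command above: it flags a first DomainName that differs from the CN and lists which browser host names (the constructed CLIENT_HOSTS list, including the old internal name "exchange") would still trigger the certificate warning.

```python
"""Pre-flight check of the names on an Exchange 2007 certificate request:
which client URLs would validate against the resulting CN + SAN entries.
Constructed example; the values below come from the thread's command."""

SUBJECT = "c=AU,dc=com,dc=domain,o=Your Organisation name,cn=mail.domain.com"
# -DomainName as posted (host name run together) and as corrected.
DOMAINS_AS_POSTED = "mail.domain.com,exchg2k7exchg2k7.domain.com,domain.com, autodiscover.domain.com"
DOMAINS_CORRECTED = "mail.domain.com,exchg2k7,exchg2k7.domain.com,domain.com,autodiscover.domain.com"
# Host names users type in the browser (constructed); 'exchange' is the old
# internal server name from the thread, which the new certificate omits.
CLIENT_HOSTS = ["mail.domain.com", "EXCHG2K7", "exchg2k7.domain.com",
                "autodiscover.domain.com", "exchange"]

def parse_cn(subject_name):
    """Return the CN from an X.500-style subject string (attribute types case-insensitive)."""
    for rdn in subject_name.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return value.strip()
    raise ValueError("subject name has no CN")

def parse_domain_names(domain_names):
    """Split the comma-separated -DomainName list, tolerating stray spaces."""
    return [n.strip() for n in domain_names.split(",") if n.strip()]

def name_matches(presented, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is allowed
    only as the whole left-most label and matches exactly one label."""
    presented, hostname = presented.lower().rstrip("."), hostname.lower().rstrip(".")
    if presented.startswith("*."):
        p_labels, h_labels = presented.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return presented == hostname

def check_request(subject_name, domain_names, client_hosts):
    """Return (problems, uncovered): violations of the thread's rule that the
    first DomainName must equal the CN, and client host names no SAN covers
    (those users would still see the certificate warning)."""
    cn, sans = parse_cn(subject_name), parse_domain_names(domain_names)
    problems = []
    if not sans or sans[0].lower() != cn.lower():
        problems.append("first DomainName %r does not match CN %r" % (sans[:1], cn))
    uncovered = [h for h in client_hosts if not any(name_matches(s, h) for s in sans)]
    return problems, uncovered

if __name__ == "__main__":
    for label, domains in (("as posted", DOMAINS_AS_POSTED), ("corrected", DOMAINS_CORRECTED)):
        problems, uncovered = check_request(SUBJECT, domains, CLIENT_HOSTS)
        print(label, "->", "problems:", problems, "| would warn for:", uncovered)
```

Run as posted, the run-together entry leaves both exchg2k7 and exchg2k7.domain.com uncovered; the corrected list leaves only the old "exchange" name uncovered, which is exactly the case a user with an old bookmark would hit.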
  • Rhys,

     

    Thanks for the response.  I'll give this a go and let you know how it turns out.

     

    Monday, September 24, 2007 4:32 PM
  • Hi Robert,

    Does the Certificate Authority that I must install for the Client Access Server need a license?

    Regards,

    Fadi

     

    Saturday, April 19, 2008 8:34 AM
  • If you have connections traversing the internet, a third-party CA is required, and yes, it comes with a price.
    Sunday, November 15, 2009 6:16 AM
  • Please have a look at this:

    • How to Obtain a Server Certificate from a Certification Authority: http://technet.microsoft.com/en-us/library/bb125165.aspx

    Sunday, November 15, 2009 1:35 PM
  • I know this is a very late answer, but why don't you add your invalid cert into your Trusted Root Certification Authorities store instead of Personal?

    This way your computer trusts the issuer of the cert and you don't get the warning.

     

    Monday, October 18, 2010 5:44 PM