Create Exchange Certificate

  • Question

  • hi!

    I still have a problem with this issue (the certificate Authentication). OK, in my organization I have used the Certificate Authentication from the Domain Controller:
    Start --> Control Panel --> Add/Remove program --> Add/Remove Windows Components --> Certificate Services
    Step 1: I open IIS under Mydomain --> Web site --> right click on Default web site --> Properties --> Directory Security --> click on Server Certificate --> Assign new certificate.
    Then I got the new file named Cert.txt, which stores the information of my new certificate. Then I logged in to my Primary domain by http://mydomain/certsrv --> Request Certificate --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. --> paste the information from my Cert.txt on Saved request --> submit.

    But it does not work for this case. I hope that you will give me some way to find the solution for this problem, and does it work with Windows CA or not?

    Friday, July 1, 2011 2:02 AM

All replies

  • What version of Exchange?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, July 1, 2011 2:25 AM
  • The way you have mentioned is not the correct way to generate a certificate for Exchange; it's for a web service. You must use SAN (Subject Alternative Name) when generating it.

    As Ed said, please let us know which Exchange version you are talking about here.

    If you are talking about Exchange 2007, then follow the article below to generate a new certificate for Exchange. Renewal and new creation of a certificate for Exchange are the same procedure.

    http://messagingschool.wordpress.com/2011/03/31/renew-certificates-in-exchange-2007-hub-cas/


    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
    • Proposed as answer by Jeff Ren Friday, July 1, 2011 7:03 AM
    • Unproposed as answer by Jeff Ren Friday, July 8, 2011 5:18 AM
    Friday, July 1, 2011 3:12 AM
  • hi

    Thanks for your good answer and for giving me a link. I am currently using Exchange 2007, and the steps in your link are good for me to create a new certificate for Exchange, but I still don't understand

    this point, after I create the new certrequest.txt:

    3. Generate certificate in PKI CA console.

    Now, you need to login your internal PKI CA console and generate certificate using request file “certrequest.txt”. Generate certificate and save it.

    Note: There should not be left spaces when paste content into console.

    Can you give me details about this step?

    Monday, July 4, 2011 7:24 AM
  • Do you have your own internal certificate authority?  If so, then you follow the steps you described in your original post:

    "i login to my Primary domain by http://mydomain/certsrv --> Request Certificate --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. --> paste the information from my Cert.txt on Saved request --> submit"


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Tuesday, July 5, 2011 12:28 AM
  • hi

    Thanks for this case. I still have one problem with enabling the certificate for IIS, SMTP, POP3, and IMAP. I have imported the certificate successfully, but it is still not enabled.

    I use the following command:

    Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP -Thumbprint

    Is this the correct command or not? Please help me with this case, because it does not work in my EMS and the error message is:

    Enable-ExchangeCertificate : Missing an argument for parameter 'Thumbprint'. Specify a parameter of type 'System.String' and try again.

    Thanks for your support.


    Tuesday, July 5, 2011 1:07 AM
  • Run:

    Get-ExchangeCertificate

    From the list, copy the thumbprint from the appropriate certificate and put it after the -Thumbprint property:

    Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

     


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Wednesday, July 6, 2011 3:44 AM
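
    The steps discussed in the thread so far (SAN request, submission to the internal Windows CA, import, enabling by thumbprint), put together as one Exchange Management Shell script. This is an added example, not code posted by any participant; the host names, file paths and the WebServer template name are assumptions, and on a standalone CA the -attrib argument would be left out.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server.
# All names and paths are placeholders (assumptions), not values from the thread.
$names   = 'mail.example.com', 'autodiscover.example.com', 'exch01.example.local'
$reqFile = 'C:\certs\certrequest.txt'
$cerFile = 'C:\certs\exchange.cer'

# 1. Create a PKCS #10 request that carries every name clients use as a SAN.
#    The private key is generated and kept on this server.
New-ExchangeCertificate -GenerateRequest -Path $reqFile `
    -SubjectName 'CN=mail.example.com' -DomainName $names `
    -KeySize 2048 -PrivateKeyExportable $true

# 2. Submit the request to the internal CA. This is the command-line equivalent
#    of pasting the file into the "Saved request" box on /certsrv.
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile
if (-not (Test-Path $cerFile)) {
    throw 'The CA did not return a certificate (request denied or pending).'
}

# 3. Import the issued certificate; it is matched to the pending private key.
$cert = Import-ExchangeCertificate -Path $cerFile

# 4. Before enabling, confirm the CA kept every requested name. A missing SAN
#    produces name-mismatch warnings in OWA and Outlook later on.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) {
    throw "Issued certificate lacks these names: $($missing -join ', ')"
}

# 5. Enable by thumbprint, taken from the imported object instead of being
#    copied by hand, so the wrong certificate cannot be selected by mistake.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,IMAP,POP'

# 6. Review the result: bound services, names and expiry date.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned
```
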
  • Hi!

    Thanks for your answer. Now I can install the certificate on the Exchange 2007 server for IIS, SMTP, IMAP, and POP, but I still have one problem related to OWA. My clients are using the Internet to access their mailboxes by OWA, but they still get the untrusted certificate. So how can I deploy the certificate to encrypt users' access by OWA? And how can we deploy auto CA encrypted when they log in to my mail server?

    Wednesday, July 6, 2011 4:22 AM
  • When you run Get-ExchangeCertificate, what do you see?

    Do you have any web publishing device like an ISA or TMG server between the Internet and your Exchange server?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Wednesday, July 6, 2011 4:29 AM
  • hi!

    Yes, I have the firewall between the Internet and my Exchange server. So what should I do with my firewall?

    Wednesday, July 6, 2011 6:15 AM
  • If the firewall just passes through the traffic, you don't need to do anything.  If your firewall acts as a reverse proxy, then it needs to have your public certificate installed.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Wednesday, July 6, 2011 2:56 PM
  • hi!

    So how do I install the public certificate if my firewall is hardware like Cisco or Fortigate? Please give me some idea about that.

    Another way: I tried to export the certificate from my CA as CA.p7b and then imported it into Internet Explorer under the Trusted Root Certification Authorities of the client's computer. And my client can connect by OWA over the Internet with the connection encrypted to the server.

    So I don't want to import the CA to everyone over the Internet; that is why I want to find some solution for this...

    Thanks in advance

    Thursday, July 7, 2011 1:08 AM
  • You would have to consult a Cisco or Fortigate forum, if you really need to do that.  You only need that if you are doing reverse proxy, a.k.a. web publishing, on a device like that in your DMZ.

    You might want to obtain a certificate from a public authority like Go Daddy (whom I've found to be the cheapest and their certs work fine) and use that instead of your internal certificate.  You can have only one certificate on most Exchange services.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Proposed as answer by Jeff Ren Friday, July 8, 2011 5:18 AM
    • Marked as answer by Jeff Ren Friday, July 22, 2011 8:24 AM
    Thursday, July 7, 2011 2:41 AM