Microsoft has made some significant changes to the way we install certificates with Exchange 2007/2010. In 2003 you simple installed the certificate in IIS console and you were up with OWA securely in no time. in 2007/2010 it is a little different.

This article will focus on a simple deployment and will not take into account Unified Communications.

In Exchange 2010 we need to install what is called a Unified Communication Certificates (I know, it contradicts the above but we need it for this to work). You can get your typical web server certificate to work however you should buy a UC certificate. You can buy it from here: http://www.comodo.com/business-security/digital-certificates/unified-communications.php (there are limited places to buy UCC's).

A typical UC certificate will need to cater for 3 SAN attributes:

  1. Internal DNS name of the Exchange/OWA server
  2. External DNS name of the Exhange/OWA server
  3. autodiscover URL of your domain

Hence you will need 3 Subject Alternative Names (SAN's). So let's say our internal network was internal.local, our external domain was external.com and our exchange server was called exch01 the SAN's will be:

  1. exch01.internal.local
  2. exch01.external.com (assuming you wanted this to be your external DNS name, this would be your primary domain)
  3. autodiscover.external.com

You will first need to create a Certificate Signing Request (CSR) to get your UC Certificate. In 2007 the command is as follows (based on above SAN's):

New-ExchangeCertificate -GenerateRequest -Path c:\exch01_external_com.csr -KeySize 2048 -SubjectName "c=au, s=My State, l=My City, o=My ORG, ou=My Dept, cn=exch01.external.com" -DomainName exch01.external.com, exch01.internal.local, autodiscover.external.com -PrivateKeyExportable $True

In 2010 it will be as follows:

Set-Content -path "C:\exch01_external_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=au, s=My State, l=My City, o=My ORG, ou=My Dept, cn=exch01.external.com" -DomainName exch01.external.com, exch01.internal.local, autodiscover.external.com -PrivateKeyExportable $True) 

In general the fields are as follows:

  • Key Size - 2048 is the minimum for UC Certificate
  • Subject Name - Typical ORG details for the certificate including the common name
  • DomainName - The SAN's we mentioned above
  • PrivateKeyExportable - If you wish to export the key later on

Provide the certificate to your CA and when you get the certificate back, the process to install it is as follows (in Exchange Management Shell):

Import-ExchangeCertificate -Path "C:\exch01_external_com.cer"
Enable-ExchangeCertificate <thumprint> -Services:"POP,SMTP,IIS,IMAP"
Press (Y) for the warning

The above can also be done as a 1 liner to avoid having to enter the thumbprint:

 Import-ExchangeCertificate -Path "C:\exch01_external_com.cer" | Enable-ExchangeCertificate -Services:"POP,SMTP,IIS,IMAP"

If you get lost and can't find your thumbprint, simply run the following command to get all your Exchange certificates:

Get-ExchangeCertificate 

The above command will give you the partial information about the certificate.

If you wish to get the full information about the certificate then below is the command.

Get-ExchangeCertificate |fl