Thursday, March 25, 2010

Exchange 2010 SAN / UCC Certificates Installation

So, I recently completed an Exchange 2003 to Exchange 2010 migration for a mid-sized client. There were (of course) a couple of hiccups, which I will detail as soon as I get my stuff in order. With that said, here's what I learned about UCC certificates (more specifically, GoDaddy UCC certs).

THE BASICS:

This client had 2 separate DNS namespaces: the AD DNS was clientabc.local, the external DNS was clientabc.com. Internally the Exchange server was called cabc-exc-001; externally it was mail.clientabc.com. So let's get down to the 3 commandments.

  1. Any name by which your server will be accessed needs to be included on the certificate. In my case it was the following: mail.clientabc.com, cabc-exc-001.clientabc.local and finally clientabc.com
  2. Make the common name the server's external DNS alias, e.g. mail.clientabc.com
  3. If you use the Autodiscover server (which you should, it RAWKS) you should add that to your UCC certificate. In my case: autodiscover.clientabc.com and autodiscover.clientabc.local

Generating the Certificate Request:

  1. Fire up your EMC and click "Manage Databases" on the homepage
  2. Click "Server Configuration", then click on "New Exchange Certificate" in the actions pane
  3. You'll be prompted for a "Friendly Name". This is purely descriptive, so call it something descriptive.
  4. On the "Domain Scope" dialog, do not select the "wildcard" option
  5. Next up is the "Exchange Configuration" menu. Check the boxes for the services you plan to secure. The wizard will recommend names; ensure they're correct for your environment, keeping in mind our 3 commandments
  6. On the next screen you'll be allowed to enter your Org info
  7. Et voilà! Click on the "Browse" button to save all the hard work from above into a .req file
  8. The contents of the .req file must now be submitted to your certificate vendor of choice (I used GoDaddy).
  9. Once you've completed that you should be able to download your certificate. Once that is done, it's on to the next section.
  10. It's of course also possible to do all of the above via the EMS. Using my example, the command would be: New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=NA, s=Erongo, l=Swakopmund, o=ClientABC, ou=Information Technology, cn=mail.clientabc.com" -DomainName cabc-exc-001.clientabc.local,autodiscover.clientabc.com,autodiscover.clientabc.local,clientabc.com -PrivateKeyExportable $True
      The cmdlet returns the request text rather than writing a file, so capture its output (for example in a variable) and save it to your .req file with Set-Content before submitting it to the CA.

Installing Your UCC Certificate

  1. Download and save the certificate from your provider
  2. Now install any intermediate certificate, following the instructions provided by your chosen CA. THIS IS CRUCIAL! Install this before you install your actual certificate.
  3. Now start up the EMC again and click "Manage Databases" on the homepage. Click "Server Configuration", then select your certificate.
  4. In the Action Pane, click on "Complete Pending Request"
  5. Browse to your downloaded certificate, and click Open, Complete and Finish.
  6. From the Action Pane, click "Assign Services to Certificate", select your server from the list and click Next
  7. Select the necessary services, then click Next, Assign and Finish
  8. Alternatively we can import our certificate with an EMS command: Import-ExchangeCertificate -Path c:\certreq\mail.clientabc.com.crt -FriendlyName "Your Friendly Name"
  9. Then assign the services like so: Enable-ExchangeCertificate -Services IIS -Thumbprint <thumbprint>, where <thumbprint> is the certificate's thumbprint as listed by Get-ExchangeCertificate.
To make sure everything takes, you can restart the Exchange Transport Service. And that, as they say, is that!
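As an added check (my own example, not part of the steps above), the following Exchange Management Shell script verifies that the certificate bound to IIS actually carries every name from the 3 commandments, that no wildcard slipped in, that it is not about to expire, and that the intermediate chain from step 2 can be built. The names are the clientabc.com example values from this post; the 30-day warning threshold is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Names below are this post's example values; replace them with your own.
$RequiredNames = @(
    'mail.clientabc.com',            # external alias, also the common name
    'cabc-exc-001.clientabc.local',  # internal FQDN
    'clientabc.com',                 # bare domain
    'autodiscover.clientabc.com',    # Autodiscover, external namespace
    'autodiscover.clientabc.local'   # Autodiscover, internal namespace
)
$WarnDays = 30   # assumption: warn when fewer than 30 days remain

# Pick the certificate assigned to IIS (OWA, EWS, Autodiscover all ride on it)
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service.' }
Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject))"

# CertificateDomains lists the CN plus every SAN entry on the certificate
$present = $cert.CertificateDomains | ForEach-Object { $_.ToLower() }
$missing = $RequiredNames | Where-Object { $present -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning ('Names missing from the certificate: ' + ($missing -join ', '))
} else {
    Write-Host 'All required names are present on the certificate.'
}

# Step 4 said not to request a wildcard; flag one if it shows up anyway
if ($present -match '^\*\.') { Write-Warning 'Certificate contains a wildcard entry.' }

# Expiry check
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))."
}

# Step 2 check: build the chain from the machine store. A failure here usually
# means the CA's intermediate certificate was not installed.
$x509  = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($x509)) {
    $reasons = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
    Write-Warning ('Chain build failed: ' + ($reasons -join '; '))
} else {
    Write-Host 'Certificate chain builds cleanly (intermediate is installed).'
}
```

Run it once after step 9 and again after any renewal; a missing Autodiscover name shows up here long before users start reporting certificate prompts in Outlook.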