THE BASICS:
This client had two separate DNS namespaces: the AD DNS zone was clientabc.local and the external DNS zone was clientabc.com. Internally the Exchange server was called cabc-exc-001; externally it was mail.clientabc.com. So let's get down to the 3 commandments.
- Any name by which your server will be accessed needs to be included on the certificate. In my case it was the following: mail.clientabc.com, cabc-exc-001.clientabc.local and finally clientabc.com
- Make the common name the server's external DNS alias, e.g. mail.clientabc.com
- If you use the Autodiscover server (which you should, it RAWKS) you should add that to your UCC certificate. In my case: autodiscover.clientabc.com and autodiscover.clientabc.local
- Fire up your EMC and click "Manage Databases" on the homepage
- Click "Server Configuration", then click on "New Exchange Certificate" in the actions pane
- You'll be prompted for a "Friendly Name". This is purely for your own reference, so call it something descriptive.
- On the "Domain Scope" dialog, do not select the "wildcard" option
- Next up is the "Exchange Configuration" menu. Check the boxes for the services you plan to secure. The wizard will recommend names; make sure they're correct for your environment, keeping in mind our 3 commandments.
- On the next screen you can enter your organization info
- Et voilà! Click on the "Browse" button to save all the hard work from above into a .req file
- The contents of the .req file must now be submitted to your certificate vendor of choice (I used GoDaddy).
- Once you've completed that you should be able to download your certificate. Once that is done, it's on to the next section.
- It's of course also possible to do all of the above via the EMS. Using my example the command would be: New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=NA, s=Erongo, l=Swakopmund, o=ClientABC, ou=Information Technology, cn=mail.clientabc.com" -DomainName cabc-exc-001.clientabc.local, autodiscover.clientabc.com, autodiscover.clientabc.local, clientabc.com -PrivateKeyExportable $True (the cmdlet outputs the Base64 request text, which you then save to your .req file for the CA).
- Download and save the certificate from your provider
- Now install any intermediate certificate, following the instructions provided by your chosen CA. THIS IS CRUCIAL! Install this before you install your actual certificate, otherwise the chain from your certificate to the CA's root will not build.
- Now start up the EMC again and click "Manage Databases" on the homepage. Click "Server Configuration", then select your certificate.
- In the Action Pane, click on "Complete Pending Request"
- Browse to your downloaded certificate, and click Open, Complete and Finish.
- From the Action Pane, click "Assign Services to Certificate", select your server from the list and click Next
- Select the necessary services, then click Next, Assign and Finish
- Alternatively we can import our certificate with an EMS command: Import-ExchangeCertificate -path c:\certreq\mail.clientabc.com.crt -friendlyname "Your Friendly Name"
- Then assign the services like so: Enable-ExchangeCertificate -Services IIS -Thumbprint <thumbprint-of-your-new-certificate> (Get-ExchangeCertificate lists the thumbprints of the certificates Exchange knows about)
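Once the certificate is imported and assigned, it's worth checking that the 3 commandments were actually honoured and that the intermediate certificate really was installed. The following EMS script is an added example and is not from the original post: it assumes Exchange 2010's Get-ExchangeCertificate cmdlet, uses the names from the example above as the required list, and uses a placeholder thumbprint that you replace with the one Get-ExchangeCertificate shows for your new certificate.

```powershell
# Added verification script (not part of the original post).
# Assumes: Exchange 2010 EMS, the example names from the post, and a
# placeholder thumbprint you replace with your own certificate's thumbprint.
$RequiredNames = @(
    'mail.clientabc.com',                 # commandment 2: the external alias (CN)
    'cabc-exc-001.clientabc.local',       # commandment 1: internal server name
    'clientabc.com',                      # commandment 1: bare external domain
    'autodiscover.clientabc.com',         # commandment 3: Autodiscover, external
    'autodiscover.clientabc.local'        # commandment 3: Autodiscover, internal
)
$Thumbprint = '<THUMBPRINT-OF-YOUR-NEW-CERTIFICATE>'   # placeholder, replace before running

$exCert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $exCert) {
    Write-Error "No Exchange certificate found with thumbprint $Thumbprint"
    return
}

# 1. Every name Exchange will be reached by must be on the certificate.
$present = @($exCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($RequiredNames | Where-Object { $present -notcontains $_.ToLower() })
if ($missing.Count -gt 0) {
    Write-Warning ("Names missing from the certificate: " + ($missing -join ', '))
} else {
    Write-Host "All required names are present on the certificate."
}

# 2. The common name should be the external alias, not the internal host name.
if ($exCert.Subject -notmatch 'CN=mail\.clientabc\.com') {
    Write-Warning "Common name is not mail.clientabc.com: $($exCert.Subject)"
}

# 3. The chain must build on this box, which is what installing the
#    intermediate certificate first is for. Revocation is skipped here so the
#    check works on a server without outbound CRL/OCSP access; the chain
#    itself is still validated against the local certificate stores.
$x509  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($x509)) {
    Write-Host ("Chain builds OK, {0} certificates from leaf to root." -f $chain.ChainElements.Count)
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain does NOT build (is the intermediate installed?): $reasons"
}

# 4. Services and expiry: IIS must be assigned for OWA/Autodiscover/EWS over HTTPS.
if ("$($exCert.Services)" -notmatch 'IIS') {
    Write-Warning "IIS is not assigned to this certificate (Services: $($exCert.Services))"
}
Write-Host "Services assigned: $($exCert.Services)"
Write-Host "Expires: $($exCert.NotAfter)"
if ($exCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires within 30 days; start the renewal request now."
}
```

Run it from the Exchange Management Shell on the server holding the certificate. A failing chain build immediately after import almost always means the intermediate step was skipped, and a name in the "missing" list means clients using that name will get a certificate warning even though the certificate itself is valid.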
Nice blog. For those with a CAS array (more than 1 CAS server), you would put casarray.clientabc.local instead of the direct server, cabc-exc-001.clientabc.local, into the certificate. Mark the certificate so it can be exported and import it into each CAS server in the array.
Oops, disregard my comment on casarray for the certificate! Done an all-nighter on Exchange and not thinking straight!
No worries, glad you found my blog useful!
Thanks for the blog post. Good looking out!