I recently had to renew my Exchange certificate as it expired. The original admin who set up this Exchange bought the previous certificate from Digi. I decided to go with Startcom (Free SSL) as I have used them once before in an OCS deployment and they worked out well. Exchange is a little different in that you must use the Exchange Management Shell (PowerShell) during the process of installing a certificate for Outlook Web Access (OWA). I am going to cover 5 steps to installing a certificate in Exchange for OWA.
To open the Exchange Management Shell, go to Start >> Programs >> Microsoft Exchange Server 2007 >> Exchange Management Shell
This is the management shell
Step1 – Generate Certificate Request in PowerShell:
New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 1024 -SubjectName "c=GB, s=Middx, l=MyCompany, ou=IT, cn=mail.domain.com" -PrivateKeyExportable $True
Output should look like this:
Step2 – Get the certificate request approved by a Certificate Authority:
If you open the generated certificate request in Notepad, you will see a block of Base64 text between a BEGIN NEW CERTIFICATE REQUEST line and an END NEW CERTIFICATE REQUEST line.
The Certificate Authority you have chosen will have you paste or upload this text or file to them and they will sign it. I recommend using Startcom (http://cert.startcom.org) as your certificate authority. They offer free and low cost certificates. They will give you a certificate that looks similar to the request above if you open it in Notepad. You need to save the certificate the CA gives you on your server and be sure its file name ends with .cer.
Step3 – Import Cert through Exchange management shell or MMC certificate snap-in:
Now you need to import the .cer file that you received from your Certificate Authority. Here is the syntax for doing this in the Exchange Management Shell.
Import-ExchangeCertificate -Path e:\certificates\mail_domain_com.cer -FriendlyName "mail.domain.com"
You can also import this into the certificate store on the server the traditional way. Go to Start >> Run, type in mmc and hit Enter, then click on File >> Add or Remove Snap-ins and select Certificates
Once you click add the next window will appear
Click next and choose local computer account
Click Finish, then click OK. You will then need to expand Certificates >> Personal >> Certificates; this is where you want to import the certificate you just received from your CA.
Once it is here Exchange management shell will see it with no problem. You can use Exchange management shell to import it or through MMC. In my opinion Exchange management shell is a faster way to import the certificate in.
Step4 – Ensure Exchange can see the newly imported certificate:
You can run the following command in the Exchange Management Shell to see which certificates it picks up.
Get-ExchangeCertificate
The output should look like the picture below. Take note of the thumbprint on the certificate you are going to use.
You can also output this data to a file using this command:
Get-ExchangeCertificate | fl | Out-File -FilePath c:\certificate_store.txt
This will put a file on your C: drive named certificate_store. You can open this file in notepad to reference the thumbprint of the certificates that are installed. You will need this thumbprint in the next step when enabling it for OWA or later if you need to remove the certificate. Command for removing a certificate using Exchange management shell:
Remove-ExchangeCertificate -Thumbprint TYPETHUMBPRINTHERE
Step5 – Enable it for OWA:
OK, you have generated a certificate request, got it approved by a CA, imported it into the certificate store on the Exchange server, and verified that Exchange sees it in the store. Now you need to enable the certificate for OWA. This will tell Exchange to use this particular certificate for your OWA site. It has also been my experience that this works for ActiveSync and Outlook Anywhere, so you do not have to enable it separately for these services. The command to enable it for OWA is:
Enable-ExchangeCertificate -Thumbprint TYPETHUMBPRINTHERE -Services IIS
Test your OWA access and other Exchange services:
Your certificate install is complete. You can now test your OWA, Outlook Anywhere, ActiveSync and more. Use Microsoft’s Exchange Connectivity website to test these: https://www.testexchangeconnectivity.com/
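A check to run in the Exchange Management Shell after Step 5, added here as an example and not part of the original post: it looks at every certificate Exchange has enabled for IIS and flags ones that are expired or close to expiry, have no private key, are self-signed, use a short key, or do not list the OWA host name. The function name Test-OwaCertificate and the 2048-bit and 30-day thresholds are assumptions, not values from the post.

```powershell
# Added example: audit the certificate(s) Exchange serves for IIS (OWA).
# Test-OwaCertificate is a hypothetical helper name; thresholds are assumptions.
function Test-OwaCertificate {
    param(
        [string]$HostName   = 'mail.domain.com',  # name users type to reach OWA
        [int]   $MinKeyBits = 2048,               # assumed minimum RSA key size
        [int]   $WarnDays   = 30                  # assumed renewal warning window
    )
    process {
        $cert = $_

        # Skip certificates that are not enabled for IIS (Step 5 sets this flag)
        if ("$($cert.Services)" -notmatch 'IIS') { return }

        $problems = @()
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $keyBits  = $cert.PublicKey.Key.KeySize

        # CertificateDomains holds the subject CN plus any alternative names
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })

        if (-not $cert.HasPrivateKey)    { $problems += 'no private key on this server' }
        if ($cert.IsSelfSigned)          { $problems += 'self-signed, not issued by a CA' }
        if ($daysLeft -lt 0)             { $problems += "expired $(-$daysLeft) days ago" }
        elseif ($daysLeft -lt $WarnDays) { $problems += "expires in $daysLeft days" }
        if ($keyBits -lt $MinKeyBits)    { $problems += "${keyBits}-bit key is below $MinKeyBits" }

        # Exact-name comparison only; a wildcard certificate will be reported here
        if ($names -notcontains $HostName) { $problems += "does not list $HostName" }

        $summary = 'none'
        if ($problems.Count -gt 0) { $summary = [string]::Join('; ', $problems) }

        # One result object per IIS certificate
        $cert | Select-Object Thumbprint, Subject, NotAfter,
            @{ Name = 'KeyBits';  Expression = { $keyBits } },
            @{ Name = 'DaysLeft'; Expression = { $daysLeft } },
            @{ Name = 'Problems'; Expression = { $summary } }
    }
}

# Usage: pipe the same cmdlet used in Step 4 into the check
Get-ExchangeCertificate | Test-OwaCertificate -HostName 'mail.domain.com' | Format-List
```

A request generated with -KeySize 1024 as in Step 1 will show up under Problems with the default threshold; pass -MinKeyBits to match whatever your CA and policy require.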