Let’s face it – Certificate and PKI management can be confusing at the best of times. We all know that we need them for encryption. However, when creating them with Exchange, it doesn’t always go according to plan. The following are some symptoms of having incorrect Certificates:
•Users continually prompted for a password in Outlook
•Error messages in Outlook stating that the Certificate is invalid
•Nasty red bars in Internet Explorer or your chosen alternative browser
•ActiveSync not able to connect
I like to keep this simple. In summary, create a single certificate that can be used on all of your CAS Servers and your ISA server for full internal and external functionality. Creating a unique certificate for each server that requires one is certainly possible, but is more prone to error.
Also, consider a scenario where you are using NLB on your CAS Servers. Which server will the client connect to? You cannot know in advance. So, whichever one it does connect to, that server's certificate must contain the name the client used, or the client will receive an error.
So, the first question you need to answer: by which names (internal/external; NetBIOS/host) will your clients access your CAS servers? These are the Subject Alternative Names (SANs), and every one of them has to be included in the certificate request to avoid annoying error messages in Outlook, OWA, ActiveSync etc. Don’t forget Autodiscover… Also, it is pretty handy to include localhost, as this will reduce errors when performing local testing on the Exchange CAS server. Here are a few I would use if I were doing this for the robsilver.org domain:
•webmail.robsilver.org [Public FQDN]
•webmail [internal NetBIOS name]
r.org [internal FQDN]
•autodiscover [internal Autodiscover NetBIOS name]
g [external Autodiscover FQDN]
r.org [internal Server1 FQDN]
r.org [internal Server2 FQDN]
•server1 [internal Server1 NetBIOS Name]
•server2 [internal Server2 NetBIOS Name]
Once you have this, you are ready to go. It is very important to ensure that the very first SAN is the same as the Common Name (CN) of the certificate request or else ISA/TMG will not be able to publish the site correctly. Run the following on one of your CAS Servers:
New-ExchangeCertificate -GenerateRequest -SubjectName "dc=org,dc=internal,o=RobS
g" -DomainName webmail.robsilver.org, webmail, webmail.internal.robsilver
.org, autodiscover, autodiscover.robsilver.org
.org, server1, server2, localhost, 127.0.0.1 -PrivateKeyExportable $true -Path c:\RobsilverCertReq.txt
Ok, with the Certificate Request, go to the CA Web Enrolment page and request the Certificate. This will result in a .cer file which we will use to import the certificate on the CAS Servers and to publish Outlook on our TMG/ISA servers. If you have any difficulty here, make sure that the Web Server Certificate Template has the servers in question under the security tab (MMC > Add Remove Snapin > Certificate Templates).
Next, copy the .cer file to your CAS Servers. Import it into the local computer certificate store:
•MMC > Add Remove Snapin > Certificates > COMPUTER
•Right click Personal and select Import
As an alternative, you can use the Exchange PS to do this:
Import-ExchangeCertificate -Path robsilvercert.cer -FriendlyName "RobSilver Incorporated"
As you may have multiple Certificates under personal for the computer, determine the correct cert with the following Exchange PS command:
Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq "RobSilver Incorporated" } | Format-List FriendlyName, Thumbprint
Note the thumbprint of the correct certificate at this stage, so that the right certificate is used in the next step.
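Before enabling the certificate, the two naming rules from earlier can be checked mechanically: the first SAN must equal the CN, and every name clients use must be present. The following is an added example, not part of the original post; the function name Test-CertNameCoverage, the sample subject and the deliberately faulty SAN list are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original post): check a certificate's names against
# the two rules above. Function name and sample values are constructed.
function Test-CertNameCoverage {
    param(
        [string]   $Subject,        # subject DN as shown on the certificate
        [string[]] $SanList,        # SAN entries, in the order they appear
        [string[]] $RequiredNames   # every name clients will use to reach the CAS
    )

    # Extract the CN from the subject DN (simple DNs only, no quoted commas).
    $cn = $null
    if ($Subject -match '(?:^|,)\s*CN\s*=\s*([^,]+)') { $cn = $Matches[1].Trim() }

    # Drop empty entries, then trim whitespace from the remaining SANs.
    $sans = @($SanList | Where-Object { $_ -and $_.Trim() } | ForEach-Object { $_.Trim() })
    $firstSan = $null
    if ($sans.Count -gt 0) { $firstSan = $sans[0] }

    # -notcontains and -eq compare strings case-insensitively, like DNS names.
    $missing = @($RequiredNames | Where-Object { $sans -notcontains $_ })

    New-Object PSObject -Property @{
        CommonName        = $cn
        FirstSan          = $firstSan
        FirstSanMatchesCN = ($cn -and $firstSan -and ($firstSan -eq $cn))
        MissingNames      = $missing
    } | Select-Object CommonName, FirstSan, FirstSanMatchesCN, MissingNames
}

# Constructed sample: names from the list above, but with the NetBIOS name placed
# first in the SAN list and the external Autodiscover FQDN left out.
$required = 'webmail.robsilver.org', 'webmail', 'autodiscover',
            'autodiscover.robsilver.org', 'server1', 'server2'

$result = Test-CertNameCoverage `
    -Subject 'CN=webmail.robsilver.org, O=RobSilver Incorporated' `
    -SanList 'webmail', 'webmail.robsilver.org', 'autodiscover', 'server1', 'server2', 'localhost' `
    -RequiredNames $required

# FirstSanMatchesCN flags the ISA/TMG publishing problem;
# MissingNames lists names that would trigger client certificate errors.
$result | Format-List
```

For a real certificate, pass the Subject and the SAN entries in the order they are shown on the certificate's Details tab.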
Finally, to enable that new certificate for Exchange services, run the following:
Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,POP,IMAP"
That’s your CAS done. On ISA/TMG, create the necessary Exchange Publishing rule and use the new cert in the listener.
Hope this helps.