YourElement asked:
SSL Certificate for Exchange 2007 CAS NLB Cluster
We need to acquire an SSL certificate for our new Windows Network Load Balanced (NLB) Client Access Server (CAS) pair in an Exchange 2007 environment.
Here is the current configuration:
NLB Name: NLB.domain.corp
CAS Node1: HT-CA1.domain.corp
CAS Node2: HT-CA2.domain.corp
Public OWA address:
https://Mail.domain.com/owa
I am not concerned with having users connect to OWA with the server name or with the local NLB name. Also, we don't use Outlook Anywhere, therefore I do not expect to need a SAN or wildcard cert.
Is this correct? What do I need to give VeriSign to get an SSL cert for the public OWA site?
1. Run this command from the Exchange Management Shell and give the .req file to the certificate company:
# The key size is what the original post specified; public CAs no longer accept 1024-bit keys, so use 2048 or larger today.
New-ExchangeCertificate -DomainName mail.company.com -FriendlyName OWACompany -GenerateRequest:$true -KeySize 1024 `
    -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=Com, o=Company, CN=mail.company.com"
2. Import the cert via the shell:
Import-ExchangeCertificate -Path c:\certnew.p7b
3. Confirm the import:
Get-ExchangeCertificate -Thumbprint <thumbprint> | FL
4. Enable the new cert:
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,POP,IMAP
Sounds like you have already done most of the legwork here. Once you do the generaterequest you should receive a certificate signing request (CSR) file - this is the only thing from the server that any Trusted Root issuer (e.g. Verisign, RapidSSL, Comodo, etc.) would need. The rest of the information is just company information that they can use to validate that you are an actual corporate or personal entity (i.e. not a scammer) that you would fill out on their website (company name, physical address, responsible person(s), and so forth). The SSL company would then go through whatever vetting process that they use to verify that information and then issue your certificate. Verisign usually takes 2-3 days or so, other vendors will vary.
ASKER
Thanks for your quick reply!
Does it matter that the public URL (https://Mail.domain.com/owa) is different than the actual load balanced URL (NLB.domain.corp)?
If I have DNS sending requests from the public to the internal URL, will the users get cert errors because the names don't match up?
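An added illustration of the name-matching question above (this is editor-supplied example code, not from the thread): a browser compares the hostname the user typed against the certificate's SAN entries (or, lacking a SAN, the subject CN), regardless of what DNS or the NLB resolves that name to. The certificate dicts below are constructed to mirror the thread's names; check_endpoint performs the same test against a live server.

```python
"""Check whether a certificate's names cover the hostname a client types."""
import socket
import ssl


def cert_hostnames(cert):
    """DNS names the cert is valid for (dict shape of ssl.SSLSocket.getpeercert()).
    SAN entries win; the subject CN is only a fallback when no SAN is present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a leading '*' covers exactly
    one label and never the bare registered domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) == len(h_labels) and len(h_labels) > 2
                and p_labels[1:] == h_labels[1:])
    return False


def hostname_covered(cert, hostname):
    """True if the user-typed hostname would pass the certificate name check."""
    return any(name_matches(n, hostname) for n in cert_hostnames(cert))


def check_endpoint(host, port=443):
    """Live check: fetch the served cert and test it against the typed name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; we report names ourselves
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_covered(cert, host), cert_hostnames(cert)


# Constructed sample certs using the thread's names (not real certificates).
OWA_CERT = {"subject": ((("countryName", "US"),), (("organizationName", "Company"),),
                        (("commonName", "mail.domain.com"),))}
WILDCARD_CERT = {"subject": ((("commonName", "*.domain.com"),),),
                 "subjectAltName": (("DNS", "*.domain.com"),)}
```

With OWA_CERT, https://Mail.domain.com passes even though DNS points it at the NLB, while NLB.domain.corp or HT-CA1.domain.corp typed directly would fail the name check.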
ASKER CERTIFIED SOLUTION
ASKER
Thanks for your help!!