YourElement
SSL Certificate for Exchange 2007 CAS NLB Cluster

We need to acquire an SSL certificate for our new Windows Network Load Balanced (NLB)/ Client Access Server pair (CAS) Exchange 2007 environment.

Here is the current configuration:
 
NLB Name:         NLB.domain.corp
CAS Node1:        HT-CA1.domain.corp      
CAS Node2:        HT-CA2.domain.corp
 
Public OWA address:
            https://Mail.domain.com/owa
 
I am not concerned with having users connect to OWA with the server name or with the local NLB name.  Also, we don't use Outlook Anywhere, therefore I do not expect to need a SAN or wildcard cert.

Is this correct?  What do I need to give Verisign to get an SSL cert for the public OWA site?


1.  Run this command from the Exchange Management Shell and give the .req file to the certificate company:

# -DomainName lists the host name(s) clients will use; -SubjectName needs its leading dash,
# and its CN should be the full public host name (CN=mail alone would not match mail.company.com).
# C= must be a two-letter country code. Note: public CAs no longer accept 1024-bit keys; use -KeySize 2048 today.
New-ExchangeCertificate -DomainName mail.company.com -FriendlyName OWACompany -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "C=<country>, O=Company, CN=mail.company.com"

2.  Import the issued certificate via the shell:
Import-ExchangeCertificate -Path c:\certnew.p7b

3.  Confirm the import:
Get-ExchangeCertificate -Thumbprint <thumbprint> | FL

4.  Enable the new certificate for the services that use it:
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,POP,IMAP
Paranormastic

Sounds like you have already done most of the legwork here.  Once you do the generaterequest you should receive a certificate signing request (CSR) file - this is the only thing from the server that any Trusted Root issuer (e.g. Verisign, RapidSSL, Comodo, etc.) would need.  The rest of the information is just company information that they can use to validate that you are an actual corporate or personal entity (i.e. not a scammer) that you would fill out on their website (company name, physical address, responsible person(s), and so forth).  The SSL company would then go through whatever vetting process that they use to verify that information and then issue your certificate.  Verisign usually takes 2-3 days or so, other vendors will vary.
YourElement

Thanks for your quick reply!

Does it matter that the public URL (https://Mail.domain.com/owa) is different than the actual load balanced URL (NLB.domain.corp)?

If I have DNS sending requests from the public to the internal URL, will the users get cert errors because the names don't match up?
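The name-mismatch question above, as an added example that is not part of the original thread: a small Python check of which of the configured host names a certificate's CN and SAN entries would cover, under the matching rules browsers and Outlook apply (SAN dNSName entries take precedence, the CN is consulted only when there is no SAN, and a wildcard covers exactly one label). The certificate names and host list are constructed from the question's configuration.

```python
# Added example (not from the original thread): decide which host names a
# certificate would be accepted for, using the RFC 6125 rules clients follow.
# Certificate names below are constructed from the question's configuration.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against one host name (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # A wildcard covers exactly one leftmost label, never the apex itself
        # and never more than one label deep.
        host_rest = host.partition(".")[2]
        return host_rest != "" and pattern[2:] == host_rest
    return False


def cert_covers(cn: str, sans: list[str], host: str) -> bool:
    """True if a cert with this subject CN and these dNSName SANs is valid for host."""
    # Clients ignore the CN as soon as the certificate carries any SAN entry.
    names = sans if sans else [cn]
    return any(_name_matches(n, host) for n in names)


def mismatch_report(cn: str, sans: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each host name clients might use to whether the cert would be accepted."""
    return {h: cert_covers(cn, sans, h) for h in hosts}


# Host names from the question: public OWA URL, the NLB name and the two CAS nodes.
CLIENT_HOSTS = ["mail.domain.com", "nlb.domain.corp",
                "ht-ca1.domain.corp", "ht-ca2.domain.corp"]

if __name__ == "__main__":
    # Single-name certificate as planned (CN only, no SAN): only the public
    # OWA name is covered; anything reaching the NLB or node names directly
    # would get a name-mismatch error.
    for h, ok in mismatch_report("mail.domain.com", [], CLIENT_HOSTS).items():
        print(f"{h:22} {'OK' if ok else 'NAME MISMATCH'}")
```

Run it against the names you actually publish in DNS; a name that reports a mismatch is one where users would see a certificate warning unless the request is rewritten to a covered name or the name is added as a SAN.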
ASKER CERTIFIED SOLUTION
Paranormastic

Thanks for your help!!