senmohan
asked on
how to install new SSL certificate to exchange 2007
My exchange server 2007 is running in windows 2003 ent. i am trying to install verisign ssl (Trail)certificate for my OWA.
First i have removed the self signed certificate from the exchange server. then as per the document i have generated the CSR (Certificate Signing Request ) upon the request i have received the Certificate and imported using Shell cmdlets. Also i have install the certificate in the test cleint.( as per verisign for trail ssl certificate we have install a certificate in each browser). Unfortunately now i am getting page cannot display message.
First i have removed the self signed certificate from the exchange server. then as per the document i have generated the CSR (Certificate Signing Request ) upon the request i have received the Certificate and imported using Shell cmdlets. Also i have install the certificate in the test cleint.( as per verisign for trail ssl certificate we have install a certificate in each browser). Unfortunately now i am getting page cannot display message.
Hi dear,
Although this procedure talks about using private SSL-certificates, it is almost identical when using official SSL-certificates.
Here we go:
1) Start by creating a SSL-certificate request file from your Exchange Server Shell, by issuing the following powershell cmdlet
New-ExchangeCertificate GenerateRequest Path c:\webmail_pdt_be.csr KeySize 1024 SubjectName c=BE, s=East-Flanders, l=Sint-Niklaas, o=PDT IT Services, ou=IT, cn=webmail.pdtit.be PrivateKeyExportable $True
2) The above cmdlet generated a Certificate Request File (CSR)
3) Next, we will upload this CSR to our internal Certificate Authority (if it is not installed already, install it to your internal server using the Control Panel Add/Remove Windows Components (2003) or Server Feature Roles (2008)), by using the Certificate Web Enrollment Services. You could also use the regular Certificate Authority MMC, but I love the webinterface for its ease of use J
4) Browse to https://<servername>/certsrv
5) Select Request a Certificate
6) Next, Select Advanced Certificate Request
7) Next, Choose Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file&
8) Then, Paste the contents from your CSR into the first field (include the first and list lines as well!!!); Choose Web Server as certificate template.
9) Click Submit
10) Select Base 64 Encoded + Save
11) If you open the CSR-file to check some property fields, you will notice the subject (cn) refers to the URL to be used for your webmail access.
12) Just for backup reasons, click copy to file to save a copy of the certificate file to disk.
13) Now the certificate file is saved to disk, we can import it back into Exchange 2007, by using powershell cmdlet again:
Import-ExchangeCertificate path c:\documents and settings\administrator\des ktop\webma il.pdtit.b e.cer
14) We can validate the import by using the Certificate MMC (start / run / mmc / add certificate snap-in / select computer account / personal store)
15) The next step involves activating our newly imported certificate for Exchange Web Services; first, we start by getting a list of the current imported Exchange related certificates, by issuing the following cmdlet:
Get-ExchangeCertificate
The certificate of interest for us is the one with Subject webmail.pdtit.be
16) Next, we will link this certificate to the Exchange Web Services, by using the following cmdlet:
Enable-ExchangeCertificate Thumbprint 1B19& Services IIS, POP, IMAP
Now, Exchange OWA will be linked to the SSL-certificate webmail.pdtit.be;
If we get the properties of the SSL-certificate in our Exchange OWA logon page (by clicking on the key-lock in the right below corner), the following information is shown:
Which means the OWA-service is indeed listening to the SSL-certificate with common name webmail.pdtit.be
Although this procedure talks about using private SSL-certificates, it is almost identical when using official SSL-certificates.
Here we go:
1) Start by creating a SSL-certificate request file from your Exchange Server Shell, by issuing the following powershell cmdlet
New-ExchangeCertificate GenerateRequest Path c:\webmail_pdt_be.csr KeySize 1024 SubjectName c=BE, s=East-Flanders, l=Sint-Niklaas, o=PDT IT Services, ou=IT, cn=webmail.pdtit.be PrivateKeyExportable $True
2) The above cmdlet generated a Certificate Request File (CSR)
3) Next, we will upload this CSR to our internal Certificate Authority (if it is not installed already, install it to your internal server using the Control Panel Add/Remove Windows Components (2003) or Server Feature Roles (2008)), by using the Certificate Web Enrollment Services. You could also use the regular Certificate Authority MMC, but I love the webinterface for its ease of use J
4) Browse to https://<servername>/certsrv
5) Select Request a Certificate
6) Next, Select Advanced Certificate Request
7) Next, Choose Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file&
8) Then, Paste the contents from your CSR into the first field (include the first and list lines as well!!!); Choose Web Server as certificate template.
9) Click Submit
10) Select Base 64 Encoded + Save
11) If you open the CSR-file to check some property fields, you will notice the subject (cn) refers to the URL to be used for your webmail access.
12) Just for backup reasons, click copy to file to save a copy of the certificate file to disk.
13) Now the certificate file is saved to disk, we can import it back into Exchange 2007, by using powershell cmdlet again:
Import-ExchangeCertificate
14) We can validate the import by using the Certificate MMC (start / run / mmc / add certificate snap-in / select computer account / personal store)
15) The next step involves activating our newly imported certificate for Exchange Web Services; first, we start by getting a list of the current imported Exchange related certificates, by issuing the following cmdlet:
Get-ExchangeCertificate
The certificate of interest for us is the one with Subject webmail.pdtit.be
16) Next, we will link this certificate to the Exchange Web Services, by using the following cmdlet:
Enable-ExchangeCertificate
Now, Exchange OWA will be linked to the SSL-certificate webmail.pdtit.be;
If we get the properties of the SSL-certificate in our Exchange OWA logon page (by clicking on the key-lock in the right below corner), the following information is shown:
Which means the OWA-service is indeed listening to the SSL-certificate with common name webmail.pdtit.be
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
yes. With your solution i am done with my job. Thank a lot.
:) No Problem - ThanQ
http://technet.microsoft.c
In the technet article, look at the section 2 (Configure the URLs for Exchange services ) as that is your next step. It sounds like you may have step #1 done.