Solved

Installing Basic SSL certificate in IIS for OWA

Posted on 2009-04-14
12
801 Views
Last Modified: 2012-05-06
I was hoping that someone could point me in the right direction on this.  I do not have much background on security certificates, so alot of this is new to me.

I have purchased a Basic SSL certificate for our Exchange 2007 OWA.  The credentials have been verified, and I have received the certificates from the 3rd party authority.  However, I'm not sure what steps I need to go through to successfully install this certificate.  After doing some online research, I have found that I needed to create a CSR beforehand.  However, I never created this CSR because I didn't know that I needed to.  I see that Exchange 2007 has a self-signed cert being used, but how do I go about replacing this with the new cert?  When I open IIS, go to properties of Default WebSite, click Directory Security and Server certificate, I have the 2 options of Renew or Remove certificate.  If I click Remove, and then go back into Server certificate, I see all of the options available now.  If I click "Assign an existing certificate", my only option is the default Exchange 2007 cert.  If I click "Create a new certificate", I go through the steps successfully, but then it asks for the response from the 3rd party (a .cer I believe).  However, the only files that they sent me were .crt files.

Any insight?
0
Comment
Question by:david_greer
  • 5
  • 3
  • 3
  • +1
12 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 24139366
you have to provide the information to the SSL provider that was used in the CSR.  it is not a big deal if you have to recreate it.  Do a CSR request on the Exchange server.  Use that information to resissue the SSL. Once you get back the certificate, the option to install the SSL that was created from the CSR will be there.  

Once it is installed, you can go to the default website in IIS and select that SSL cert.  make sure that you enable SSL for the OWA virtual directory as well.

You can also check out this website for more in depth directions:

http://www.petri.co.il/configure_ssl_on_owa.htm
0
 

Author Comment

by:david_greer
ID: 24139585
Okay.  I have gone through the wizard of creating the CSR.  Do I email them this file, or do I just go to their website and click "Reissue" on our certificate?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24140003
As this is Exchange 2007, you do not use IIS to request and process the SSL request. It needs to be done through the Exchange Management Shell.
Furthermore you really need a SAN/UC certificate, not a single name certificate for Exchange to work correctly.
I have outlined everything that you need to do on my blog here:
http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

Simon.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24140014
it should probably be reissue.  There should be a place that you can reenter the info.  
0
 
LVL 12

Expert Comment

by:ryan80
ID: 24140025
sorry, I was thinking of Exchange 2003.  Mestha know 1000 times more than me, so listen to him.
0
 

Author Comment

by:david_greer
ID: 24142367
Okay.  Thank you for the replies.  However, we have already purchased the certificate and paid ahead for 4 years.  We can't purchase a SAN/UC certificate since we already have this basic cert.  Also to note; we are not running Server 2008 and do not plan to use Outlook Anywhere.  

Is there anything that I can do since this blog relates to using SAN/UC certificates?
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 65

Expert Comment

by:Mestha
ID: 24142527
Tell the vendor you bought the wrong thing and ask them to refund it.
You will not be the first or the last to buy the wrong certificate type. SSL certificates are the major pain point with Exchange 2007.

It is possible to use Exchange 2007 with a single name SSL certificate but your external DNS host MUST support SRV records. If they do not then you need to change the certificate as they are not compatible.

Simon.
0
 

Author Comment

by:david_greer
ID: 24142624
Okay.........I have just emailed our DNS host provider and asked them if they provide support for these SRV records.  If they DO..........where do I go from there?
0
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24142944
A lot of DNS providers do not support SRV records.

If they do, then I wrote this guide on making the change.
http://www.amset.info/exchange/singlenamessl.asp

Simon.
0
 

Author Comment

by:david_greer
ID: 24198792
Sorry about the long wait Mestha.  Things have been very hectic here lately.

At any rate, I have confirmed with our DNS provider that they do support SRV records.  I will try to now go through your article and get this setup.
0
 

Author Closing Comment

by:david_greer
ID: 31569958
Thank you for the article
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24271512
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Here are the symptoms: You start receiving calls from users that one of your legacy web apps isn't coming up, so you log into your IIS 5 server to check it out.  When you pull up the services, you notice that the WWW Publishing service isn't runn…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now