Setting up SSL Certificates for Exchange 2010 and my website

Posted on 2010-11-28
Last Modified: 2012-05-10
I am completely baffled by SSL certificates. I understand the concepts of trust and security but the actual installation and setup of certificates so that everybody is happy has always been confusing for me.

Here is my current setup:

      - Website www.mycompany.com, hosted with 1and1.com's web hosting service
      - Windows 2008 Server on a business network with a dynamic IP
      - mycompany.dyndns.org - dynamically updated to point to my Windows server
      - Microsoft Exchange Server 2010 running on the Windows machine, with Outlook Web Access, IMAP, POP3 and Outlook Anywhere (although OA is not working at the moment)
      - "remote.mycompany.com" - set up in 1and1 to have a CNAME pointing to mycompany.dyndns.org
      - "mail.mycompany.com" - set up as an HTTP redirect to https://remote.mycompany.com/owa

Ideally what I would like to do is purchase one or more SSL certificates from 1and1.com (they offer "QuickSSL" certificates signed by GeoTrust) and set it up so that:

1) Users can connect to https://remote.mycompany.com/owa and not get an "untrusted certificate" warning
2) Users can connect to https://mycompany.com/* and use my website's online shopping cart system without getting "untrusted certificate" warnings (this website is hosted by 1and1)
3) Users can connect to outlook web access, and use "outlook anywhere" on their outlook without it failing with untrusted certificate warnings
4) Users can connect via IMAP and SMTP with SSL encryption, without it failing with untrusted certificate errors.

I really have no idea where to begin with this. I know when I buy a certificate from 1and1.com they'll probably hold my hand through the process of getting my actual www.mycompany.com website secured via SSL, but what about my Windows Server machine? I will need to install the certificate into IIS somehow and make sure everything lines up properly, but I don't really know what to do here.
Question by:Frosty555

Accepted Solution

tstritof earned 500 total points
ID: 34226678

SSL certificates are just about names. The point is - if you want to enable access to a certain secured site or service by its name and prevent visitors from being warned off by an invalid certificate (or even worse - failing to connect) you need to:
1) Ensure that the certificate presented contains a Common Name (CN) or Subject Alternative Name (SAN) that exactly matches the name that was used to access the site or service.
2) Ensure that the certificate was issued by a trusted certificate authority.

For Exchange services you can even manage with a single name for all services, however it requires some manual configuration regarding SRV records in DNS so if you can avoid it - do so.

GeoTrust QuickSSL supports adding up to 3 SANs to a certificate issued for some CN. Also, I've seen them advertise a free www.mydomain.com added to certificate issued for mydomain.com but I guess that it won't extend the number of SANs they allow per quick SSL certificate.

So the main point here would be - what names will you need? As far as I can see - this will be needed:


and possibly

mail.mycompany.com (depending on what you set up your OA service to use)
www.mycompany.com (if someone uses that instead of mycompany.com when accessing your web shop)

So, we have 5 names, but can use only 4 in quick SSL.

One more thing I see as a problem is redirecting your mail.mycompany.com to remote.company.com/owa. This is something I don't suggest because you are headed for problems if you intend to use mail.mydomain.com as the name for your mail server.

And since all your mail services and remote services point to a SINGLE server, there is no advantage in setting up different fqdns for them (pop.mydomain.com, mail.mydomain.com, remote.mydomain.com...) since you can't stuff them into a single QuickSSL anyway.

Another thing to consider is the possibility you'll be setting up some WSS sites or possibly a RDS Gateway on your server. When that happens you'll be looking at more names to add to your certificate. But at that point QuickSSL probably won't cut it anyway.

So this is what I suggest at this point:

Get a single QuickSSL certificate for the following Common Name:


and add following 3 SANs to it:


That way you will have a certificate that will:
1) Support your public web site and web shop (mydomain.com, www.mydomain.com)
2) Support autodiscover service for your Exchange
3) Support any public services you intend to publish from your Windows server as long as they use remote.mydomain.com to be accessed.

And if you find that your DNS provider would support SRV records under free setup that you have (mydomain.dyndns.org) you might even use some other name you WILL actually use instead of autodiscover name.


Expert Comment

ID: 34226689
Can you please check whether the OWA virtual directory is holding the right certificate. If it is not, then choose the right certificate.

Expert Comment

ID: 34226695
Hi, just noticed it - sorry for me using "mycompany" and "mydomain" inconsistently but I hope you got the idea.

And to clear it up - you'll be publishing all the services from your server under remote.mydomain.com (SMTP, POP, IMAP, OWA, OA...).
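An added example (not code from the thread) that applies the naming point made above: given the Common Name and SANs a single QuickSSL order would carry and the host name each service is reached by (constructed values mirroring this question), it reports which services would still produce a name-mismatch warning and flags the fifth name that does not fit the one-CN-plus-three-SAN limit.

```powershell
# Added example, not from the thread. All values below are constructed to mirror the question.

function Test-HostnameMatch {
    param([string]$Pattern, [string]$Hostname)
    $p = $Pattern.ToLowerInvariant()
    $h = $Hostname.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard is honoured only in the left-most label and matches exactly one label
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                       # e.g. ".mycompany.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $leftLabel = $h.Substring(0, $h.Length - $suffix.Length)
        return ($leftLabel.Length -gt 0) -and (-not $leftLabel.Contains('.'))
    }
    return $false
}

function Get-CertificateCoverage {
    param(
        [string]$CommonName,
        [string[]]$SubjectAltNames,
        [hashtable]$ServiceHosts,   # service label -> host name clients connect to
        [int]$MaxSans = 3           # QuickSSL limit quoted in the answer above
    )
    if ($SubjectAltNames.Count -gt $MaxSans) {
        Write-Warning "$($SubjectAltNames.Count) SANs requested but only $MaxSans fit in one certificate"
    }
    $certNames = @($CommonName) + $SubjectAltNames
    foreach ($service in ($ServiceHosts.Keys | Sort-Object)) {
        $target  = $ServiceHosts[$service]
        $covered = [bool]($certNames | Where-Object { Test-HostnameMatch -Pattern $_ -Hostname $target })
        New-Object PSObject -Property @{ Service = $service; HostName = $target; Covered = $covered }
    }
}

# Constructed input: the CN plus the three SANs suggested above, and the published services
$cn   = 'mycompany.com'
$sans = 'www.mycompany.com', 'remote.mycompany.com', 'autodiscover.mycompany.com'
$services = @{
    'Web shop (https://mycompany.com)'     = 'mycompany.com'
    'Web shop (https://www.mycompany.com)' = 'www.mycompany.com'
    'OWA / Outlook Anywhere'              = 'remote.mycompany.com'
    'IMAP / SMTP over SSL'                = 'remote.mycompany.com'
    'Autodiscover'                        = 'autodiscover.mycompany.com'
    'Old mail.mycompany.com name'         = 'mail.mycompany.com'   # the fifth name: left uncovered
}
Get-CertificateCoverage -CommonName $cn -SubjectAltNames $sans -ServiceHosts $services |
    Format-Table Service, HostName, Covered -AutoSize
```

Any row reported as not covered is a host name clients will see an "untrusted certificate" warning for, which is why the answer recommends pointing every mail service at remote.mycompany.com rather than separate names.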

Author Comment

ID: 34244207

That's a huge wealth of information you've given me. Thank you!

Now as far as the actual certificates inside of Exchange go - I have no idea what I have in there, it would be whatever Windows Server 2008 setup automatically which is almost certainly wrong. I've been accessing everything via the mycompany.dyndns.org name and only recently did the switch over to remote.mycompany.com, so I'm sure everything is messed up now.

So when I sign up for a Geotrust SSL certificate, I tell them all three names I want (mycompany.com, remote.mycompany.com, autodiscover.mycompany.com) and then it will create a single certificate that I can import into my server? Or is it 3 separate certificates?

Or, do I "create request" on the Server, send that info off to Geotrust QuickSSL, they send me back a response and I perform a "complete request" on the Server?

Is the "SSL Certificates" section of IIS Manager the only place I need to go to configure certificates for my Windows Server machine, or are there other places I have to go tweak settings?

Assisted Solution

tstritof earned 500 total points
ID: 34246312

A few pointers regarding QuickSSL first.

I purchased my GeoTrust QuickSSL certificate through dyndns.com and it turned out cheaper than going directly through GeoTrust. However, I have a few other services active on dyndns.com (domain hosting, custom DNS, backup mail server) so that might have influenced the pricing. I guess you'll have similar options with 1and1.com.

Regarding the certificate creation process on dyndns: in the first step I was prompted for a CN for the certificate (Common Name - the main name for which the certificate is issued). In one of the next steps I had to create the request for the common name on my IIS and copy/paste the contents of the request file (it's basically a text file, usually with a .req extension) into the web order form. There were detailed instructions on dyndns on how to create a certificate request for different types of web servers. In one of the final steps (maybe even as part of the request approval process on the GeoTrust site) I was offered to add up to 3 SANs (subject alternative names). Make sure that you set up correct e-mail addresses for the certificate request approval process or you'll hit problems at some point (it would be best if the e-mail referenced mydomain.com - that's one of the things that confirms your ties to the domain).

A single certificate should be created as a result of that. This is important because IIS normally won't allow you to use multiple certificates on the same server (there may be a way to override this by directly modifying the metabase but I'm not sure).

Once the certificate had been issued I imported it to IIS by finalizing the previously started certificate request process - you have assumed this correctly.

I suggest you request the certificate for mycompany.com as CN and www.mycompany.com, remote.mycompany.com and autodiscover.mycompany.com as SANs. I don't know the insides of your hosted public site and web shop but if it can be accessed through either mycompany.com or www.mycompany.com it's better you include both names in the certificate to avoid problems.

The list of available certificates shows up in "SSL certificates" section. However, a specific certificate is chosen when you create a https host header (a binding) on IIS site. If you are only using IIS to access OWA and for other Exchange services then you won't have to specify host names in https bindings and you are good to go.

After you set things up it's good to do an iisreset before proceeding to Exchange configuration.

After this you should go to your Exchange and do few simple steps which are to:
- disable Outlook Anywhere on your CAS,
- reenable Outlook Anywhere on your CAS and specify the "remote.mycompany.com" as a name for client access

This will be the default name distributed by autodiscover service to Outlook clients and ActiveSync devices and is covered by your cert so there should be no problems. To make sure that Exchange uses this name and not something else run the following command in your Exchange Management Shell:


The output should look like this:
Name                Server              CertPrincipalName   TTL
----                ------              -----------------   ---
EXCH                                                        1
EXPR                                                        1
WEB                                                         1


If it doesn't, use the Set-OutlookProvider command to clear the invalid values. Syntax for that is:

Set-OutlookProvider <provider> -CertPrincipalName $null

where provider may be EXCH, EXPR or WEB.

Regarding your DNS setup, I would do following:
- set up a CNAME autodiscover.mycompany.com to point to mycompany.dyndns.org
- remove the mapping you created for mail.mycompany.com

The final note is that autodiscover.mycompany.com isn't a must in your cert but sure minimizes problems. This is why:
- if your e-mail is someone@mycompany.com the autodiscovery first tries to locate the autodiscovery service at https://autodiscover.mycompany.com
- if that fails an attempt is made to locate the autodiscovery at mycompany.com - which in your case points to a wrong IP
- if that fails an attempt is made to locate the autodiscovery by address pointed to by SRV record in your DNS which might look something like this in your case:
_autodiscover._tcp.mycompany.com 60 IN SRV 10 0 443 remote.mycompany.com.
which tells that autodiscover service requests should be redirected to remote.mycompany.com (here's some basic info on SRV records). However, this option requires that your DNS provider supports SRV records (probably does) but also that your autodiscover partners (Outlook,...) know how to utilize them.

There are some other steps Outlook can perform in Exchange autodiscovery if that fails, but this is something I never rely on due to required certificate names.

Finally, remember that any secured service you'll be publishing (pop...) will have to refer to remote.mycompany.com for server name and may require some additional setup depending on your requirements.

And if you ever plan to put things like RDS Gateway on the same machine it will have to use the same name because this service is tied in with IIS (meaning that when you change the cert in either console it automatically changes the cert for the other service too - can cause some headaches until you realize that :)).

Well, that's about it - good luck with your setup!
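The request, import, Outlook Anywhere and Outlook provider steps from the answer above as Exchange 2010 Management Shell commands. This is an added example, not the poster's own commands; it assumes a server named EXCH01, files under C:\certs, and the CN/SAN set suggested in the thread.

```powershell
# Added example, not from the thread. Assumed: server EXCH01, paths under C:\certs,
# the CN/SAN set suggested above. Run each stage and check its output before the next.

# 1. Generate one certificate request on the Exchange server (CN plus three SANs)
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=CA,O=My Company,CN=mycompany.com' `
    -DomainName www.mycompany.com,remote.mycompany.com,autodiscover.mycompany.com `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mycompany.req' -Value $req   # paste this text into the CA's order form

# 2. Once the CA has issued it, complete the pending request and bind it to every published service
$certBytes = [byte[]](Get-Content -Path 'C:\certs\mycompany.cer' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $certBytes |
    Enable-ExchangeCertificate -Services IIS,SMTP,POP,IMAP

# 3. Confirm the enabled certificate carries the names clients actually use
Get-ExchangeCertificate |
    Where-Object { $_.Services -ne 'None' } |
    Format-List Subject, CertificateDomains, Services, NotAfter

# 4. Re-create Outlook Anywhere so it advertises the external name that the certificate covers
Disable-OutlookAnywhere -Server EXCH01 -Confirm:$false
Enable-OutlookAnywhere -Server EXCH01 -ExternalHostname remote.mycompany.com `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 5. A stale CertPrincipalName on an Outlook provider that no longer matches the certificate
#    makes Outlook Anywhere fail; clear it as described above, then show the resulting table
foreach ($provider in Get-OutlookProvider) {
    if ($provider.CertPrincipalName -and $provider.CertPrincipalName -ne 'msstd:remote.mycompany.com') {
        Write-Host "Clearing stale CertPrincipalName on $($provider.Name): $($provider.CertPrincipalName)"
        Set-OutlookProvider -Identity $provider.Name -CertPrincipalName $null
    }
}
Get-OutlookProvider | Format-Table Name, Server, CertPrincipalName, TTL -AutoSize
```

The final table should show empty CertPrincipalName values for EXCH, EXPR and WEB, matching the expected output shown earlier in the answer.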

Author Comment

ID: 34277113
tstritof: thank you very much for your help, you've made this a LOT clearer to me.

A little update - it turns out that 1and1.com does NOT give you the certificate that you purchase, and they do not support using the certificate anywhere other than their own servers. After a run around with their support, none of whom are as knowledgeable on the subject as you, they eventually just stopped returning my emails.

Pretty ridiculous when you think it's a standard Geotrust certificate that I can get anywhere, I expect to have access to the services I've purchased.

On your suggestion, I think I'm going to demand my money back from them and purchase one from DynDNS - since you've had success with that in the past.

Expert Comment

ID: 34277262
No problem. I can recommend DynDNS, they are one of the best on-line services I've ever used - easy to work with, 0 outages in 4 years and not bugging the customer with spam.
