

Setting up SSL Certificates for Exchange 2010 and my website

Posted on 2010-11-28
Medium Priority
Last Modified: 2012-05-10
I am completely baffled by SSL certificates. I understand the concepts of trust and security but the actual installation and setup of certificates so that everybody is happy has always been confusing for me.

Here is my current setup:

      - Website www.mycompany.com - hosted with 1and1.com's web hosting service

      - Windows 2008 Server on a business network with a dynamic IP
      - mycompany.dyndns.org - dynamically updated to point to my Windows server

      - Microsoft Exchange Server 2010 running on the Windows machine, with Outlook Web Access, IMAP, POP3 and Outlook Anywhere (although OA is not working at the moment)
      - "remote.mycompany.com" - set up in 1and1 to have a CNAME pointing to mycompany.dyndns.org
      - "mail.mycompany.com" - set up as an HTTP redirect to https://remote.mycompany.com/owa

Ideally what I would like to do is purchase one or more SSL certificates from 1and1.com (they offer "QuickSSL" certificates signed by GeoTrust) and set it up so that:

1) Users can connect to https://remote.mycompany.com/owa and not get an "untrusted certificate" warning
2) Users can connect to https://mycompany.com/* and use my website's online shopping cart system without getting "untrusted certificate" warnings (this website is hosted by 1and1)
3) Users can connect to outlook web access, and use "outlook anywhere" on their outlook without it failing with untrusted certificate warnings
4) Users can connect via IMAP and SMTP with SSL encryption, without it failing with untrusted certificate errors.

I really have no idea where to begin with this. I know when I buy a certificate from 1and1.com they'll probably hold my hand through the process of getting my actual www.mycompany.com website secured via SSL, but what about my Windows Server machine? I will need to install the certificate into IIS somehow and make sure everything lines up properly, but I don't really know what to do here.
Question by: Frosty555

Accepted Solution

tstritof earned 2000 total points
ID: 34226678

SSL certificates are just about names. The point is - if you want to enable access to a certain secured site or service by its name and prevent visitors from being warned off by an invalid certificate (or even worse - failing to connect) you need to:
1) Ensure that the certificate presented contains a Common Name (CN) or Subject Alternative Name (SAN) that exactly matches the name that was used to access the site or service.
2) Ensure that the certificate was issued by a trusted certificate authority.

For Exchange services you can even manage with a single name for all services, however it requires some manual configuration regarding SRV records in DNS so if you can avoid it - do so.

GeoTrust QuickSSL supports adding up to 3 SANs to a certificate issued for some CN. Also, I've seen them advertise a free www.mydomain.com added to a certificate issued for mydomain.com, but I guess that it won't extend the number of SANs they allow per QuickSSL certificate.

So the main point here would be - what names will you need? As far as I can see - this will be needed:


and possibly

mail.mycompany.com (depending on what you set up your OA service to use)
www.mycompany.com (if someone uses that instead of mycompany.com when accessing your web shop)

So, we have 5 names, but can use only 4 in QuickSSL.

One more thing I see as a problem is redirecting your mail.mycompany.com to remote.company.com/owa. This is something I don't suggest because you are headed for problems if you intend to use mail.mydomain.com as the name for your mail server.

And since all your mail services and remote services point to a SINGLE server, there is no advantage in setting up different FQDNs for them (pop.mydomain.com, mail.mydomain.com, remote.mydomain.com...) since you can't stuff them into a single QuickSSL anyway.

Another thing to consider is the possibility you'll be setting up some WSS sites or possibly a RDS Gateway on your server. When that happens you'll be looking at more names to add to your certificate. But at that point QuickSSL probably won't cut it anyway.

So this is what I suggest at this point:

Get a single QuickSSL certificate for the following Common Name:


and add following 3 SANs to it:


That way you will have a certificate that will:
1) Support your public web site and web shop (mydomain.com, www.mydomain.com)
2) Support autodiscover service for your Exchange
3) Support any public services you intend to publish from your Windows server as long as they use remote.mydomain.com to be accessed.

And if you find that your DNS provider would support SRV records under free setup that you have (mydomain.dyndns.org) you might even use some other name you WILL actually use instead of autodiscover name.


Expert Comment

ID: 34226689
Can you please check whether the OWA virtual directory is holding the right certificate. If it is, then choose the right certificate.

Expert Comment

ID: 34226695
Hi, just noticed it - sorry for me using "mycompany" and "mydomain" inconsistently but I hope you got the idea.

And to clear it up - you'll be publishing all the services from your server under remote.mydomain.com (SMTP, POP, IMAP, OWA, OA...).


Author Comment

ID: 34244207

That's a huge wealth of information you've given me. Thank you!

Now as far as the actual certificates inside of Exchange go - I have no idea what I have in there, it would be whatever Windows Server 2008 set up automatically, which is almost certainly wrong. I've been accessing everything via the mycompany.dyndns.org name and only recently did the switch over to remote.mycompany.com, so I'm sure everything is messed up now.

So when I sign up for a Geotrust SSL certificate, I tell them all three names I want (mycompany.com, remote.mycompany.com, autodiscover.mycompany.com) and then it will create a single certificate that I can import into my server? Or is it 3 separate certificates?

Or, do I "create request" on the Server, send that info off to Geotrust QuickSSL, they send me back a response and I perform a "complete request" on the Server?

Is the "SSL Certificates" section of IIS Manager the only place I need to go to configure certificates for my Windows Server machine, or are there other places I have to go tweak settings?

Assisted Solution

tstritof earned 2000 total points
ID: 34246312

A few pointers regarding QuickSSL first.

I purchased my GeoTrust QuickSSL certificate through dyndns.com and it turned out cheaper than going directly through GeoTrust. However, I have a few other services active on dyndns.com (domain hosting, custom DNS, backup mail server) so that might have influenced the pricing. I guess you'll have similar options with 1and1.com.

Regarding the certificate creation process on dyndns: in the first step I was prompted for the CN of the certificate (Common Name - the main name for which the certificate is issued). In one of the next steps I had to create the request for the common name on my IIS and copy/paste the contents of the request file (it's basically a text file, usually with a .req extension) into the web order form. There were detailed instructions on dyndns on how to create a certificate request for different types of web servers. In one of the final steps (maybe even as part of the request approval process on the GeoTrust site) I was offered to add up to 3 SANs (subject alternative names). Make sure that you set up correct e-mail addresses for the certificate request approval process or you'll hit problems at some point (it would be best if the e-mail referenced mydomain.com - that's one of the things that confirms your ties to the domain).

A single certificate should be created as a result of that. This is important because IIS normally won't allow you to use multiple certificates on the same server (there may be a way to override this by directly modifying the metabase but I'm not sure).

Once the certificate had been issued I imported it to IIS by finalizing the previously started certificate request process - you have assumed this correctly.

I suggest you request the certificate for mycompany.com as CN and www.mycompany.com, remote.mycompany.com and autodiscover.mycompany.com as SANs. I don't know the insides of your hosted public site and web shop but if it can be accessed through either mycompany.com and www.mycompany.com it's better you include both names in the certificate to avoid problems.

The list of available certificates shows up in "SSL certificates" section. However, a specific certificate is chosen when you create a https host header (a binding) on IIS site. If you are only using IIS to access OWA and for other Exchange services then you won't have to specify host names in https bindings and you are good to go.

After you set things up it's good to do an iisreset before proceeding to Exchange configuration.

After this you should go to your Exchange and do a few simple steps, which are to:
- disable Outlook Anywhere on your CAS,
- re-enable Outlook Anywhere on your CAS and specify "remote.mycompany.com" as the name for client access

This will be the default name distributed by autodiscover service to Outlook clients and ActiveSync devices and is covered by your cert so there should be no problems. To make sure that Exchange uses this name and not something else run the following command in your Exchange Management Shell:


The output should look like this:
Name                Server              CertPrincipalName   TTL
----                ------              -----------------   ---
EXCH                                                        1
EXPR                                                        1
WEB                                                         1


If it doesn't, use the Set-OutlookProvider command to clear the invalid values. The syntax for that is:

Set-OutlookProvider <provider> -CertPrincipalName $null

where provider may be EXCH, EXPR or WEB.

Regarding your DNS setup, I would do the following:
- set up a CNAME autodiscover.mycompany.com to point to mycompany.dyndns.org
- remove the mapping you created for mail.mycompany.com

The final note is that autodiscover.mycompany.com isn't a must in your cert but sure minimizes problems. This is why:
- if your e-mail is someone@mycompany.com the autodiscovery first tries to locate the autodiscovery service at https://autodiscover.mycompany.com
- if that fails, an attempt is made to locate the autodiscovery at mycompany.com - which in your case points to a wrong IP
- if that fails an attempt is made to locate the autodiscovery by address pointed to by SRV record in your DNS which might look something like this in your case:
_autodiscover._tcp.mycompany.com 60 IN SRV 10 0 443 remote.mycompany.com.
which tells that autodiscover service requests should be redirected to remote.mycompany.com (here's some basic info on SRV records). However, this option requires that your DNS provider supports SRV records (it probably does) but also that your autodiscover partners (Outlook,...) know how to utilize them.

There are some other steps Outlook can perform in Exchange autodiscovery if that fails, but this is something I never rely on due to required certificate names.

Finally, remember that any secured service you'll be publishing (pop...) will have to refer to remote.mycompany.com for server name and may require some additional setup depending on your requirements.

And if you ever plan to put things like RDS Gateway on the same machine it will have to use the same name because this service is tied in with IIS (meaning that when you change the cert in either console it automatically changes the cert for the other service too - can cause some headaches until you realize that :)).

Well, that's about it - good luck with your setup!
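The certificate-name rule from the accepted answer and the autodiscover lookup order described in this post, as an added example that is not part of the thread: the DNS records, IP addresses and certificate names are constructed, and `resolve`, `cert_matches`, `uncovered_names` and `autodiscover` are hypothetical helpers, not Exchange or Outlook code.

```python
# Added example (not from the thread); DNS data, IPs and cert names are constructed.
DNS = {
    "mycompany.com": {"A": "198.51.100.10"},            # 1and1-hosted web shop
    "www.mycompany.com": {"CNAME": "mycompany.com"},
    "remote.mycompany.com": {"CNAME": "mycompany.dyndns.org"},
    "autodiscover.mycompany.com": {"CNAME": "mycompany.dyndns.org"},
    "mycompany.dyndns.org": {"A": "203.0.113.25"},      # the Exchange server
    "_autodiscover._tcp.mycompany.com": {"SRV": (10, 0, 443, "remote.mycompany.com")},
}
EXCHANGE_IP = "203.0.113.25"
# The single QuickSSL certificate the answer suggests: CN plus three SANs.
CERT_NAMES = ["mycompany.com", "www.mycompany.com",
              "remote.mycompany.com", "autodiscover.mycompany.com"]

def resolve(name, depth=0):
    """Follow CNAMEs to an A record; None if the name does not resolve."""
    rec = DNS.get(name.lower().rstrip("."))
    if rec is None or depth > 8:
        return None
    if "A" in rec:
        return rec["A"]
    return resolve(rec["CNAME"], depth + 1) if "CNAME" in rec else None

def cert_matches(hostname, names=CERT_NAMES):
    """A connection is clean only if the CN or a SAN matches the host exactly."""
    return hostname.lower().rstrip(".") in {n.lower() for n in names}

def uncovered_names(required, names=CERT_NAMES):
    """Names clients might use that this certificate would warn about."""
    return [h for h in required if not cert_matches(h, names)]

def autodiscover(email, names=CERT_NAMES):
    """Walk the lookup order from the answer: autodiscover.<domain>, <domain>,
    then the SRV target. Returns (host, outcome) per attempt, stopping at success."""
    domain = email.rsplit("@", 1)[1].lower()
    candidates = ["autodiscover." + domain, domain]
    srv = DNS.get("_autodiscover._tcp." + domain, {}).get("SRV")
    if srv:
        candidates.append(srv[3])                  # target host of the SRV record
    tried = []
    for host in candidates:
        if resolve(host) != EXCHANGE_IP:
            tried.append((host, "wrong-server"))   # e.g. lands on the 1and1 web host
        elif not cert_matches(host, names):
            tried.append((host, "cert-mismatch"))  # certificate warning, Outlook gives up
        else:
            tried.append((host, "ok"))
            break
    return tried
```

Running `autodiscover("someone@mycompany.com")` with the three-name certificate (no autodiscover SAN) shows why the SRV record is the fallback: the first step fails on the name, the second lands on the web host, and only the SRV target succeeds.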


Author Comment

ID: 34277113
tstritof: thank you very much for your help, you've made this a LOT clearer to me.

A little update - it turns out that 1and1.com does NOT give you the certificate that you purchase, and they do not support using the certificate anywhere other than their own servers. After a run-around with their support, none of whom are as knowledgeable on the subject as you, they eventually just stopped returning my emails.

Pretty ridiculous when you think it's a standard GeoTrust certificate that I can get anywhere; I expect to have access to the services I've purchased.

On your suggestion, I think I'm going to demand my money back from them and purchase one from DynDNS - since you've had success with that in the past.

Expert Comment

ID: 34277262
No problem. I can recommend DynDNS, they are one of the best on-line services I've ever used - easy to work with, 0 outages in 4 years and not bugging the customer with spam.

