Exchange 2007 certificates
Hello,
I am trying to configure exchange 2007 (one single standalone server) to use the Private CA I just set up on my windows 2008 box. I am new to Windows Active Directory Certificate Services and am not sure how to configure exchange to use the certificate server instead of the self-signing one. My goal is to set up outlook anywhere for a client who does not want to buy a provider-based cert. Any help is appreciated. Thanks.
I am trying to configure exchange 2007 (one single standalone server) to use the Private CA I just set up on my windows 2008 box. I am new to Windows Active Directory Certificate Services and am not sure how to configure exchange to use the certificate server instead of the self-signing one. My goal is to set up outlook anywhere for a client who does not want to buy a provider-based cert. Any help is appreciated. Thanks.
flaphead_com
so i do this .. you need to add the internal cert authority to the trust cert authorities on each client machine
ASKER
ok, I am new to internal certs... I need to add a cert from the CA to each machine needing Outlook anywhere?
How do I add certs to machines?
How do I add certs to machines?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
If my internet domain is mail.domain.net (domain name provided by an external source) and my internal AD domain is mail.domain.local what should I put as the subject name in the request so that the client computer can access exchange from outside or inside the network?
Internally your clients won't be using Outlook anywhere, they'll just be using MAPI so you need to set it to work for external access, so use 'mail.domain.net'
ASKER
hmm how would you set that up in outlook? When you choose to connect to an exchange server you would put in mail.domain.local.
then when you travel outside the network you need to change it to mail.domain.net?
then when you travel outside the network you need to change it to mail.domain.net?
You shouldn't have to configure it in Outlook if you have Autodiscover working. Assuming that it's not working you would need to configure a profile as you would normally pointing to your internal server name. Then go into 'More Settings', Click the 'Connection' tab, then click 'Exchange Proxy Settings', then enter in the external name settings. See the screenshot....
ASKER
ok so here is the code I am typing in exchange shell
New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mai
New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mai
Looks fine.
ASKER
ok I have the request file, how do I submit it to the Windows CA?
1. Navigate to https://<Internal PKI CA>/certsrv
2. Choose Request a Certificate.
3. Choose Advanced Certificate Request.
4. Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Select Web server as the certificate template.
6. Copy the text from the cert request file and paste into the window.
7. Submit the request.
7. Click to download the certificate and save it as c:\cert.cer
8. Import the certificate file using the following command from the EMC:
Import-ExchangeCertificate
9. Check the new certificate is listed as expected using:
get-exchangecertificate | fl
This will give you the thumbprint of the new certificate which is needed in the next step.
10. Allow the cert to be used for IIS and SMTP with the following command:
Enable-ExchangeCertificate
2. Choose Request a Certificate.
3. Choose Advanced Certificate Request.
4. Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Select Web server as the certificate template.
6. Copy the text from the cert request file and paste into the window.
7. Submit the request.
7. Click to download the certificate and save it as c:\cert.cer
8. Import the certificate file using the following command from the EMC:
Import-ExchangeCertificate
9. Check the new certificate is listed as expected using:
get-exchangecertificate | fl
This will give you the thumbprint of the new certificate which is needed in the next step.
10. Allow the cert to be used for IIS and SMTP with the following command:
Enable-ExchangeCertificate
ASKER
Alright, everything seems to be working. I am just dealing with an issue with clients connecting externally. It keeps asking for the password and never accepts it. I am looking into it, but it seems to have something to do with the check box "Only Connect to Proxy Servers that have this principal name in the certificate."
(connected internally)
everything works as expected
(connected externally)
When I uncheck the box and restart outlook, it connects just fine to Exchange. Eventually outlook resets this setting and I will have to change it again.
any ideas?
(connected internally)
everything works as expected
(connected externally)
When I uncheck the box and restart outlook, it connects just fine to Exchange. Eventually outlook resets this setting and I will have to change it again.
any ideas?
My apologies, I think I made an error when i looked at your certificate request. If you look at the certificate it probably states that it is issued to: mail.domain.local, it should be issued to mail.domain.net
Request a new certificate:
New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mai
Once installed this should work.
Request a new certificate:
New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mai
Once installed this should work.
ASKER
Oh that worked like a charm! Thanks so much!