Exchange & CA

Dhiraj Mutha
Hi Experts,

I am learning Exchange 2010 and have set up a lab on my home system. On one server I installed a DC with integrated DNS, on another I installed Exchange 2010 with the HT, CAS & MB roles. Everything is working, but OWA shows the certificate error. So I thought of testing Certificate Services as well, and installed another Windows 2008 server with CA services (Enterprise Root).

Can someone help with a step-by-step procedure for configuring the certificate for Exchange 2010? What I don't want is the certificate error in OWA.

All the servers are Windows 2008. The domain name is 'Kida.com' and the internal OWA link is 'https://inblrex01.kida.com/owa'. I don't have an external link, but would like to configure that as well, i.e. the certificate error should not come up in IE if used from the external internet.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:

To eliminate the certificate error, you should manually install the certificate into the 'Trusted Root Certification Authorities' store.

http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
Dhiraj MuthaLevel D

Author

Commented:
Do we have to do that in Exchange server?
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
CA 2008
http://technet.microsoft.com/en-us/library/dd362655.aspx

This is for CA 2003 with SANs added, as an Exchange certificate should have 2-3 SANs added (i.e. autodiscover.domain.com, computername.domain.com, externalname.domain.com).
http://blogs.microsoft.co.il/blogs/roneng/archive/2008/03/20/create-certificate-for-exchange-2007-servers-using-windows-ca.aspx
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
You have to import it in Exchange and on the clients as well.
If the client PC's 'Trusted Root Certification Authorities' store doesn't have this certificate, then Outlook Anywhere will not work.
Dhiraj MuthaLevel D

Author

Commented:
These nowhere show how to configure that on Exchange. I have gone through these documents, and I don't see it working properly.
Dhiraj MuthaLevel D

Author

Commented:
But I cannot sit and import these certificates on all the clients, right? If the client is in a net cafe (external internet), then how will that work?

I am sure there are some configurations on the Exchange server and the CA, and their integration.
EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Did you issue the certificate?
If not, please generate a CSR using the link below:
https://www.digicert.com/easy-csr/exchange2010.htm

Issue the certificate using the link below:
http://technet.microsoft.com/en-us/library/ff625722%28WS.10%29.aspx

Detailed video
http://www.msexchange.org/player.asp?AYGl5HgC
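
As an added example (not part of any post in this thread): the request, issue, import and enable steps that the links above describe, typed into the Exchange Management Shell for the lab in the question. Only `inblrex01.kida.com` comes from the thread; `autodiscover.kida.com`, `mail.kida.com`, the `C:\Certs` folder and the `WebServer` template are assumptions.

```powershell
# Run in the Exchange Management Shell on the CAS server, as an account
# that is allowed to enroll on the chosen template at the enterprise CA.
# From the thread: inblrex01.kida.com. Assumed for illustration:
# autodiscover.kida.com, mail.kida.com (placeholder external name),
# the C:\Certs working folder and the built-in "WebServer" template.
$names = 'inblrex01.kida.com', 'autodiscover.kida.com', 'mail.kida.com'

# 1. Build the request; every name a client will type must be a SAN,
#    otherwise the browser still reports a name mismatch.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=inblrex01.kida.com' `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\Certs\exchange.req' -Value $req

# 2. Submit the request to the enterprise CA. Without -config, certreq
#    asks which CA to use.
certreq -submit -attrib 'CertificateTemplate:WebServer' `
    'C:\Certs\exchange.req' 'C:\Certs\exchange.cer'
if (-not (Test-Path 'C:\Certs\exchange.cer')) {
    throw 'No certificate was issued; check the request status on the CA.'
}

# 3. Import the issued certificate so it pairs with the pending private key.
$bytes = [byte[]](Get-Content -Path 'C:\Certs\exchange.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Bind it to IIS, which serves OWA.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Review what is now bound: names, services and expiry.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

Domain-joined clients receive an enterprise root CA certificate through Active Directory, so the OWA warning disappears for them; machines outside the domain still need the lab CA's root certificate in their 'Trusted Root Certification Authorities' store.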
Dhiraj MuthaLevel D

Author

Commented:
Ok. I will check this out today and will update you.
If you are using external clients, save the hassle and invest in a cert which allows you to put the SANs you need.

http://technet.microsoft.com/en-us/library/bb125165.aspx?ppud=4

You will not have to worry about clients having the Certificate chain correct, you just need to ensure the third party cert is automatically trusted by Microsoft clients.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

I suggest you buy a certificate from a third-party CA:
GoDaddy (cheaper one)
Digicert
Dhiraj MuthaLevel D

Author

Commented:
This is just for learning. This is a home lab, and I don't want to cut my pocket for that.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
What is this statement?
'But I cannot sit and import these certificates on all the clients, right? If the client is in Net cafe (External Internet) then how will that work?'
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Please let us know your purpose for this.
One way or the other, we would be able to help you.

Since this is just a test lab, go with the Exchange-generated SANs cert. To test externally you will HAVE to import the certs - that is why in the real world you would always buy a third-party cert!!
Dhiraj MuthaLevel D

Author

Commented:
This is what I was looking for. Thanks a lot.
