Procedure to configure mutual TLS on SBS 2008 (Exchange 2007)

I need to create a mutual TLS connection with a client. Our SBS 2008 server has always used self-signed certificates, which I know will not work for this configuration. Can anyone walk me through the process, from the type of public Exchange certificate I buy, to installing the certificate, to creating the Exchange connector for the mutual connection? I'm assuming I would create a connector just for communications with this client, since the purpose of this exercise is their requirement.

David Johnson, CD, MVP (Owner) commented:
You can use your internal CA's certificates if you each import the other's certificate. Same with the other party: they can use their internal CA certificate. The stipulation is you must trust each other's root certificate authority. Trusting another company's CA infrastructure is more common than the majors (VeriSign, GoDaddy, RapidSSL, et al.) would want you to believe. It does mean planning your PKI settings and your PKI policies, and you may only trust one subordinate CA and not others. This requires a sharing of policy information between both companies.

one example is @

hounschell (Author) commented:

I spoke with the client's support team and they are requesting that we upgrade to a Public Certificate (FYI, this is a connection to a bank). So let's proceed knowing that requirement.

This is their certificate info if it helps....
Client xyz is using a public VeriSign certificate signed by
VeriSign Class 3 Secure Server CA - G3
VeriSign Class 3 Public Primary Certification Authority - G5

David Johnson, CD, MVP (Owner) commented:
OK, then any cert will do. Instructions on how to create a certificate request for the Hub Transport Server

Enter the FQDN of your Hub Transport server if you'll be using mutual TLS to help secure Internet mail or if you'll be using a Hub Transport server for POP and IMAP client submission.

Simon Butler (Sembee) (Consultant) commented:
A regular UC type certificate will be fine. That way it will protect everything on the server, including ActiveSync, OWA, Outlook Anywhere as well as the SMTP traffic flow.

SBS 2008 needs the SSL certificate done in a certain way.

A cheap GoDaddy SSL certificate will be fine, that will still do the TLS that is required.

Once you have the SSL certificate in place, follow the instructions on Technet for Mutual TLS.
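
The mutual TLS (Domain Security) steps that follow the certificate install, sketched as an added example for the Exchange Management Shell; it is not code from anyone in this thread. The domain, FQDN, thumbprint and connector names are placeholders to replace with your own values.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server (Exchange 2007 SP1).
# Every value below is a placeholder (assumption), not taken from this thread.
$PartnerDomain = 'bank.example'                   # partner's SMTP domain
$ServerFqdn    = 'mail.example.com'               # must be a name on the public certificate
$Thumbprint    = '<THUMBPRINT-OF-PUBLIC-CERT>'    # from Get-ExchangeCertificate
$ReceiveConn   = '<INTERNET-RECEIVE-CONNECTOR>'   # connector that accepts Internet mail
$SendConnName  = 'Domain Secure to bank.example'  # dedicated connector for this partner

# 1. Confirm the public certificate is installed, lists $ServerFqdn among its
#    domains, and is enabled for SMTP. Exchange picks the TLS certificate by
#    matching the connector FQDN against the certificate's domains.
Get-ExchangeCertificate | Format-List Thumbprint,Subject,CertificateDomains,Services,NotAfter
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP

# 2. Declare the partner as domain-secured in both directions.
#    Each call replaces the existing list, so include any domains already on it.
Set-TransportConfig -TLSSendDomainSecureList    $PartnerDomain   # domains we send to
Set-TransportConfig -TLSReceiveDomainSecureList $PartnerDomain   # domains we receive from

# 3. Inbound: enable Domain Security on the Internet-facing Receive connector.
#    -AuthMechanism replaces the current set; add back any mechanisms in use.
Get-ReceiveConnector $ReceiveConn | Format-List Fqdn,AuthMechanism,DomainSecureEnabled
Set-ReceiveConnector $ReceiveConn -DomainSecureEnabled $true -AuthMechanism TLS

# 4. Outbound: a Send connector scoped to the partner's address space only.
#    Domain Security requires DNS (MX) routing rather than a smart host.
New-SendConnector -Name $SendConnName -Usage Internet `
    -AddressSpaces "SMTP:$PartnerDomain;1" `
    -DNSRoutingEnabled $true -DomainSecureEnabled $true -Fqdn $ServerFqdn

# 5. Review the resulting configuration.
Get-TransportConfig | Format-List TLSSendDomainSecureList,TLSReceiveDomainSecureList
Get-SendConnector $SendConnName | Format-List AddressSpaces,Fqdn,DomainSecureEnabled,DNSRoutingEnabled
```

The partner has to make the matching change on their side, listing your domain in their own send and receive secure lists, before mail between the two organizations is treated as domain-secured.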


hounschell (Author) commented:

Thanks, this article looks quite helpful. I'll get started on this next week.

hounschell (Author) commented:
Thank you, cert install, next I need to create a mutual connection between our server and theirs.