Implement SSL certificate into Exchange 2003

Happy New Year to everyone,

I would like to ask for some details about how to install an SSL certificate in an Exchange 2003 environment. Please start the explanation from the very beginning, because I haven't bought the cert yet.
My server handles two domain names, so I don't really know how I should implement the cert.
P.S.: In what way would this SSL cert affect my mobile users?

Thanks for the answer in advance.
Cheers
agriboy1980 Asked:
R--R Commented:
You have to create a CSR.
Submit the CSR to CA.
Get the certificate.
Install the certificate.

Generate the CSR by following the geocerts.com guide, then install the certificate by following the GlobalSign guide:

https://www.geocerts.com/csr/iis_6
https://support.globalsign.com/customer/portal/articles/1227295
Mahesh (Architect) Commented:
You need to generate a custom certificate request if you are using multiple SMTP domains in Exchange, using the article below:

http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

Then you need to import that cert into IIS as shown in the video below:
http://www.youtube.com/watch?v=HMVaYehBwC8

Mahesh
agriboy1980 (Author) Commented:
Thanks for the quick reply.
I have a few questions:
1. I have to create this SSL because one of my mobile users (Nokia Windows phone) has an issue setting up the e-mail account on that device. Is this the thing that is going to help with that?

2. Can I use Godaddy.com to generate the SSL based on the CSR?

3. My server has been configured to host the "domain.com" domain. Later on I configured it to host another one called "domain.cz". Do I need only one SSL or two in this case? And is the method you mentioned above totally suitable for my situation?
Thanks
agriboy1980 (Author) Commented:
Thanks mate, I will try it and post results here :)
Mahesh (Architect) Commented:
It depends on how many SMTP domains you are using.
Even if you are using multiple SMTP domains, you can have a single Subject Alternative Name (SAN) certificate which contains all the DNS host names.
For mobile users connecting to the Exchange server, the server host name they connect to must be in the certificate for this to work properly (this will be the external host name of the Exchange server).

You can use any 3rd-party public CA to generate the CSR, including Go Daddy.

Mahesh
Simon Butler (Sembee), Consultant, Commented:
On Exchange 2003, the fact that you are using multiple SMTP domains means nothing when it comes to SSL certificates. There is no link between the email domains and the SSL certificate.
Therefore just decide on a host name to use and enter that as the common name in the SSL certificate, then tell the end users what host name to enter for ActiveSync. The same host name can be used for all services on the server (OWA, RPC over HTTPS and ActiveSync), irrespective of their email address.

GoDaddy or one of their resellers will be fine for the SSL certificate, they have instructions on their web site on how to do the request, response and installation of their required intermediate certificates.

Simon.
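As an added example that is not part of the thread, nor of any Microsoft, GoDaddy or GlobalSign tooling, the following Python script shows the rule Mahesh and Simon describe: a TLS client (ActiveSync on a phone, OWA in a browser) only checks that the host name it was told to connect to appears in the certificate's Subject Alternative Name list (or, when there is no SAN, in the subject common name) and that the certificate is inside its validity period. The user's e-mail domain never enters the check, which is why one certificate for mail.domain.com serves users of both domain.com and domain.cz. The host names mail.domain.com and mail.domain.cz, the dates, and the CertInfo record are constructed for the example; the matching rules follow RFC 2818 / RFC 6125 in simplified form.

```python
"""Added example: host-name matching as a TLS client does it (RFC 2818 /
RFC 6125 rules, simplified), applied to the Exchange 2003 scenario in the
thread. Certificates here are constructed records, not parsed PEM files."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class CertInfo:
    """The parts of an X.509 certificate that matter for a host-name check."""
    common_name: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


def presented_names(cert: CertInfo) -> list:
    """Names a client may match against: SAN dNSNames if any exist,
    otherwise (legacy behaviour) the subject common name."""
    return list(cert.san_dns) if cert.san_dns else [cert.common_name]


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one presented identifier against a host name.
    A wildcard is only honoured as the entire left-most label and must not
    cover a bare domain: "*.domain.com" matches "mail.domain.com" but not
    "domain.com" or "owa.mail.domain.com"."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:  # partial or too-broad wildcard
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(cert: CertInfo, host: str, now: datetime) -> tuple:
    """Return (accepted, reason) for a client connecting to `host` at time `now`."""
    if now < cert.not_before:
        return False, "certificate not yet valid"
    if now > cert.not_after:
        return False, f"certificate expired on {cert.not_after:%Y-%m-%d}"
    names = presented_names(cert)
    if any(name_matches(n, host) for n in names):
        return True, f"{host} is covered by {names}"
    return False, f"{host} is not in {names}: client shows 'server not identified'"


# Constructed certificates and dates for the thread's scenario (assumptions).
VALID_FROM = datetime(2013, 1, 1, tzinfo=UTC)
VALID_TO = datetime(2014, 1, 1, tzinfo=UTC)
CHECK_TIME = datetime(2013, 6, 1, tzinfo=UTC)

# Single host name, as Simon suggests: CN only, no SAN.
CN_ONLY = CertInfo("mail.domain.com", VALID_FROM, VALID_TO)
# SAN certificate covering one host name per mail domain, as Mahesh describes.
SAN_BOTH = CertInfo("mail.domain.com", VALID_FROM, VALID_TO,
                    san_dns=["mail.domain.com", "mail.domain.cz"])
# A certificate like the one the asker found in IIS: expired on 8 November.
EXPIRED = CertInfo("mail.domain.com", VALID_FROM, datetime(2012, 11, 8, tzinfo=UTC))


def scenario_results() -> dict:
    """Outcome for each (certificate, host name typed into the phone) pair.
    The user's e-mail address (user@domain.com or user@domain.cz) is
    deliberately absent: it never enters the check."""
    return {
        "cn_only/mail.domain.com": check_hostname(CN_ONLY, "mail.domain.com", CHECK_TIME)[0],
        "cn_only/mail.domain.cz": check_hostname(CN_ONLY, "mail.domain.cz", CHECK_TIME)[0],
        "san_both/mail.domain.com": check_hostname(SAN_BOTH, "mail.domain.com", CHECK_TIME)[0],
        "san_both/mail.domain.cz": check_hostname(SAN_BOTH, "mail.domain.cz", CHECK_TIME)[0],
        "expired/mail.domain.com": check_hostname(EXPIRED, "mail.domain.com", CHECK_TIME)[0],
    }


if __name__ == "__main__":
    for case, ok in scenario_results().items():
        print(f"{case:28s} {'accepted' if ok else 'REJECTED'}")
```

Two points the table makes visible: with a CN-only certificate for mail.domain.com, a domain.cz user who types mail.domain.cz as the server is rejected, while the same user typing mail.domain.com is accepted; and once a SAN extension is present, clients ignore the CN entirely, so a SAN certificate must list every host name that will be typed into a device, not just the extra ones.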
Mahesh (Architect) Commented:
Hi Simon, thanks for pointing that out.
I missed that part of Exchange 2003.
But I do have a query, if you can help clear it up please:

What if they want to use multiple OWA URLs for the multiple SMTP domains; wouldn't they face certificate errors in that case?
Thanks

Mahesh
agriboy1980 (Author) Commented:
Hi All,

Two domains were registered (domain.com and domain.cz) and they have been configured using Total DNS Control to point their MX record to this server's fixed IP address, like this:

domain.cz.      MX      38400      10 mail.domain.com.
where "mail.domain.com" is my server's FQDN. I have created a policy on Exchange 2003 to handle the e-mails coming in for "domain.cz", and that is all I have until now.
Now I have checked in IIS that my server's certificate expired on the 8th of November. Is there a way to renew that somehow? (I am not sure whether that is a proper SSL cert or not.)

Thanks
Simon Butler (Sembee), Consultant, Commented:
If you don't know about the current SSL certificate, I wouldn't do a renewal. Just create a new certificate request for the host name that you are currently using (mail.domain.com).
Don't worry about having users on a different domain name - they can use the same host name.

Simon.
agriboy1980 (Author) Commented:
OK, so I did the process described in this article:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html

My only problem is that after I switched on the setting that SSL should be used for OWA, mobile access etc. (the very last step in the article), I tried to check it on my iPhone (with SSL switched on) and received a message telling me that "the mail is unreachable".

What could be the problem?
agriboy1980 (Author) Commented:
Can anyone help me please?
Seth Simmons (Sr. Systems Administrator) Commented:
Have you tried accessing OWA through a web browser? If you followed that article and installed a self-signed certificate, then certain access points such as some browsers and possibly some phones won't work with it.
agriboy1980 (Author) Commented:
There are now some other problems, because I have turned on SSL on the OMA and on my iPhone. Sometimes I receive an error message that the server is unreachable, and after I push OK a few times on those errors, I receive the next message that the server is not identified and have three options: Ignore, Accept or Continue.
I receive this message once every day.

Maybe I have turned on SSL on the wrong virtual directory?
MAS (EE Solution Guide - Technical Dept Head) Commented:
You will need to make sure the correct certificate is enabled for your mobile clients to work.

Open OWA and see which certificate is enabled by checking the thumbprint of the certificate.
Iain MacMillan (IT Regional Manager - UK) Commented:
On your mobiles, you may need to check/edit your account settings to make sure you have the domain name correct for accessing the Exchange server externally; typically this is the same as your OWA address, with SSL turned on too.

Also use the Test Service to verify any issues with your Exchange server:

https://testconnectivity.microsoft.com/

I use GS for my certs, and they have a great walkthrough for most scenarios, with screenshots:

https://support.globalsign.com/customer/portal/articles/1227295 --- Add SSL cert to Exchange 2003
