Solved

Implement SSL certificate into exchange 2003

Posted on 2014-01-01
Last Modified: 2014-04-22
Happy New Year for Everyone,

I would like to ask some details about how to install an SSL certificate in an Exchange 2003 environment. Please start the explanation from the very beginning because I haven't bought the cert. yet.
My server handles two domain names so I don't really know how I should implement the cert.
P.S.: In what way would this SSL cert. affect my mobile users?

Thanks for the answer in advance.
Cheers
Question by:agriboy1980

Expert Comment

by:R--R
You have to create a CSR.
Submit the CSR to CA.
Get the certificate.
Install the certificate.

Generate the CSR by following https://www.geocerts.com and then install the certificate by following https://support.globalsign.com

https://www.geocerts.com/csr/iis_6
https://support.globalsign.com/customer/portal/articles/1227295

Expert Comment

by:Mahesh
You need to generate a custom certificate request if you are using multiple SMTP domains in Exchange, using the article below:

http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

Then you need to import that cert in IIS as shown in the article below:
http://www.youtube.com/watch?v=HMVaYehBwC8

Mahesh

Author Comment

by:agriboy1980
Thanks for the quick reply.
I have a few questions:
1. I have to create this SSL because one of my mobile users (Nokia Windows phone) has an issue setting up the e-mail account on that device. Is this the thing that is going to help with that?

2. Can I use Godaddy.com to generate the SSL based on the CSR?

3. My server has been configured for hosting the "domain.com" domain. Later on I configured it to host another one called "domain.cz". Do I need only one SSL or two in this case? And is the method you mentioned above totally suitable for my situation?
Thanks

Author Comment

by:agriboy1980
Thanks mate, I will try it and post results here :)

Expert Comment

by:Mahesh
It depends on how many SMTP domains you are using.
Even if you are using multiple SMTP domains, you can have a single Subject Alternative certificate (SAN) which will contain all DNS host names.
When mobile users connect to the Exchange server, the server host name they are connecting to must be in the certificate to work properly (this will be the external hostname of the Exchange server).

You can use any 3rd party public CA to generate CSR including Go Daddy

Mahesh

Expert Comment

by:Simon Butler (Sembee)
On Exchange 2003, the fact that you are using multiple SMTP domains means nothing when it comes to SSL certificates. There is no link between the email domains and the SSL certificate.
Therefore just decide on a host name to use and enter that as the common name in the SSL certificate - then tell the end user what host name to enter for ActiveSync. The same host name can be used for all services on the server - OWA, RPC over HTTPS and ActiveSync - irrespective of their email address.

GoDaddy or one of their resellers will be fine for the SSL certificate, they have instructions on their web site on how to do the request, response and installation of their required intermediate certificates.

Simon.

Expert Comment

by:Mahesh
Hi Simon, thanks for pointing that out.
I missed this part of Exchange 2003.
But I do have a query, if you can help clear it up, please:

What if they want to use multiple OWA URLs as against multiple SMTP domains, wouldn't they face certificate errors in that case?
Thanks

Mahesh

Author Comment

by:agriboy1980
Hi All,

There are two domains registered (domain.com and domain.cz) and they have been configured using total DNS control to point their MX record to this server's fixed IP address like this:

domain.cz.      MX      38400      10 mail.domain.com.
where "mail.domain.com" is my server's FQDN. I have created a policy on the Exchange 2003 to handle those e-mails which are coming for "domain.cz" and that is all I have until now.
Now I have checked in IIS that my server's certificate expired on the 8th of November. Is there a way maybe to renew that somehow? (I am not sure whether that is a proper SSL cert. or not.)

Thanks

Expert Comment

by:Simon Butler (Sembee)
If you don't know about the current SSL certificate, I wouldn't do a renewal. Just create a new certificate request for the host name that you are currently using (mail.domain.com).
Don't worry about having users on a different domain name - they can use the same host name.

Simon.

Author Comment

by:agriboy1980
OK, so I did the process described in this article:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html

My only problem is that after I switched on that SSL should be used for OWA, mobile access etc. (very last step in the article), I tried to check it on my iPhone (switched on the SSL) and I received a message telling me that "the mail is unreachable".

What could be the problem?

Author Comment

by:agriboy1980
Can anyone help me pls?

Expert Comment

by:Seth Simmons
Have you tried accessing OWA through a web browser? If you followed that article and installed a self-signed certificate, then certain access points such as some browsers and possibly some phones won't work with it.

Author Comment

by:agriboy1980
There are now some other problems because I have turned on SSL on the OMA and on my iPhone, and sometimes I receive an error message that the server is unreachable, and after I push OK a few times on those errors, I receive the next message that the server is not identified and I have three options: Ignore, accept or continue.
I receive this message once every day.

Maybe I have turned on the wrong SSL at the wrong virtual directory?

Expert Comment

by:-MAS
You will need to make sure the correct certificate is enabled for your mobile clients to work.

Open OWA and see which certificate is enabled by checking the thumbprint of the certificate.

Accepted Solution

by:Iain MacMillan (earned 500 total points)
On your mobiles, you may need to check/edit your account settings to make sure you have the domain name correct for accessing the Exchange server externally; typically this is the same as your OWA address. With SSL turned on too.

Also use the Test Service to verify any issues with your Exchange server:

https://testconnectivity.microsoft.com/

I use GS for my certs, and they have a great walk through for most scenarios, with screenshots:

https://support.globalsign.com/customer/portal/articles/1227295 --- Add SSL cert to Exchange 2003
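
The checks discussed in this thread (the host name the device connects to must be in the certificate, regardless of the e-mail domain; an expired certificate; a self-signed certificate) can be expressed as one diagnostic. This is an added example, not code from any poster; it works on a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificates, the CA name, the expiry year and the host `mail.domain.cz` are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def cert_names(cert):
    """DNS names a client matches against: SAN entries if present, else the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p, h = pattern.split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def diagnose(cert, host, now):
    """Return the reasons a client connecting to `host` would reject `cert`."""
    problems = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("name-mismatch")   # host typed on the phone is not in the cert
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")     # no public CA in the chain
    return problems

def sample_cert(cn, issuer_cn, not_after, sans=()):
    """Build a constructed certificate dict (hypothetical helper for this example)."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notAfter": not_after,
            "subjectAltName": tuple(("DNS", s) for s in sans)}

# Constructed samples: an old self-issued cert and a new CA-issued one.
OLD_CERT = sample_cert("mail.domain.com", "mail.domain.com",
                       "Nov  8 00:00:00 2013 GMT")
NEW_CERT = sample_cert("mail.domain.com", "Example Public CA",
                       "Jan  1 00:00:00 2016 GMT", sans=("mail.domain.com",))
NOW = datetime(2014, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cert, host in [(OLD_CERT, "mail.domain.com"),
                       (NEW_CERT, "mail.domain.com"),   # user@domain.cz uses this host too
                       (NEW_CERT, "mail.domain.cz")]:
        print(host, diagnose(cert, host, NOW) or "ok")
```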