Solved

Requirements for Exchange 2010 certificate?

Posted on 2014-10-20
Last Modified: 2014-10-24
We want to change the current certificate (internal CA) of our Exchange 2010 server with a public wildcard certificate.

The new certificate will be bought by the developer of the website. Are there any special requirements we should communicate if we want to use that SSL-certificate for Exchange in addition to the website?

What files do we need to import the SSL wildcard certificate (bought for the website) in Exchange?
0
Question by:exexc
4 Comments
 
LVL 25

Expert Comment

by:-MAS
ID: 40391646
Your Exchange needs 2 names if you have only one domain.
1. mail.domain.com
2. autodiscover.domain.com
Please check these for details.
1. Technet
2. EE
0
 

Author Comment

by:exexc
ID: 40391684
The web developer will get a wildcard certificate for the domain. So all subdomains should be covered.

What I don't know is, if we have to tell him that certain requirements exist for Exchange 2010.

For example, is it recommended to get a 2048bit/SHA256 certificate or is SHA256 a problem for Exchange 2010? Is there a more secure type of certificate than 2048bit/SHA256?

What kind of files does he have to send us? I guess we will need a file with the private key, a file with the public key, maybe a file for an Intermediate CA? Are these files required in a specific file format?

I never worked with public certificates in Windows, so I don't know what requirements I have to communicate to the web developer.
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40391720
You can go for a wildcard certificate, which is more secure than having a cert with different SANs. It means that a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain.

The site below will give you more info:

https://www.digicert.com/wildcard-ssl-certificates.htm
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 40392074
1. The bit-length of the key determines the security of the hashing used to generate your certificate request. Higher is better, but will also increase the resources used by IIS when encrypting data. 2048/SHA256 is sufficient for now and will be for the next few years. 1024 or lower is considered to be crackable and not recommended.

2. You will need to generate a Certificate Request file on the Exchange server for the wildcard cert, then forward that to the web developer. The developer will request the certificate from the third-party CA. The CA will provide him with a file that is a "response" to the request. When you complete the certificate request on the Exchange server, you will use this file as the response, and the server will then generate the certificate and configure it for use by the server. Once that's done, the certificate can be exported for use on other systems if you choose, but you must select the option to make the certificate exportable when creating the certificate request. If you don't do that on the server you create the certificate on, the cert will only be usable on that server.

That's basically the whole process. And to correct another user's statement, Wildcard certificates are considered *less* secure than a multiple SAN cert because the certificate will authenticate any name used against it as long as the domain name is correct. However, the difference in security is negligible and not usually a big deal.
0
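The request, completion and export steps from the accepted solution, as an added Exchange Management Shell example that is not part of the original thread. `domain.com` and the `C:\certs` folder are placeholders, and the service list is an assumption to adjust for your server.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# domain.com and C:\certs are placeholders, not values from the thread.

# 1. Generate the request. The private key is created on this server and
#    stays here; only the .req file goes to the web developer / CA.
#    -PrivateKeyExportable must be set now or the cert cannot be exported later.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=*.domain.com" `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\wildcard.req" -Value $req

# 2. Complete the pending request with the response file returned by the CA.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path "C:\certs\wildcard.cer" -Encoding Byte -ReadCount 0))

# 3. Confirm the certificate is bound to its private key before enabling it.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, NotAfter, HasPrivateKey, Services, Status

# 4. Assign the certificate to the services that should present it
#    (assumed here: IIS for OWA/ActiveSync/Autodiscover, and SMTP).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Export certificate plus private key as a password-protected PFX
#    for the web server. Prompt for the password so it is not stored in
#    the script or shell history.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\wildcard.pfx" -Value $pfx.FileData -Encoding Byte
```

The PFX contains the private key for every name under the wildcard, so transfer it over a protected channel, send the password separately, and delete the working copy once it is installed on the web server.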

Question has a verified solution.