Sunday , November 19 2017

How to use a internal Windows CA (Certificate Authority) in Windows 2012 with Exchange 2013

Using a internal windows CA certificate with Exchange 2010

Using a Self Sign Certificate can Manage Owa alone, But Issuing a Internal Windows CA Certificate can serve all type of Clients
So will learn how to do it on Windows Server 2012.

We can use a internal windows CA certificate with Exchange 2013 to avoid Cert Errors
Something which you need to know is , Using a Internal Windows CA Certificate you need to install the certificates on every machine you use and Mobile devices other wise you will end up in a certificate error.
So that’s why people prefer going for a 3rd party certificate to overcome it.
In this article We Will Learn issuing a Internal Windows CA Certificate ,

You need to have two A records , Mail.domain.com and Autodisover.domain.com

and you will place the cert which we generate into the machines your configuring outlook. or any device, So that you can over come outlook errors

First we will learn how to Export a Certificate request file from Exchange 2013,

Step 1:

Login to Exchange Administration Center (EAC) in Exchange 2013

Servers – Certificates – Click on the “+” Sign – New

image

Choose

“Create a request for a Certificate from the Certification authority”

Next

image

Type a Friendly Name :

image

Wild Card is used if you are going to manage more URLs .For Example : *.Domain.com

image

Choose the Server to have the Cert Request

image

Step 2:

Enter the Required URL’s for your Exchange ,

image

For Example Am entering only for Outlook Web App (When accessed from the internet)

image

Step 3:

You will see the collection for URL’s

image

 

Step 4:

Fill out the Form

image

Create a Simple Share to Save the Cert Request

image

 

Save the Cert Request to a Shared Location as below

image

Now you could see the Pending Cert Request

image

Step 5:
Your request file would look like this

image

 

ExchangeCert.req is the request file you created. Now right click on the file , Open with , Use notepad

Opening it via Notepad , It would give a set of Request content, You will use this content in the later part

image

Step 6:
You need to have this role installed to have a  Certificate Authority , It can be DC or Exchange it self
I have done this in the Exchange itself (No Harm)

Open Server Manager – Manage – Add Roles and Features

image

Step 7:

Choose : Active Directory Certificate Services

Choose Next

And Choose : Certification Authority Web Enrollment

image

Choose : Certification Authority Web Enrollment

image

Choose Install

image

Choose Close

image

 

Step 8:

To Configure Active Directory Certificate Services

Choose the Exclamation Mark on the Flag

image

Choose Next

image

Choose

Certificate Authority

&

Certification Authority Web Enrollment

image
Choose Enterprise

image

Step 9:
Choose Root CA

image

Step 10:
Create a new Private key

image

Step 11:
Have this Default with 2048 key Character length

image

Step 12:
Click Next

image

Step 13:
By Default Certificate is valid for 5 years , Don’t make any changes on it , Click next

image

Step 14:

image

image

image

Step 15:
Now if you Open IIS manager , you will see “CertSrv”  a Virtual Directory Created ,

image
Use the right side column “Browse *.443(https)

Step 16:
You would see a page like this , Choose Request a Certificate

image

Step 17:
Click on Advanced Certificate Request

image

Step 18:
Choose the Second one
Submit a certificate request by using a base-64-Encoded CMC

image

Step 19:
Now Copied the content from the  Note pad  – (See Step5)
Choose Template : WebServer

image

Step 20:
Choose “Base 64 encoded”

image

Step 21:
Save the Certificate

image

Copied the File to a  Common Share

image

Step 22:

Now go to your EAC – Servers – Certificates- Choose the Pending Request – Choose Complete

image

 

image

Step 23:
Now Assign Services to the Certificate

Choose Cert and Click on Edit

image

image

Now the Server Part is ready

image
Step 24:

Now will learn how to install the Certificate in the Client End
Double Click on the Certificate

image

Click Install Certificate – Click Next –

image

Choose Local Machine

image

Choose Personal –

image
Click Next And Import will be Successful

image
Now Do the Same Process
Double Click on the Certificate

Click Install Certificate – Click Next – Choose Trusted Root Certification Authorities

image
Double Click on the Certificate

Click Install Certificate – Click Next – Choose Intermediate Certification Authorities

image

Step 25:
Before

image

After installing the Certificate in the Client

image

Great !!

Now you learnt how to Use a internal windows CA certificate in Windows Server 2012 with Exchange 2013

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Exchange Server MVP , Publisher of CareExchange.in Supporting/Deploying/Designing Microsoft Exchange for some years. Extensive experience on Microsoft Technologies.

Check Also

Automate Run Summarization via PowerShell in SCCM

Without Delegating System Center Configuration Manager Deployment Rights. We can Update the Summarization Automatically via ...

72 comments

  1. Keep up the good work…

  2. Thanks for sharing the valuable knowledge

  3. Hi,

    I have a problem, that when I get to step 19 Choose Template : WebServer , I don’t have that option. I only have two options of, User or Basic EFS.

    Thanks in advance

    Brian

  4. Hi Satheshwaran.

    Great write up, i have followed your instruction but i am having problems with my internal outlook clients connecting to exchange i receive the following error message:

    Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)

    i am able to connect and send email via OWA with out any issues. ive been working on resolving this issue for a week now and im not sure what else to try 🙁

    Any help would vert be much appriciated.

    Ajay Paul

  5. Thanks a lot mate this was a very well presented and clear guide which did the trick!

  6. Thanks for this post….also try to post Exchange 2013 Migration once it’s going to be live…

  7. Hi,
    Firstly, sorry for my stupid questions as below (I’ve not experienced it before):

    My lab has 4 PCs:
    + PC1: Domain controller (Active directory) (ad.local.com)
    + PC2, PC3: installed Exchange 2007, Exchange 2010
    + PC4: Exchange 2013
    Question 1:
    After created certificate successfully at step #5. Following step #22, we will request certificate into PC1 (https://ad/certsrv) or into PC4 (https://ex2013.local.com/certsrv) ?

    Question 2:
    Do i need install this ceritficate (at step 22) for PC2, PC3 ?

    Question 3:
    For non-domain Outlook client PC (Outlook 2007/2010), I cannot create Outlook profile for Exchange 2013 users,
    so do I also install the certificate applied in Exchange 2013 into non-domain PC following step #24 ?

    Question 4:
    My Exchange labs have used for internal network (intranet network), so for OWA-Autodiscover – Outlook anywhere…: could I configure InternalURl which is same as ExternalURl ? or I don’t need configure ExternalURl for all services in case I use them for intranet network ?

    Thanks,
    Hung.

    • My lab has 4 PCs:
      + PC1: Domain controller (Active directory) (ad.local.com)
      + PC2, PC3: installed Exchange 2007, Exchange 2010
      + PC4: Exchange 2013
      Question 1:
      After created certificate successfully at step #5. Following step #22, we will request certificate into PC1 (https://ad/certsrv) or into PC4 (https://ex2013.local.com/certsrv) ?

      you will get a Request file from PC4=Exch 2013 . Place it on DC-PC1 , And get the Final Cert

      Question 2:
      Do i need install this ceritficate (at step 22) for PC2, PC3 ?

      yes you need to use the same Cert on Exchange 2007,2010,2013,

      Make sure all URL’s are added

      Question 3:
      For non-domain Outlook client PC (Outlook 2007/2010), I cannot create Outlook profile for Exchange 2013 users,
      so do I also install the certificate applied in Exchange 2013 into non-domain PC following step #24 ?

      Yes

      Question 4:
      My Exchange labs have used for internal network (intranet network), so for OWA-Autodiscover – Outlook anywhere…: could I configure InternalURl which is same as ExternalURl ? or I don’t need configure ExternalURl for all services in case I use them for intranet network ?

      I don’t think you need to configure it , if you are using in intranet alone. Not mandatory

      • Hi,

        after installed the certificate into non-domain client (step#24), open IE and type:
        https:///owa

        The bar still displays “certificate error” ?
        This is the information about my certificate:
        + OWA (internet):

        I also use this exchange for intranet/internal network, so I need to request the certificates relating to “internal”, like
        OWA (when accessed from intranet)
        OAB (when accessd from the intranet)

        And one more problem I met:
        I cannot open the Outlook profile of Exchange 2013 into non-domain client but OWA is Ok
        this is the warning when I try to open that profile:
        “cannot open your default e-mail folder. Microsoft Exchange is not availble. Either are network problem or the Exchange server is down for maintenance”

        Could you give me some ideas to solve my problems, please ?

        Thanks.

        • Verify your Active Directory is healthy,

          And replication works fine

          • Hi ,

            I re-start Exchange 2013 system (also try to restart all service relating to Exchange and DC), but I still met “certificate error” into the Web client of non-domain PC ?

            Could you specify the tasks which I should do to check ?

            Thanks,

  8. Sorry for typing information which are not clearly.

    This is the full:
    ————————————-
    Hi,

    after installed the certificate into non-domain client (step#24), open IE (in non-domain PC and into Exchange PC) and type:
    https:///owa

    The bar still displays “certificate error” ?
    This is the information about my certificate:
    at step #2, only choose
    + OWA (internet) and edit “FQDN of exchange”

    I also use this exchange for intranet/internal network, so I need to request the certificates relating to “internal”, like
    OWA (when accessed from intranet)
    OAB (when accessed from the intranet)
    ……

    And one more problem I met:
    I cannot open the Outlook profile of Exchange 2013 into non-domain client but OWA is Ok
    this is the warning when I try to open that profile:
    “cannot open your default e-mail folder. Microsoft Exchange is not available. Either are network problem or the Exchange server is down for maintenance”

    Could you give me some ideas to solve my problems, please ?

    Thanks.

    ————————————-

  9. Bhai,
    Thanks a ton for putting it together so nicely.
    Sadly,
    Eversince i have added this certificate, I am getting blank screen on opening ECP/EAC/OWA.
    Moreover, i can’t even open Mgmt Shell.
    I’m screwed up.

    Shakti

  10. Thanks Manoharan,

    Nice step by step instructions…very helpful.

    I have managed to get through with exchange and Outlook configs.

    Before I finalise some help on the below.

    1. After changing the External and Internal URL in exchange do I need to create the Certificates again.
    2.How do I configure DNS for Outlook anywhere.
    3. Create public folders in Exchange 2013 and copy data from Exchange 2003 public folders.

    Regards,
    RR

    • Thank you for your comments Rakesh

      1.
      When you create a Cert Req from the Exchange Server. you should verify that all the URLs available in the Cert.

      Once you verify the Cert req to the Certificate Authority . Things are going to be fine.

      2.
      http://social.technet.microsoft.com/Forums/en-US/exchangesvrgenerallegacy/thread/27fa6587-8e2e-4362-8c25-ad1d21030dca/

      Following points are to be considered when you want to enable Outlook Anywhere
      A. Enable Outlook anywhere
      Enable-OutlookAnywhere -Server ‘Exch1’ -ExternalHostname ‘site.contoso.org’ -DefaultAuthenticationMethod ‘Basic’ -SSLOffloading $false
      B. Configure a valid SSL certificate for the external urls (including autodiscover url)
      C. Firewall and DNS changes:
      D. public DNS record for the external host name and autodiscover you are using for Outlook Anywhere
      A public IP address on the firewall that the public DNS record resolves to
      A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server

      3.
      you have a seperate migration method to migrate Public folders. I will post that soon.

  11. Hi I wonder why we must to install the certificate (*.cer) for 2 times ?

  12. 1. When I installed certificate (step 24: install “Trusted Root Certification Authorities “), met an error as the picture below:

    http://i.upanh.com/rikvru

    or “http://nw8.upanh.com/b3.s36.d2/9af341981a5dc6f83675f2303f1b8a81_55340418.certificate.jpg”

    I don’t know why ?

    2. one more problem for other servers : I intend to install new certificate for Exchange version, but met a problem “canot find a web template in cert page”
    http://i.upanh.com/rikvhi

    Please help me to solve it.

    Thanks,

  13. Hello again satheshwaran,

    ive followed this guide and it seems to be working, thanks. I’ve just got a few issues that need addressing, if you could help that would be greatly appreciated.

    1. After creating the new certificate as explained by your self, can I now delete the default certificates (Microsoft Exchange, Microsoft Exchange Server Auth Certificate and WMSVC)? for some reason Microsoft Exchange Certificate still has the following services activated: IMAP,POP,IISSMTP and
    Exchange Server Auth Certificate: SMTP

    2. My outlook 2007 clients running on XP SP3 are prompted for login details every time they log on to outlook.

    3. Outlook 2007 clients cannot share their calendars, error message : an error occurred when setting schedule permissions.

    Any help would be appreciated

    Thanks in advance
    Ajay Paul

  14. Dear Satheshwaran,

    thank you for the nice post.
    I have one question, can you tell us in more detail how to use it Externally?
    since you say in the beginning you need to have a CNAME record in your public DNS pointing to your Public IP NAT to your CAS.

    thank you for your help.

    Best Regards.

    • DNS A record setup for autodiscover.yourdomain.com , Points to your Public IP ,

      Now pinging autodiscover.yourdomain.com should resolve your Public Ip.

      Then your Public IP , NATS to your Exchange Server.

      Hope am clear now. will update the content . sorry for the confusion

  15. THANK A LOT ; I does help!

  16. Hi

    I tried this – when setting up Outlook 2013 – I get a Cert error because its looking to to the root of the domain i.e. myddomain.com ( I didn’t request a Root cert!)

    I see mydomain.com (along with Mail, owa & autodiscover) is also listed when I look at the cer

    Do I need to change some settings when making the request ?
    or can I change the imported cert properties ?

  17. Dear Satheshwaran,
    thanks a lot for this post, very helpful!
    Follow this steps everything’s go right, but in my case at step 22 there si a little difference:
    In your screenshot the file to import is “\\UNC\FOLDER\something.CER” in my case is “\\UNC\FOLDER\something.PFX” why?
    Why don’t ask me a .cer file like your post?
    Thanks
    Regards

  18. How to configure certificate based authentication in exchange 2013 , DC is win 2012 server.

  19. Dear Satheshwaran,
    Thanks a lot for this post, very helpful!
    How to use a internal Windows CA (Certificate Authority) in Windows 2012 with Exchange 2013 with 2 CAS.
    I do the same with CAS1 but I dont how to do with CAS2 with the same CA.

  20. Dear Satheshwaran,

    Does this solution also help in my case:

    A question about the way my windows server 2012 resolves the internal and external addresses. Right now I have an intern domain: yyy.example.local, external domain: yyy.example.com. I have an exchange certificate for my external domain yyy.example.com and that is working fine for the exchange users. When the users approach exchange internally they receive an error because the certificate name doesn’t match the internal address which is logical.
    My question is: How can I let my internal address redirect to my external address. So when users approach Exchange internal they will receive the right external address without any errors. I’ve tried the options below, but this does the opposite. It will link my external address to my internal.

    1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert: remote.yyy.org

    2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.

    3. Go into Exchange Admin GUI and go to server section – virtual directories – change the website to the external name: remote.yyy.org/xxx

    4. you can not change autodiscover from GUI – open shell and put in: Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri remote.yyy.org/autodiscover/autodiscover.xml CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri

    5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert: remote.yyy.org

    6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to

    Can you please let me know?
    Greetings

  21. after completing, why the status of the new certificate is invalid?
    help me please

  22. Ok, so I managed to change the Autodiscover URL pointing it to the external URL, so Outlook will connect with the right certificate. If I delete and re-add the outlook profile, the certificate error won’t pop-up and everything works fine. My question now is: I am dealing wth 50+ users. Does this mean every single user has to delete his outlook account and re-add it? This is a big amount of work, not to mention the time Outlook needs to sync everything back again (over 50gb worth of data).

    Is there a way to do this faster and more effective?

    thnx

  23. Hi Great Article, got it setup but still have the following using Outlook 2007

    There is a problem with the proxy security certificate, the certificate is not from a trusted certifying authority.

    But it should be trusted from the AD forest

  24. Do I need to add my Exchange server hostname in my SSL certificate. For example if I enter https:\\exch01\ecp , will I get to the ecp even though it is not in my CSR SSL certificate? Any reason why I need to add my exchange server to the certificate request? What about just adding a hostname vs. the FQDN? Thanks.

    • Ideally Exchange server should work with two entries in the cert — Mail.domain.com autodiscover.domain.com
      changing the internal urls according to above.
      As its a internal CA. you can have all the URLs doesnt cost you anything. so that you wont get a cert error in few instances.. Anyways using a Internal CA is a pain .. At least you can see some error free spaces.lol

  25. I dont understand why you dont download and install the Root CA certificate into the users trusted root certificate authority instead of the one that you created. This will mean all future certs that you issue would automatically be trusted without having to install them

  26. My cert don’t run on OWA 2013 SSL, in details I see a warning in Key Use “Digital Signature, Key Encipherment (a0)”. Pheraps the problem is this?

  27. Mashhoud Idlou

    Hi, Thanks for your wonderfull article
    I have a question, can I use the same certificate to send encrypted email via Outlook 2013 to other recipients out in the world (I mean People that we do Business with and are not joined in our Domain)?
    If yes, could they decrypt the emails and it#s attachments?

    Best Regards

  28. Superb post..

  29. Hi,

    We have an internal CA for our internal servers like Exchange and Lync and it is showing it is going to expire under certificate in ECP. If we go to the CA server it shows it has three more years to expire under certificate details. Is there any default settings like, any certificates are valid only for two years and then we need to renew it?

    • While issuing you can set number of years. when you open the cert in exchange and says its going to expired. you have to reissue it.
      but you can check for reissue expiry settings in internal ca to get more extended expiry time. but some certificate types sets to 2 . regardless what you set in internal CA. This behavior can be fixed if you do more research on Internal CA. which I never did.

  30. this is great and helpful.
    i have a question : Windows CA blocked my Exchange, before Installing CA my exchange was working fine, after installation i was not able to access EAC(Exchange Admin Center). can you please assist me how i can resolve this issue? because i uninstalled the CA but still not working please assist.

    My AD is windows 2012 R2 and Exchange windows 2012 R2 which is memebr of my AD.

  31. sorry my name is Etienne not Erienne

  32. Thank you for this explanations. I have one question. I have an sbs2008 with exchange 2007. Can I move the CA without trouble to a 2012 DC with a different name and then create the certs for the new exchange? I need the old SBS for moving mailboxes and public folder.

  33. What I want to know is why they never built in the option to query an internal ca directly for certificates and renewals without having to do the whole file thing. Like you can setting up rds..

  34. My Exchange Server certificate when trying to complete it (changing from Pending) disappears from the exchange console and you cannot edit it.

    The above procedure does not work

  35. Great KB dear, Satheshwaran, i have a situation where customer have local domain name as domainname.local currently no CA (digicert) provider giving us names like .local or IP as SAN names, Kindly advise how i can handle this, currently users getting certificate error frequently. Can i build CA server and import certificate. and discard the external certificate which is from digicert.

    Regards,
    Jinu

  36. Hi Satheshwaran Manoharan,
    Thanks for sharing this with us, you just saved my day, Thanks a Million

  37. hi all,
    We have an internal CA server(Windows server 2012R2, Hash algorithm:SHA256) The certificate is work in IE but in Firefox and Google chrome is Not Secure. how can i resolve this problem?

  38. Hi All
    We have an internal CA server(Windows server 2012R2, Hash algorithm:SHA256) The certificate is work in IE but in Firefox and Google chrome is Not Secure. how can i resolve this problem?

  39. it really help i was stuck in creating certificate for very long time this article simply solve my problem thanks for writing such a helping article.

  40. Please let me know if you’re looking for a article author for your blog.
    You have some really great posts and I feel I would be a good asset.
    If you ever want to take some of the load off, I’d absolutely love to write some articles for your blog in exchange for a link back to
    mine. Please blast me an e-mail if interested. Thank you!

  41. Simply wish to say your article is as astounding. The clarity for your publish is
    simply excellent and that i could suppose you’re a professional
    on this subject. Fine together with your permission let
    me to snatch your feed to stay updated with impending post.

    Thank you a million and please carry on the gratifying work.

  42. T??s arrangement is incredibly simple fo? somebody ??o has s?ddenly ?een hit with a financial crunch ?nd ?oesn’t
    ?therwise need t? leave the?r house ?nd dispose off property.
    Evenn a? the method goes on and y?u show ? willingness to behave to forestall
    ?t tthe judge m?? e?en adjourn the situation to provide yo? with the opportunity t? sell ??ur property ?nd pay up you?
    mortgage arrears. U?ing a cash property buyer
    m?y ?? tthe solution y?u are l?oking for.

Leave a Reply

Your email address will not be published.