Friday, October 20, 2017

How to Use a Self Signed Certificate in Exchange 2010

Article updated: using an internal Windows CA certificate with Exchange 2010

A self-signed certificate can cover OWA alone, but a certificate issued by an internal Windows CA can serve all types of clients.

So we will learn how to do it.

We can use an internal Windows CA certificate with Exchange 2010 to avoid certificate errors.

Something you need to know: when using an internal Windows CA certificate you need to install the certificates on every machine and mobile device you use; otherwise you will end up with a certificate error in IE.

That is why people prefer going for a 3rd-party certificate to overcome it.

In this article we will learn how to issue an internal Windows CA certificate. For this to be used externally you need to have a CNAME record in your public DNS pointing to your public IP, NATed to your CAS.

First we will learn how to export a certificate request file from Exchange 2010.

Step 1:

image

Type a friendly name:

image

A wildcard is used if you are going to manage more URLs. For example: *.Domain.com

image

Step 2:

Assign the required services for your Exchange server by ticking them.

image

You would opt for this if you are planning OWA coexistence between Exchange 2003 and Exchange 2010.

image

Step 3:

You will see the collection of URLs.

image

Step 4:

Fill out the form and set the location for the certificate request file.

image

image

Step 5:

Your request file will look like this:

image

Open it in Notepad, because we need this content to generate a certificate.

image

Step 6:

You need to have this role installed to have a Certificate Authority; it can be on the DC or on Exchange itself.

I have done this on the Exchange server itself (no harm).

image

 

Step 7:

Choose: Certification Authority, Certification Authority Web Enrollment

image

Step 8:

Choose Enterprise

image

Step 9:

Choose Root CA

image

 

 

Step 10:

Create a new private key.

image

Step 11:

Leave this at the default 2048 key character length.

image

Step 12:

Click Next.

image

Step 13:

By default the certificate is valid for 5 years. Don't make any changes to it; click Next.

image

 

Step 14:

 

image

Step 15:

Now if you open IIS Manager, you will see that a virtual directory "CertSrv" has been created.

Use the right-side column "Browse *:443 (https)".

image

 

Step 16:

You will see a page like this. Choose Request a certificate.

image

Step 17:

Click on advanced certificate request.

image

Step 18:

Choose the second option:

Submit a certificate request by using a base-64-encoded CMC

image

Step 19:

Now copy the content of the Notepad file.

Choose Template: Web Server

NOTE: in the screenshot below, choose the template Web Server.

image

Step 20:

 

Choose "Base 64 encoded".

image

Step 21:

Save the certificate.

image

image

Step 22:

Now go to your EMC: Server Configuration, Complete Pending Request.

image

 

Choose the certificate:

image

Step 23:

Now assign services to the certificate.

image

image

Now the server part is ready.

Step 24:

Now we will learn how to install the certificate on the client end.

Double-click the certificate.

Click Install Certificate, then click Next.

image

Choose Personal.

image

Click Next and the import will be successful.

Now repeat the same process:

Double-click the certificate.

Click Install Certificate, click Next, and choose Trusted Root Certification Authorities.

image

Double-click the certificate.

Click Install Certificate, click Next, and choose Intermediate Certification Authorities.

image

Step 25:

Before

image

After installing the certificate on the client

image
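The same procedure done from the Exchange Management Shell and the Windows command line instead of the EMC wizard and the CertSrv web page, as an added example (these are not the article's own commands). The host, domain and CA names and the file paths are assumptions; the template is the Web Server template chosen in Step 19. The client part installs the issuing CA's root certificate rather than the Exchange certificate itself, which is what the discussion in the comments found necessary for non-domain clients.

```powershell
# Added example: Exchange 2010 internal-CA certificate from the Exchange Management Shell.
# Assumed names: mail.example.com / autodiscover.example.com / legacy.example.com (URLs),
# "CASRV01\Contoso-Root-CA" (CA config string), C:\Certs (working folder).

# --- Steps 1-5: generate the certificate request (same fields as the EMC wizard) ---
$names = "mail.example.com", "autodiscover.example.com", "legacy.example.com"
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.example.com, O=Example, C=US" `
    -DomainName $names `
    -FriendlyName "Exchange Cert" `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path C:\Certs\exchange.req -Value $req    # Base64 request, as in Step 5

# --- Steps 15-21: submit to the enterprise CA with the Web Server template ---
# certreq does what the CertSrv "advanced certificate request" page does; the CA role
# must already be installed (Steps 6-14). The CA config string is an assumption.
certreq -submit -config "CASRV01\Contoso-Root-CA" `
    -attrib "CertificateTemplate:WebServer" `
    C:\Certs\exchange.req C:\Certs\exchange.cer

# --- Steps 22-23: complete the pending request and assign services ---
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path C:\Certs\exchange.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# Check: the new cert is CA-issued (IsSelfSigned False) and carries every name clients
# browse to; an "Issued to" / URL mismatch is the error discussed in the comments.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, IsSelfSigned, Services, NotAfter

# --- Step 24, client side: trust the issuing CA, not the server certificate ---
# On the CA host, export the CA's own certificate:
certutil -ca.cert C:\Certs\Contoso-Root-CA.cer
# On a non-domain client (elevated prompt), add it to the machine Trusted Root store.
# Domain-joined clients normally receive an enterprise root CA through AD automatically.
certutil -addstore -f Root C:\Certs\Contoso-Root-CA.cer

# Verify the chain the way IE/Outlook will: it must end in a trusted root with no errors.
certutil -verify C:\Certs\exchange.cer
```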

 

 

 

Great!

Now you have learnt how to use an internal Windows CA certificate with Exchange 2010.

 

 

Regards

Satheshwaran Manoharan

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting/deploying/designing Microsoft Exchange for some years, with extensive experience in Microsoft technologies.


67 comments

  1. Good blog! I really love how it is simple on my eyes and the data are well written. I’m wondering how I could be notified when a new post has been made. I’ve subscribed to your RSS feed which must do the trick! Have a great day!

  2. I’ve recently started a web site, the info you provide on this website has helped me greatly. Thank you for all of your time & work.

  3. Hello.This article was extremely motivating, especially since I was investigating for thoughts on this issue last Tuesday.

  4. I like this web site very much, Its a really nice situation to read and incur information.

  5. I like what you guys are up to. Such smart work and reporting! Keep up the excellent work guys, I've incorporated you guys into my blogroll. I think it will improve the value of my site 🙂

  6. I simply want to say I am just very new to blogging and honestly loved you’re web page. Very likely I’m going to bookmark your site . You amazingly have exceptional stories. Thanks for sharing your blog.

  7. Wow that was unusual. I just wrote an really long comment but after I clicked submit my comment didn’t show up. Grrrr… well I’m not writing all that over again. Anyways, just wanted to say excellent blog!

  8. You actually make it seem so easy together with your presentation but I find this topic to be really something that I feel I’d by no means understand. It seems too complicated and very huge for me. I am looking forward in your next put up, I’ll attempt to get the hold of it!

  9. Good write-up, I’m regular visitor of one’s site, maintain up the nice operate, and It’s going to be a regular visitor for a long time.

  10. Hi ,

    It is a very good guide and I appreciate it. I followed your guide but I still receive a certificate error on my client side. The only difference is my CA is on my primary DC. Can you help me?

  11. Hi,
    It certainly is very comprehensive but unfortunately like Dinesh I also still get a certificate error. The error report is that “This certificate cannot be verified up to a trusted certification authority”. When I check using MMC certificate plug-in the certificate is definitely imported into both the trusted root authority, intermediate authority and personal stores – I have tried doing the import both at user and local computer level for these options. Any suggestions will be gratefully accepted – we really cannot afford to go and buy a UCC certificate for this installation?
    Thanks,
    Graham

    • Can you check the cert?
      Issued to: "Webmail.Domain.com"
      and the URL you browse: "Webmail.domain.com/owa"

      The above "Issued to" and the URL
      webmail.domain.com
      should be the same.

      If they differ you will get the error.

      • The certificate shows as issued to ‘mail..com’ , issued by –CA. The URL I am accessing is https://mail..com/owa i.e. the certificate ‘issued to’ domain and the URL are definitely the same.
        Also if I try to connect using Outlook Anywhere (which is our real need) I get a message saying ‘the security certificate is not from a trusted certifying authority’, which is pretty much the same error.
        Looking in the client certificate stores via MMC the certificate shows as Issued to mail..com, Issued By –CA, valid to 5 Nov 2014, Intended purposes ‘server authentication’, no friendly name and template ‘WebServer’. It is in the personal store, the trusted root CAs, the Intermediate CAs and I also, in desperation, added it to third-party Root CAs. Still doesn’t work
        Where can I look next to get this going? I am happy to upload or mail the certificate for you to have a look at if you want me to, just don’t want to publish on the net for obvious reasons :).
        Thanks,
        Graham

      • The previous got a bit mangled : to be clear the certificate shows as issued to mail.{domain}.com by an authority {org}-{server}-CA . The URL being accessed is https://mail.{domain}.com/owa .

      • Thought I should also add that the clients on which I am installing the certificates are NOT members of the domain to which the server issuing them belongs. Is this perhaps of relevance?

        • Hi Graham

          For Outlook Anywhere a self-signed cert won't work. It's by design!!

          • 1. My certificate still doesn’t work for OWA regardless of whether or not it should work for OA.
            2. It isn’t a ‘self-signed’ certificate it is a certificate produced by an internal CA. The two are different things. The self-signed certificate is what we replace with the generated one in step 23 – you can see in your own image that the original ‘Microsoft Exchange’ cert is marked in column ‘Self-signed’ as ‘true’ and this locally generated ‘Exchange Cert’ one is ‘false’.
            3. If it REALLY won’t work for OA (and I still believe it should) then a) what is the point of doing all this as all you gain is the ability to not have to ignore the certificate error to use OWA and b) you really need to make the article much more clear as to what this process is useful for.

          • Re: Outlook Anywhere and internal CA certificates:
            “With regards to SSL certificate support and Outlook Anywhere, the certificate type that is not supported is the certificate that Exchange generates itself using new-exchangecertificate. A CA issued certificate (whether your own or a commercial) is supported.”

            from

            http://social.technet.microsoft.com/Forums/en-US/exchangesvrgenerallegacy/thread/4bd74114-d146-44ad-8594-c6b581fef1a1

          • In addition I have now exported the {org}-{server}-CA from the Trusted Root CA of the server and imported that to the Trusted Root CA of the (non-domain) client. Now OWA works as you describe, as there is a path to a trusted authority. For domain clients they may probably automatically trust the server as it is in the same domain.

            The failure on OA has also changed – I am now seeing an ‘untrusted certificate error’, just an issue with authentication. I will track that down and post the results.

            Conclusions so far:
            Both OA and OWA should work with an INTERNALLY GENERATED certificate. OWA works with self-signed, OA doesn’t.
            The title of this article is wrong – it’s not about using a self-signed certificate but an internal CA one – and it’s a very comprehensive guide to that.

          • Final Update: all working now. The authentication issue appears to have been down to switching to Kernel mode authentication for the various exchange processes at some point.

            So to summarise – this detailed guide works for both OWA and OA by using an internal CA certificate, with the proviso that for non-domain member PCs you need to import the issuing server’s CA certificate to the Trusted Root CA store, in addition to the Exchange certificate generated as described here.

            Thanks Satheshwaran for creating this guide initially and for our exchange (pardon the pun!) regarding the differences between self-signed and internal CA generated certificates. I hope the clarification will be of value to all readers of this blog.

            Regards,
            Graham

  12. Hi Graham,
    Have Emailed you on this !

    A cert issued by a Windows CA will work with Outlook Anywhere,
    but not a self-signed cert.

    Thank you !

  13. Hi there, I found your web site via Google at the same time as searching for a related subject, your site came up, it looks great. I’ve bookmarked it in my google bookmarks.

  14. You are very helpful. Keep doing the good work. It inspires junior admins like me.

  15. Asking questions are in fact good thing if you are not understanding something completely, except this article provides good understanding even.

  16. Jaison Joseph Samuel

    Hi Satheshwaran,

    Thank you for sharing the knowledge. I was looking for such informative articles. I am trying all sorts of tests to master the Exchange Server domain in my lab environment.
    Once again, thanks bro!

  17. On step 3 you have the domain mail.careexchange.in but the OWA URL doesn’t point to the same address. Rather, it’s the FQDN of your Exchange server, which is not correct.

    You should be able to login to OWA using https://mail.careexchange.in/owa

  18. On step 3 you have the domain mail.careexchange.in but the OWA URL doesn’t point to the same address. Rather, it’s the FQDN of your Exchange server, which is not correct.

    Aren’t you able to login to https://mail.careexchange.in/owa or you just mentioning the server fqdn?
    You should be able to login to OWA using https://mail.careexchange.in/owa

  19. This unique material you presents in this article is a top-notch and great matter. Captivating strategy and also structure in composition. Keep writing this kind of useful details.

  20. My cert is working on the server but I get an error on the client PC. I have also installed it to Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities, but still get an error with Internet Explorer 9. Kindly guide me.

  21. Facing the same issue as Graham. Email me.

  22. I have done these steps several times, yet now my exchange does not work anymore. Clients can’t connect with web or outlook. So maybe article is helpful but in my case it set me back to the dark ages.

    • If you already had a self-signed cert, after doing these steps you have to place the new cert on all your devices.

      That’s the only situation where connected devices go disconnected, and that’s the disadvantage of a self-signed cert.

  23. Thanks for quick reply.
    But certificate does not even show on Exchange or in certificates. I confirmed that I do not have that thumbprint anywhere
    So how can I revert back, make a normal self-signed certificate and leave things as they were?

  24. This is simply superb. . . I love this site 🙂

  25. Thanks on your marvelous posting! I actually enjoyed reading it, you might be a
    great author. I will always bookmark your blog and will come back in the foreseeable
    future. I want to encourage you continue your great writing, have a nice holiday weekend!

  26. Thanks a lot !!!

  27. Hi Satheesh,

    First of all great blog! Congrats for that.

    I’ve a query. My self-signed cert for Ex2k10 expired and I’ve renewed it using the cmdlet
    Get-ExchangeCertificate -thumbprint “9XXXXXX” | New-ExchangeCertificate
    and removed the expired certificate.

    However, I didn’t do it through the internal CA which we already have in place.
    Now, I had to install the cert manually on all clients. I tried to renew the Cert again from EMC> Server config , but since the cert is already renewed and valid am unable to make a cert request out of that.
    Is there any way so that I can renew a valid certificate or do I have to create a new certificate request in order to create a different certificate through internal CA? please advise.

    Thanks and Regards,
    Nitbinz

    • Import the Certificate Directly and Assign the Services to the Imported Certificate

      • I did it and the certificate is already in place. However, since I couldn’t make it with an Internal CA, unable to put the same in Trusted Root Certificates via Group policy in Client Computers.
        Now I’m installing it manually in client PC’s when I get cert error.

        Is there anyway so that I can put the cert in Client PC’s Trusted Root certificates via GPO.

        Regards,
        Nitbinz

  28. Excellent Bro..! Pretty much awesome site.. 🙂

  29. Muhammed shahinsha

    really good

  30. Hi Satheshwaran,

    I hope I had seen this earlier. What a clear step-by-step
    migration guide from Exchange 2003 to 2010.

    I have a question related to generating the CSR code for a new Exchange Certificate.
    Let’s say in a migration process (one Exchange2003 and one Exchange2010 scenario) your “Domain name you use to access Outlook Web App internally” in the Client Access server configuration section is servername.child.domain.com while your OWA on the internet is mail.domain.com.

    1-What should I put for “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector? I put “mail.domain.com”

    I am asking this because by default if I were to check “Use Hub Transport server for POP/IMAP client submission”, the FQDN of the connector turns out to be auto-filled as “child.domain.com,domain.com”. Is it how it is also supposed to be for the “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector?

    2-Even though I used the following while generating the code (with DigiCert):
    a- Outlook Web App as “mail.domain.com”
    b-ActiveSyn as “mail.domain.com”
    c-Autodiscover as “autodiscover.domain.com”
    d-legacy as “legacy.motovan.com”

    and the names on the certificate are:
    http://www.domain.com
    mail.domain.com
    autodiscover.domain.com
    domain.com

    Note: The server FQDN (servername.child.domain.com) and child.domain.com were not included on the cert.

    the “security alert” window still managed to pop up for some internal users. I am pretty confused why only some people are receiving it and not everyone. However, when I tried to load my own Outlook profile on a new VM, I received the same “security alert” warning which I never received after the certificate was installed on my original PC, putting a red cross at “The name on the security certificate is invalid or does not match the name of the site” referring to servername.child.domain.com.

    DigiCert wants me to add the FQDN of the server to resolve the issue, is there any other alternative since I left the FQDN of the server out intentionally.

    3- Should “child.domain.com” also be included on the certificate.

    4-Am I missing DNS entries or extra configurations must be done in IIS?

    I am just pretty confused about this. Can you please clarify this for me?

    Thanks in advance for this great site.

  31. Very well documented step by step instructions and hugely useful, Thank You.

  32. Wonderful…. everything described very well….. very appreciable.. Thanks

  33. Awesome issues here. I’m very happy to look your article. Thank you so much and I am having a look forward to contact you.

    Will you please drop me a e-mail?

  34. Hi Satheshwaran

    How can I configure back the self-signed certificate on my exchange server 2010 if something goes wrong with windows internal CA certificate configuration you described.

    thanks in advance


  36. I do not even know how I ended up right here, however I thought this post was once good.
    I don’t recognize who you are but definitely you are going to a famous blogger if you happen to aren’t already.

    Cheers!

  37. This piece of writing provides clear idea for the new
    people of blogging, that really how to do blogging and site-building.
