ratishnair -> RE: certificate for ssl (owa use) (8.May2009 3:06:27 AM)
To generate a Certificate Signing Request (CSR) on an Exchange 2007 server:
1. Open the Exchange MMC. Start, All Programs, Microsoft Exchange Server 2007, Exchange Management Console.
2. Scroll down the opening screen until you see: Configure SSL for your Client Access Server. Click on this link. This will open a help window describing the steps to go through for this process.
3. If you don't see it, scroll down the window until you see the text: 1. Open the Exchange Management Shell. Click on this link which will open the command line (PowerShell) based window.
4. At this command line enter the following command making modifications to variables as needed (underlined items):
a. New-ExchangeCertificate -GenerateRequest -domainname webmaileu.company.org,autodiscovereu.company.org,vuk43xch01.ctsorg.company.org -FriendlyName webmaileu.company.org -subjectname "O= Corporation, OU=Company, C=US, S=State, L=City, CN=webmaileu.company.org" -privatekeyexportable:$true -path c:\webmaileu-csr.txt
5. If the command runs successfully, a CSR file will be created in the path described in the command.
6. This CSR file will be used by the Certificate Authority (CA) to generate a trusted certificate and private key for this server.
7. Once the certificate information is returned it will need to be imported on the client access server. This is done by the following steps:
a. The certificate text file should be saved on a location where the client access server can access the file.
b. If the Exchange Management Shell is not open, it will need to be opened.
c. Run the following command, making changes as needed to the underlined variables:
i. "Import-ExchangeCertificate -path c:\webmaileu.cer"
8. We now need to locate this certificate & its thumbprint to install into IIS and update the self-signed certificate. This is done by the following steps:
a. While at the command prompt in the Exchange Management Shell, type "dir cert:\LocalMachine\My | fl" and press enter.
b. Locate the certificate with the right Subject name and FriendlyName for this server.
c. Copy the Thumbprint to the clipboard.
d. At the command prompt type: Enable-ExchangeCertificate -Thumbprint <value copied to clipboard> -Services "IIS, IMAP, POP" and press enter.
9. The IIS virtual directories now need to be configured to use SSL. This is done by the following steps:
a. Under Default Web site, select the virtual directory that you want, for example, "owa".
b. Right-click the virtual directory, and then click "Properties".
c. Click the "Directory Security" tab.
d. In the "Secure Communications" section, click "Edit".
e. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
f. Click "OK" to save your changes.
g. Restart IIS to ensure settings are saved.
Basically the same certificate gets installed on both the CAS and ISA servers.
Once the same is done, your users will have to use HTTPS for sure and if they use HTTP, they will get a page which says "This connection should be viewed over a secure channel"
You can also redirect HTTP requests to HTTPS following: http://technet.microsoft.com/en-us/library/aa998359.aspx
Hope that answers your question :-)
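As an added example that is not part of ratishnair's post: an Exchange Management Shell snippet that checks the imported certificate before step 8's Enable-ExchangeCertificate binds it to IIS, so a self-signed, expired or incomplete certificate is not put in front of OWA by mistake. The host names and friendly name are the ones used in the post's CSR; the Get-ExchangeCertificate properties used (CertificateDomains, IsSelfSigned, HasPrivateKey, NotAfter, Services) are standard on the Exchange certificate object, and the 30-day renewal threshold is an assumed value.

```powershell
# Added example (not from the original post): verify the imported certificate
# before binding it with Enable-ExchangeCertificate. Names are taken from the
# CSR in the post above; adjust them for your own site.
$requiredNames = @('webmaileu.company.org', 'autodiscovereu.company.org', 'vuk43xch01.ctsorg.company.org')
$friendlyName  = 'webmaileu.company.org'

# Candidates: CA-issued (not self-signed), private key present, matching
# friendly name, not yet expired.
$candidates = Get-ExchangeCertificate | Where-Object {
    $_.FriendlyName -eq $friendlyName -and
    -not $_.IsSelfSigned -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $candidates) {
    throw "No CA-issued certificate with friendly name '$friendlyName' and a private key was found."
}

# If several were imported over time, prefer the longest-lived one.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Every name clients connect to (OWA, Autodiscover, the server's own FQDN)
# must be in the certificate's SAN list, or users get name-mismatch warnings.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing   = $requiredNames | Where-Object { $certNames -notcontains $_.ToLower() }
if ($missing) {
    throw "Certificate $($cert.Thumbprint) does not cover: $($missing -join ', ')"
}

# Assumed threshold: warn when renewal is due within 30 days.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); plan the renewal."
}

# Bind the verified certificate. Drop -Confirm:$false to review the binding interactively.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS, IMAP, POP' -Confirm:$false

# Confirm that only the intended certificate is now assigned to IIS.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-Table Thumbprint, IsSelfSigned, NotAfter, FriendlyName -AutoSize
```

Run it in the Exchange Management Shell on the Client Access Server after step 7's Import-ExchangeCertificate; it stops with an error instead of enabling anything if the checks fail.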