certificate for ssl (owa use)



ancos -> certificate for ssl (owa use) (26.Feb.2009 4:49:39 AM)


I read all the articles I could find, but I still don't get it. I bought an SSL certificate (www-domainname-com.cer) and don't know exactly what to do next. For instance, how should I import it into my Exchange??? What I did was open the MMC, Certificates (Local Computer), and import the certificate into Personal/Certificates.
But my OWA (from inside the domain) still doesn't work. I changed at my IIS (default website) the home directory (a redirection to a URL /owa) and added the internal URL https://servername.domain.lan/owa and external name https://servername.domain.com/owa. I added in my DNS an A record for my OWA that points to my internal mail server address, and the A record is named owa.
I do know that for the external side, I need to add an ISA rule (because we are using ISA 2006). But when I wanted to add a web access rule in ISA, ISA told me that my certificate hasn't got a private key. I really find this hard, even with the many tutorials, and am desperate. Of course I am doing things wrong but I don't know what, and all the articles don't work. I hope my question isn't too confusing, although certificates and SSL for OWA are very hard to understand.

Think I am gonna get drunk because I've already been playing 4 days with this now and it still doesn't work.

pjhutch -> RE: certificate for ssl (owa use) (26.Feb.2009 12:07:28 PM)

There are different ways of generating an SSL certificate:
a) Use Certreq.exe
b) Use IIS, Directory Security, Server Certificate wizard
c) Use the New-ExchangeCertificate method.

You send a request file to your CA provider. They will provide a file (a .pem file in my case) which you need to combine with the pending cert request which will create a certificate with the public/private key combination (usually in .pfx format).

On the SAME server you generated the request file on, you then import your cert file:
Import-ExchangeCertificate -path mycert.cer

Find out the thumbprint code by typing Dir cert:\LocalMachine\My | fl and copying it to the clipboard.
Enable the certificate using:
Enable-ExchangeCertificate <thumbprint> -Services "IIS,IMAP,POP"

Full instructions are in the Exchange Management Console, Microsoft Exchange,
Finalize Deployment screen, and click on 'Configure SSL for your Client Access Server'.

mdecourcy -> RE: certificate for ssl (owa use) (26.Feb.2009 12:14:13 PM)

I don't know how you generated the certificate request but since you've already imported it to your Certificate Store do this:

Open the Exchange Management Shell and use the following command:


Copy the thumbprint of the certificate you want to use and use the following command:
Enable-ExchangeCertificate -Thumbprint <string> -Services "SMTP"
(sub the copied thumbprint for <string>)

Open the IIS manager and drill down to the site your Exchange virtual folders are in.

Right click the site and select properties.

Go to the Directory Security tab and Server Certificate.

Follow the Wizard to use an existing Certificate and apply the cert you bought.

ancos -> RE: certificate for ssl (owa use) (26.Feb.2009 12:14:44 PM)

Will give it another try tomorrow; thanks for the reply.

ancos -> RE: certificate for ssl (owa use) (26.Feb.2009 1:55:06 PM)

Did what mdecourcy advised me to do; that seemed to go all right. Did an export from IIS (default website); Copy to File; could only choose between DER-encoded, Base64 and Cryptographic Message. The Personal Information Exchange options were greyed out. I chose DER-encoded (in my second attempt I chose Cryptographic). Imported that at my ISA IIS. Started adding the listener; but still the certificate is invalid. Incorrectly installed/private key not installed.
So I am still doing something wrong. The problem is, today is the third day I am trying to get it to work; I can't recall what I tried and didn't try.

ancos -> RE: certificate for ssl (owa use) (26.Feb.2009 2:02:26 PM)

Just noticed that my web access isn't working anymore. I receive an "Internet Explorer cannot display this page" error. Pffff, situations like this aren't explained in books [:)]
Although this might be caused because we are using a different webmail address for my OWA for internal and external. External it is: owa.mycompany.com and internal it's owa.mycompany.net; maybe something went wrong with the IIS home directory option and with the Exchange internal and external URL.

pjhutch -> RE: certificate for ssl (owa use) (26.Feb.2009 5:58:55 PM)

The certificate you get from the CA is only half of the certificate; it has to be combined with the request to get the full certificate. You can tell by opening Certificates.msc and looking at the certificate: it always has a key icon on it and it should say 'You have a private key that corresponds to this certificate'.

Have you run Import-ExchangeCertificate on your server!

Also, if you are using different URLs to access OWA, then when you first create the certificate you must include all the Subject Alternative Names so that the certificate will apply to your main URL and the others as well!

ancos -> RE: certificate for ssl (owa use) (27.Feb.2009 2:57:28 AM)

When I check for the private key part, I don't see it; can I fix that??
Also, when I check the subject alternative names, I see a DNS name for my company, www.mycompany.com; for autodiscover: autodiscover.mycompany.com; for my webmail: owa.mycompany.com; and I see mycompany.com.
I don't see the internal address for my OWA; so I think I missed that, although users should be able to use the internal address for the OWA without SSL, or??

pjhutch -> RE: certificate for ssl (owa use) (27.Feb.2009 5:25:07 AM)

How did you set up the request for the certificate? Did you use IIS, Certreq, or the New-ExchangeCertificate method? Or did you use the OpenSSL tool?

If you used IIS, you need to run the Server Certificate wizard to complete the certificate and it will generate a full cert with the private key. For Certreq use the -Accept option with the appropriate files. For PowerShell, use Import-CertificateRequest -path <file> to complete the certificate and it will install it into the certificate store for you, completed.

ancos -> RE: certificate for ssl (owa use) (27.Feb.2009 5:32:08 AM)

I used the Exchange Management Shell and GlobalSign's website.

ancos -> RE: certificate for ssl (owa use) (27.Feb.2009 7:00:15 AM)

Webmail without SSL is working again; had to enable SSL at the default website.

thehutch -> RE: certificate for ssl (owa use) (16.Apr.2009 3:36:07 PM)

This was a confusing item for me to figure out as well but I found this site that helps with the certificate generation.


I was able to use this form to create the certificate request from my CAS server's PowerShell. You may want to go back and enter the information in your certificate into the form and see if a vital piece is missing. The key part of this is the alternate names field. If you plan to secure the public URL that your OWA is hosted on, you want to include it in the alternate names field.

ratishnair -> RE: certificate for ssl (owa use) (8.May2009 3:06:27 AM)

To generate a Certificate Signing Request (CSR) on an Exchange 2007 server:

1. Open the Exchange MMC. Start, All Programs, Microsoft Exchange Server 2007, Exchange Management Console.
2. Scroll down the opening screen until you see: Configure SSL for your Client Access Server. Click on this link. This will open a help window describing the steps to go through for this process.
3. If you don’t see it, scroll down the window until you see the text: 1. Open the Exchange Management Shell. Click on this link which will open the command line (Powershell) based window.
4. At this command line enter the following command making modifications to variables as needed (underlined items):
a. New-ExchangeCertificate -GenerateRequest -domainname webmaileu.company.org,autodiscovereu.company.org,vuk43xch01.ctsorg.company.org -FriendlyName webmaileu.company.org -subjectname "O= Corporation, OU=Company, C=US, S=State, L=City, CN=webmaileu.company.org" -privatekeyexportable:$true -path c:\webmaileu-csr.txt
5. If the command runs successfully, a CSR file will be created in the path described in the command.
6. This CSR file will be used by the Certificate Authority (CA) to generate a trusted certificate and private key for this server.
7. Once the certificate information is returned it will need to be imported on the client access server. This is done by the following steps:
a. The certificate text file should be saved on a location where the client access server can access the file.
b. If the Exchange Management Shell is not open, it will need to be opened.
c. Run the following command, making changes as needed to the underlined variables:
i. Import-ExchangeCertificate -path c:\webmaileu.cer
8. We now need to locate this certificate & its thumbprint to install into IIS and update the self-signed certificate. This is done by the following steps:
a. While at the command prompt in the Exchange Management Shell, type dir cert:\LocalMachine\My | fl and press Enter.
b. Locate the certificate with the right Subject name and FriendlyName for this server.
c. Copy the Thumbprint to the clipboard.
d. At the command prompt type Enable-ExchangeCertificate -thumbprint <value copied to clipboard> -services "IIS, IMAP, POP" and press Enter.
9. The IIS virtual directories now need to be configured to use SSL. This is done by the following steps:
a. Under Default Web site, select the virtual directory that you want, for example, "owa".
b. Right-click the virtual directory, and then click "Properties".
c. Click the "Directory Security" tab.
d. In the "Secure Communications" section, click "Edit".
e. In the "Secure Communications" dialog box, make sure that both the "Require secure channel (SSL)" check box and the "Require 128-bit encryption" check box are selected.
f. Click "OK" to save your changes.
g. Restart IIS to ensure settings are saved.

Basically the same certificate gets installed on both the CAS and ISA servers.
Once that is done, your users will have to use HTTPS for sure, and if they use HTTP they will get a page which says "This connection should be viewed over a secure channel".
You can also redirect HTTP requests to HTTPS following: http://technet.microsoft.com/en-us/library/aa998359.aspx
Hope that answers your question :-)
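The procedure above, pjhutch's point about Subject Alternative Names, and the "no private key" error ISA gave the original poster, put together as one Exchange Management Shell script. This is an added example, not code from the thread; all host names are assumed placeholders, and Export-ExchangeCertificate is assumed to be available (it ships with Exchange 2007 SP1).

```powershell
# Added example (not from the thread): request, import, verify, enable and export
# an OWA certificate from the Exchange Management Shell on the Client Access Server.
# All host names below are assumed placeholders; substitute your own.
$externalName = "owa.mycompany.com"        # name users type from the internet
$internalName = "owa.mycompany.net"        # name users type on the LAN
$casFqdn      = "cas01.mycompany.net"      # assumed internal FQDN of the CAS

# 1. Generate the CSR on the CAS itself, so the private key is created in, and
#    stays in, this server's LocalMachine\My store. Every name that will ever be
#    typed into a browser goes into -DomainName (the subject alternative names).
New-ExchangeCertificate -GenerateRequest `
    -DomainName $externalName,$internalName,$casFqdn,"autodiscover.mycompany.com" `
    -FriendlyName $externalName `
    -SubjectName "C=US, O=MyCompany, CN=$externalName" `
    -PrivateKeyExportable:$true `
    -Path C:\owa-csr.txt
# ... submit C:\owa-csr.txt to the CA and save the issued cert as C:\owa.cer ...

# 2. Import on the SAME server: this joins the CA's answer to the pending request.
Import-ExchangeCertificate -Path C:\owa.cer

# 3. Find the imported cert and verify it before touching IIS or ISA.
$cert = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains $externalName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if ($cert -eq $null) { throw "No CA-issued certificate for $externalName found" }

# A cert without a private key is exactly what ISA rejects when building the listener.
if (-not $cert.HasPrivateKey) {
    throw "Thumbprint $($cert.Thumbprint) has no private key: import it on the server that generated the CSR"
}
# Any name missing from the SAN list will produce a browser warning on that URL.
$missing = @($externalName, $internalName, $casFqdn) |
    Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw ("Certificate does not cover: " + [string]::Join(", ", @($missing))) }

# 4. Bind it to the Exchange services (replaces the self-signed certificate on IIS).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP"

# 5. For ISA, export a PFX (private key included), not a .cer from the IIS export wizard.
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path C:\owa-for-isa.pfx -Password (Read-Host "PFX password" -AsSecureString)
```

Import the resulting PFX into the ISA server's Local Computer\Personal store before creating the web listener; the .cer exports offered by the IIS wizard never carry the private key, which is why the listener reported it as missing.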

Gunnerrav -> RE: certificate for ssl (owa use) (12.May2013 3:40:35 AM)

Hi there,

I am facing a similar problem. My issue is that as soon as I copy my certificate from my local Windows XP SP3 machine to my HUB/CAS, which is running Windows Server 2003 SP2 R2 64-bit Enterprise Edition, it says that the digital signature is invalid.

I have already placed the certificate chains in Trusted and Intermediate Root, and if I check them they also say that the digital signature is invalid.

Should I import the certificate using an import command anyway???
