Exchange Server Forums
Installing SSL Certificate Exchange 2010
Installing SSL Certificate Exchange 2010 - 3.Jul.2010 9:28:42 AM
stosti
Posts: 58
Joined: 13.Sep.2002
From: NH
Status: offline
Hi, I'm trying to generate a certificate request in Exchange 2010 for a third party certificate. I get as far as the "new exchange certificate" page and have no idea what to do with the certificate request file path. The TechNet article says to pick a directory and file name. Can I create a folder called certs and make the filename tnt certificate? The name tnt is not the name of the URL to enter to get to Outlook Web Access. Is there another way to do this? I moved a certificate from my Exchange 2003 server to an Exchange 2010 server without issue with the certificate import feature. I was successful because it did not ask any questions!

Thanks, Scott
RE: Installing SSL Certificate Exchange 2010 - 3.Jul.2010 3:18:58 PM
pjhutch
Posts: 3578
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
If you have an existing certificate you can export it from one server (make sure the private key is included) and import it onto another server.

If you need a brand new certificate then use the New-ExchangeCertificate command to create a cert request file in a given folder, e.g. c:\Certs\request.txt, then use that file to be passed to a Certificate Authority. Also, when creating a request file, a private key is generated (BTW, this is hidden). The CA generates a certificate and returns a file back which you combine with the request file and private key to create a valid certificate.

If IIS is installed on the server (and does not already have a certificate), you can use IIS Manager and, on the Directory Security tab, use the Certificate wizard to generate a request file. Alternatively, you can use the free OpenSSL or the keytool with the Java JRE to create certificate requests and certificates.
_____________________________
Peter Hutchison MCP Exchange Administrator University of Huddersfield
RE: Installing SSL Certificate Exchange 2010 - 3.Jul.2010 4:26:57 PM
stosti
Posts: 58
Joined: 13.Sep.2002
From: NH
Status: offline
Thanks! I tried with IIS 7.0 and failed... I was able to generate one in Exchange and buy a GoDaddy certificate, complete the install and define what it will be used for. It is working fine for OWA and Active Sync with my iPhone. Where I got stuck was the end where it wanted a directory and name. It did not make it a txt file. I did not recognize the file type but Notepad did. I have always generated them in IIS so this is a little different for me. Once I did it once it was really not all that hard. I don't see anywhere in Exchange where you can set the encryption level. By default you get a 2048 cert. That is the minimum GoDaddy will accept now.

Scott
RE: Installing SSL Certificate Exchange 2010 - 22.Jul.2010 9:52:08 AM
RobH
Posts: 74
Joined: 9.Oct.2002
From: UK
Status: offline
I also got a GoDaddy Cert (good price) but I can't seem to get it right for Outlook Anywhere. OWA works fine, Outlook AnyWhere works for Outlook 2007 SPK2 only. I tried the Exchange Connectivity test and said it worked but with warnings. What I'm unsure about is what to set as the 'Subject Alternative Names'. I've set the default as xyz.domain.com and my internal domain is domain.lan and the server is exchange.domain.lan so what goes on the certificate? I really need Outlook AnyWhere to work with Outlook 2003.
RE: Installing SSL Certificate Exchange 2010 - 22.Jul.2010 10:30:55 AM
pjhutch
Posts: 3578
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
1. You need a Host (A) and SRV record in DNS for autodiscovery to fully work with Outlook 2003 or later.
2. Subject alternative names. Some CAs allow multiple names to be applied to a certificate as well as the primary name. My CA does not recognise them, so you can leave it blank.
3. It should match the external name you have configured on the Client Access servers and the name that matches the URL to access OWA from the internet, e.g. mail.mycompany.com
_____________________________
Peter Hutchison MCP Exchange Administrator University of Huddersfield
RE: Installing SSL Certificate Exchange 2010 - 22.Jul.2010 10:47:54 AM
RobH
Posts: 74
Joined: 9.Oct.2002
From: UK
Status: offline
quote:
ORIGINAL: pjhutch
1. You need a Host (A) and SRV record in DNS for autodiscovery to fully work with Outlook 2003 or later.
2. Subject alternative names. Some CAs allow multiple names to be applied to a certificate as well as the primary name. My CA does not recognise them, so you can leave it blank.
3. It should match the external name you have configured on the Client Access servers and the name that matches the URL to access OWA from the internet, e.g. mail.mycompany.com

Call me DUMB but I've never had to use a SRV record - how are they structured in this case? I have server webmail.domain.com and webmail.domain.lan so what SRV record do I set up?
RE: Installing SSL Certificate Exchange 2010 - 22.Jul.2010 11:50:52 AM
pjhutch
Posts: 3578
Joined: 21.Jul.2001
From: W Yorks, England
Status: offline
SRV record example

Service: _autodiscover
Protocol: _tcp
Priority: 0
Weight: 0
Port: 443
Host: webmail.domain.com
_____________________________
Peter Hutchison MCP Exchange Administrator University of Huddersfield
RE: Installing SSL Certificate Exchange 2010 - 28.Jul.2010 3:33:34 PM
e_aravind
Posts: 118
Joined: 6.Mar.2005
From: India
Status: offline
I have a slightly different opinion here, as per http://support.microsoft.com/kb/940881

"A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service"

Only from Outlook 2k7 and above will make use of the SRV record during the autodiscovery.

For OL2k3: Check if the cert. warning is not occurring when u access the OAnywhere URL (check if the URL on CAS-server properties 3rd tab is matching with the name on the cert. issued-to value).
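
The request, import and name-matching steps discussed in this thread, as an added example that is not part of any poster's reply: it generates a 2048-bit request with subject alternative names, imports the CA's response, and checks that the Outlook Anywhere external hostname is on the certificate. The hostnames, organisation name and the `response.crt` file name are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Hostnames, organisation and file paths are placeholders (assumptions).
$primary = 'mail.example.com'
$sans    = $primary, 'autodiscover.example.com'

# Generate the key pair and the PKCS#10 request. The private key stays in the
# server's certificate store; only the request text is sent to the CA.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=$primary" `
    -DomainName $sans `
    -KeySize 2048 `
    -PrivateKeyExportable $true   # only needed if the cert must move to another server

# Exchange 2010 returns the request as text; folder, file name and extension
# are a free choice and do not have to match the OWA URL.
Set-Content -Path 'C:\Certs\request.txt' -Value $request

# Later, once the CA has returned the signed certificate: import it on the same
# server (this pairs it with the pending private key) and assign it to IIS.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path 'C:\Certs\response.crt' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check that every name clients connect to is present on the certificate.
$onCert = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$needed = @($primary) + @(Get-OutlookAnywhere |
    Where-Object { $_.ExternalHostname } |
    ForEach-Object { $_.ExternalHostname.ToString() })
foreach ($name in ($needed | Select-Object -Unique)) {
    if ($onCert -contains $name) { "OK       $name" }
    else                          { "MISSING  $name" }
}
```

The comparison is an exact, case-insensitive match, so a wildcard entry on the certificate is reported as MISSING for the hostnames it would cover.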