Installing SSL Certificate Exchange 2010 (Full Version)



stosti -> Installing SSL Certificate Exchange 2010 (3.Jul.2010 9:28:42 AM)

Hi,

I'm trying to generate a certificate request in Exchange 2010 for a third party certificate. I get as far as the "new exchange certificate" page and have no idea what to do with the certificate request file path. The TechNet article says to pick a directory and file name. Can I create a folder called certs and make the filename tnt certificate? The name tnt is not the name of the URL to enter to get to Outlook Web Access.

Is there another way to do this? I moved a certificate from my Exchange 2003 server to an Exchange 2010 server without issue with the certificate import feature. I was successful because it did not ask any questions!

Thanks,
Scott




pjhutch -> RE: Installing SSL Certificate Exchange 2010 (3.Jul.2010 3:18:58 PM)

If you have an existing certificate you can export it from one server (make sure the private key is included) and import it onto another server.

If you need a brand new certificate then use the New-ExchangeCertificate command to create a cert request file in a given folder e.g. c:\Certs\request.txt, then use that file to be passed to a Certificate Authority. Also, when creating a request file, a private key is generated (BTW, this is hidden). The CA generates a certificate and returns a file back which you combine with the request file and private key to create a valid certificate.

If IIS is installed on the server (and does not already have a certificate), you can use IIS manager and on Directory Security tab, use the Certificate wizard to generate a request file.

Alternatively, you can use the free OpenSSL or the keytool with Java JRE to create certificate requests and certificates.




stosti -> RE: Installing SSL Certificate Exchange 2010 (3.Jul.2010 4:26:57 PM)

Thanks!

I tried with IIS 7.0 and failed... I was able to generate one in Exchange and buy a GoDaddy certificate, complete the install and define what it will be used for. It is working fine for OWA and Active Sync with my iPhone. Where I got stuck was the end where it wanted a directory and name. It did not make it a txt file. I did not recognize the file type but Notepad did.

I have always generated them in IIS so this is a little different for me. Once I did it once it was really not all that hard.

I don't see anywhere in Exchange where you can set the encryption level. By default you get a 2048 cert. That is the minimum GoDaddy will accept now.

Scott
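
The request, import and enable steps discussed in the posts above, written out for the Exchange Management Shell, including the key size that the wizard does not expose. This is an added example, not part of any poster's message; the host names, organisation string, friendly name and the issued.cer file name are placeholder assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# All names and paths are placeholders (assumptions), not values from a real deployment.
$names   = 'mail.mycompany.com', 'autodiscover.mycompany.com'
$reqFile = 'C:\Certs\request.txt'      # any folder and file name will do
$cerFile = 'C:\Certs\issued.cer'       # file returned by the CA (assumed name)

# 1. Generate the request. The key pair is created and kept on this server;
#    only the request (public key plus names) is written to disk for the CA.
#    -DomainName fills the Subject Alternative Names; -KeySize sets the RSA size.
#    Use -PrivateKeyExportable $false unless the cert must be moved to another server.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=My Company, cn=$($names[0])" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 third-party cert'
Set-Content -Path $reqFile -Value $req

# 2. After the CA returns the certificate, import it on the SAME server so it
#    is paired with the pending private key from step 1.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))

# 3. Check the result before binding it to any service: the private key must
#    be present and every name clients will connect to must be on the cert.
$onCert  = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
$missing = @($names | Where-Object { $onCert -notcontains $_ })
$cert | Format-List Thumbprint, Subject, CertificateDomains, HasPrivateKey, NotAfter

if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key: the request was generated on a different server.'
} elseif ($missing.Count -gt 0) {
    Write-Warning "Names not covered by the certificate: $($missing -join ', ')"
} else {
    # 4. Bind the certificate to IIS (OWA, ActiveSync, Outlook Anywhere).
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
}
```

The name check is a literal string comparison, so a wildcard certificate will be reported as missing the individual host names and needs to be checked by eye.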




RobH -> RE: Installing SSL Certificate Exchange 2010 (22.Jul.2010 9:52:08 AM)

I also got a GoDaddy Cert (good price) but I can't seem to get it right for Outlook Anywhere.

OWA works fine, Outlook Anywhere works for Outlook 2007 SP2 only. I tried the Exchange Connectivity test and it said it worked but with warnings.

What I'm unsure about is what to set as the 'Subject Alternative Names'.

I've set the default as xyz.domain.com and my internal domain is domain.lan and the server is exchange.domain.lan so what goes on the certificate?

I really need Outlook AnyWhere to work with Outlook 2003.




pjhutch -> RE: Installing SSL Certificate Exchange 2010 (22.Jul.2010 10:30:55 AM)

1. You need a Host (A) and SRV record in DNS for autodiscovery to fully work with Outlook 2003 or later.

2. Subject alternative names. Some CAs allow multiple names to be applied to a certificate as well as the primary name. My CA does not recognise them, so you can leave it blank.

3. It should match the external name you have configured on the Client Access servers and the name that matches the url to access OWA from the internet. e.g. mail.mycompany.com




RobH -> RE: Installing SSL Certificate Exchange 2010 (22.Jul.2010 10:47:54 AM)

quote:

ORIGINAL: pjhutch

1. You need a Host (A) and SRV record in DNS for autodiscovery to fully work with Outlook 2003 or later.

2. Subject alternative names. Some CAs allow multiple names to be applied to a certificate as well as the primary name. My CA does not recognise them, so you can leave it blank.

3. It should match the external name you have configured on the Client Access servers and the name that matches the url to access OWA from the internet. e.g. mail.mycompany.com



Call me DUMB but I've never had to use an SRV record - how are they structured in this case?

I have server webmail.domain.com and webmail.domain.lan so what SRV record do I set up?




pjhutch -> RE: Installing SSL Certificate Exchange 2010 (22.Jul.2010 11:50:52 AM)

SRV record example

Service: _autodiscover
Protocol: _tcp
Priority: 0
Weight: 0
Port: 443
Host: webmail.domain.com




e_aravind -> RE: Installing SSL Certificate Exchange 2010 (28.Jul.2010 3:33:34 PM)

I have a slightly different opinion here.

As per http://support.microsoft.com/kb/940881:
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service

Only Outlook 2k7 and above will make use of the SRV record during autodiscovery.

For OL2k3:
Check that the cert warning is not occurring when you access the OAnywhere URL.
(Check that the URL on the CAS server properties, 3rd tab, matches the name in the cert's issued-to value.)



