Exchange 2007 certificate.

Exchange 2007 certificate. - 10.May2013 4:45:17 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
We are using Windows Server 2003 SP2R2 Enterprise 64-bit edition and we have Exchange 2007 installed on it. Users log onto our email server for their emails. We are now thinking of getting an SSL certificate to establish trust.

When the user logs onto our domain name, the request first goes to our ISA server, which we are using as a proxy server, from where it is redirected towards our HUB CAS server. We are publishing our site using IIS.

Last time someone tried to generate the CSR from HUBCAS, Active Directory generated a certificate on its own and the certificate we got from the CA was deemed useless. So what should be the next course of action?

Do we need to get a new certificate, and if yes, from where should we generate the CSR?

I am a novice at Exchange, still learning the nitty-gritties; all this is new to me. Please bear with me. Any help will be greatly appreciated.
Post #: 1
RE: Exchange 2007 certificate. - 10.May2013 5:39:11 AM   
mohammed.yusuf

 

Posts: 96
Joined: 28.Sep.2011
From: Lancashire
Status: offline
Hi Gunnerrav,
My advice would be to get the certificate from a 3rd party like GoDaddy, Entrust, Comodo, Thawte etc.
To Generate a Certificate Signing Request — Microsoft Exchange Server 2007
Click Start, All Programs, and then Microsoft Exchange Server 2007.
Click Exchange Management Shell.
Copy the following command and paste it into a plain-text editor like Windows Notepad in order to edit some of the fields:

New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=Your Country, l=Your Locality/City, s=Your State, o=Your organisation Name,cn=YourMainDomain.com" -domainname SubjectAlternativeName1, SubjectAltName2, SubjectAltName3, SubjectAltName4 -PrivateKeyExportable $true -path c:\certrequest.txt
You can add -PrivateKeyExportable $True if you want to enable export of the requested certificate so you can import it into a client's computer or server.

c — Two-letter country code of your organization's country of residence
l — Full name of your organization's locality or city
s — Full name of your organization's state or province
o — Your Organization's legally registered name (company or person's first and last name)
cn — The first/main Fully Qualified Domain Name (FQDN) to be secured that will always be visible in the certificate details

-domainname — The comma-separated list of additional domains that are included in your certificate and referred to as Subject Alternative Names (SANs). Deciding what SANs to use depends on the services you are running. You need to know how your server is configured to properly secure everything. But, depending on your configuration, consider adding the following SANs:
The external name that people use to send and receive mail, i.e. mail.myemail.com, where myemail.com is your domain name.

There is lots of information and there are companies out there who provide SSL certificates and support if required.

(in reply to Gunnerrav)
Post #: 2
RE: Exchange 2007 certificate. - 10.May2013 5:56:58 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
Thank you mohammed.yusuf,

Yes, we are getting a third party certificate. So I should log onto my HUBCAS and generate a CSR using the Exchange Management Shell.

I followed the same procedure earlier, but Active Directory automatically generated a certificate corresponding to the CSR I generated, which led to an invalid signature on the certificate we received from the third party.

(in reply to mohammed.yusuf)
Post #: 3
RE: Exchange 2007 certificate. - 10.May2013 6:03:14 AM   
mohammed.yusuf

 

Posts: 96
Joined: 28.Sep.2011
From: Lancashire
Status: offline
Hi

When you run the command, does it generate the cert.txt in C drive?

If it does, all you need to do is go to the 3rd party website, locate cert.exe, open it with Notepad and copy from Begin New--- End Certificate Request for the certificate request.
Active Directory does not generate certificates, at least not in my organization.

(in reply to Gunnerrav)
Post #: 4
RE: Exchange 2007 certificate. - 10.May2013 6:16:41 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
Hi,

Yes, the file is generated and I get the thumbprint as well.
I thought the same with AD as well. But the person who was in charge of the Exchange Server earlier told me that. He tried to install the generated certificate through IIS. I can see the certificate in the personal folder. But it says that the certificate is corrupted and the digital signature is invalid. Now even when I copy the certificate to the HUBCAS server (originally from where the request was generated) I get that invalid digital signature on opening it.

(in reply to mohammed.yusuf)
Post #: 5
RE: Exchange 2007 certificate. - 10.May2013 6:19:55 AM   
mohammed.yusuf

 

Posts: 96
Joined: 28.Sep.2011
From: Lancashire
Status: offline
How did you get the certificate? Did you copy and paste from the CSR in your IIS, or did you get a 3rd party certificate?

(in reply to Gunnerrav)
Post #: 6
RE: Exchange 2007 certificate. - 10.May2013 6:23:15 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
I went to the management shell of the HUBCAS server, generated a CSR and copied that to the third party's website. They generated a certificate corresponding to the CSR, which I downloaded onto my computer.

(in reply to mohammed.yusuf)
Post #: 7
RE: Exchange 2007 certificate. - 10.May2013 6:52:47 AM   
mohammed.yusuf

 

Posts: 96
Joined: 28.Sep.2011
From: Lancashire
Status: offline
After your SSL request is vetted and issued, download and install all the provided files. You must install all of the files on your Microsoft® Exchange Server 2007 to complete installation.
Before you begin, make sure you are logged in to your server as Administrator.
From the Start menu, click Run...
Type mmc and click OK. The Microsoft Management Console (Console) window opens.
From the File menu, click Add/Remove Snap In.
Select Certificates, and then click Add.
Select Computer Account, and then click Next.
Select Local Computer, and then click Finish.
Click OK to close Add or Remove Snap-ins.
In the Console window, expand the Certificates folder.
Right-click Intermediate Certification Authorities, mouse-over All Tasks, and then click Import.
In the Certificate Import Wizard, click Next.
Click Browse to find the certificate file.
In the bottom right corner, change the file extension filter to PKCS #7 Certificates (*.spc;*.p7b).
Select your certificate file, and then click Open.
Click Next.
Select Place all certificates in the following store.
Click Browse, select Intermediate Certification Authorities, and then click Next.
Click Finish.
From the Start menu, select Microsoft Exchange Server 2007, and then click Exchange Management Shell.
At the prompt, type the following to import the certificate:
Import-ExchangeCertificate -Path C:\CertificateFile.crt
NOTE: Replace CertificateFile.crt with the complete path and file name of your certificate.

If the output of this command doesn't copy the thumbprint of the certificate, then you must copy it manually for use in the next step.
Type the following command to enable the certificate:
Enable-ExchangeCertificate -Thumbprint paste_thumbprint_here -Services "SMTP, IMAP, IIS"
Please remember to paste the thumbprint in place of paste_thumbprint_here. Specify the services this certificate covers, using quotes. Valid service identifiers are SMTP, POP, IMAP, UM, and IIS. Do not enable services that are not in use.
Your Exchange certificate is installed; exit from EMS.

(in reply to Gunnerrav)
Post #: 8
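
Added example, not part of any post in this thread: a PowerShell check to run on the server where the CSR was generated, before Import-ExchangeCertificate. It tests whether the file from the CA carries the same public key as a pending request or existing certificate on this machine, and whether Windows can build its chain. Test-IssuedCertificate is a hypothetical helper name; C:\CertificateFile.crt is the placeholder path from the post above.

```powershell
# Added example. Test-IssuedCertificate is a hypothetical helper, not an Exchange cmdlet.
function Test-IssuedCertificate {
    param([string]$Path)   # certificate file received from the CA

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $key  = $cert.GetPublicKeyString()
    $lm   = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $ro   = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly

    # 1. Look for the same public key on this machine.
    #    REQUEST = pending certificate requests, My = the Personal store.
    $found = @()
    foreach ($name in 'REQUEST', 'My') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $name, $lm
        $store.Open($ro)
        foreach ($c in $store.Certificates) {
            if ($c.GetPublicKeyString() -eq $key) {
                $found += "$name $($c.Thumbprint) HasPrivateKey=$($c.HasPrivateKey)"
            }
        }
        $store.Close()
    }

    # 2. Build the chain with the certificates currently installed.
    #    Revocation is skipped so the check also works without internet access.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)" })

    # Reading the result:
    #   KeyMatches empty            -> no request or key on this server belongs to this file
    #   PartialChain in problems    -> an intermediate CA certificate is not installed
    #   NotSignatureValid           -> the file's signature does not verify against its issuer
    @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        KeyMatches    = $found
        ChainValid    = $chainOk
        ChainProblems = $problems
    }
}

# Usage (path is the placeholder used in the post above):
# Test-IssuedCertificate -Path 'C:\CertificateFile.crt'
```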
RE: Exchange 2007 certificate. - 10.May2013 8:46:55 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
Thanks for your help. Highly appreciated.

I tried to install the certificate on IIS, which didn't work out very well. But now when I copy the cert onto the server it tells me the digital signature is invalid and the chain is broken.

(in reply to mohammed.yusuf)
Post #: 9
RE: Exchange 2007 certificate. - 10.May2013 8:52:37 AM   
mohammed.yusuf

 

Posts: 96
Joined: 28.Sep.2011
From: Lancashire
Status: offline
Did you import the certificate in MMC as PKCS #7 Certificates (*.spc;*.p7b)? You need to make sure the private key and public keys are mathematically correct. I am not sure if you are using a 3rd party. It seems to me to be a self-signed certificate problem. But I can tell you why this error comes up.
You need to import the certificate in MMC as I mentioned previously.

< Message edited by mohammed.yusuf -- 10.May2013 8:58:17 AM >

(in reply to Gunnerrav)
Post #: 10
RE: Exchange 2007 certificate. - 11.May2013 2:20:00 AM   
Gunnerrav

 

Posts: 10
Joined: 10.May2013
Status: offline
Actually the certificate we have from the CA is X509; it has the .cer extension. So do I convert it to PKCS? I see the certificate imported to the personal folder.

(in reply to mohammed.yusuf)
Post #: 11
