Installing an SSL Certificate – Exchange Server 2007

Generating Your Certificate

When generating a UCC CSR, you must provide the country, city, state, company name, and the additional domains that you want included in the resulting UC certificate. The following is an example of the command you would enter in the Exchange Management Shell:

New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=Your Country, l=Your Locality/City, s=Your State, o=Your Corporation Name, cn=YourMainDomain.com" -domainname SubjectAlternativeName1, SubjectAltName2, SubjectAltName3, SubjectAltName4 -PrivateKeyExportable $true -path c:\certrequest.txt

Where:

c
— Two-letter country code of your organization’s country of residence

l
— Full name of your organization’s locality or city

s
— Full name of your organization’s state or province

o
— Your organization’s legally registered name (company or person’s first and last name)

cn
— The first/main Fully Qualified Domain Name (FQDN) to be secured that will always be visible in the certificate details

-domainname
— The comma-separated list of additional domains that will be included in your certificate and referred to as Subject Alternative Names (SANs).

  • The SAN field is not exposed through Exchange directly. You can view it only in Certificate Manager in MMC or through the Internet Information Services (IIS) Manager. Certificates bound to a website, such as those used by IIS for Outlook® Web Access, Exchange ActiveSync®, or Autodiscover, are also viewable in IIS Manager.
  • SANs do not need to be fully qualified domain names. For example, if your intranet needs short host names such as cool or example covered, you can add them as SANs. You need to know how your server is configured, however, to secure everything properly.

NOTE: The -domainname parameter does not have to be supplied when you generate the CSR. Our SSL Management console allows you to manage the SANs without generating a new CSR each time you want to add or remove a SAN.

-PrivateKeyExportable $true
— If you have to export a copy of the requested certificate to import it to a client computer or another server computer, you must use the -PrivateKeyExportable $true parameter when you create the request.

-path c:\certrequest.txt
— The complete path and file name where the resulting CSR file will be placed when generated

Installing Your Certificate

After your SSL request is vetted and your certificate is issued, download and install all the provided files. You must install all of the files on your Microsoft® Exchange Server 2007 to complete installation. For more information see Downloading an SSL Certificate.

Before you begin, make sure you are logged in to your server as Administrator.

To run multiple services securely, such as SMTP, POP, IMAP, UM, and IIS, you must use a Multiple Domain (UCC) Certificate.

  1. From the Start menu, click Run...
  2. Type mmc and click OK. The Microsoft Management Console (Console) window opens.
  3. From the File menu, click Add/Remove Snap In.
  4. Select Certificates, and then click Add.
  5. Select Computer Account, and then click Next.
  6. Select Local Computer, and then click Finish.
  7. Click OK to close Add or Remove Snap-ins.
  8. In the Console window, expand the Certificates folder.
  9. Right-click Intermediate Certification Authorities, mouse-over All Tasks, and then click Import.
  10. In the Certificate Import Wizard, click Next.
  11. Click Browse to find the certificate file.
  12. In the bottom right corner, change the file extension filter to PKCS #7 Certificates (*.spc;*.p7b).
  13. Select your certificate file, and then click Open.
  14. Click Next.
  15. Select Place all certificates in the following store.
  16. Click Browse, select Intermediate Certification Authorities, and then click Next.
  17. Click Finish.
  18. From the Start menu, select Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  19. At the prompt, type the following to import the certificate:
    Import-ExchangeCertificate -Path C:\CertificateFile.crt

    NOTE: Replace CertificateFile.crt with the complete path and file name of your certificate.

  20. Copy the thumbprint of the certificate.
  21. Type the following to enable the certificate:
    Enable-ExchangeCertificate -Thumbprint paste_thumbprint_here -Services "SMTP, IMAP, IIS"

    NOTE: Paste the thumbprint in place of paste_thumbprint_here. Specify the services this certificate covers, using quotes. Valid service identifiers are SMTP, POP, IMAP, UM, and IIS. Do not enable services that are not in use.

  22. Close the Exchange Management Shell window.
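
Steps 19 to 21 can also be scripted so that the certificate is checked before any service is bound to it. The following is an added example, not part of the original article: the path, host names and service list are placeholders, and the name check is an exact match that does not expand wildcard entries.

```powershell
# Added example; run in the Exchange Management Shell as Administrator.
# Placeholder values (assumptions): adjust to your own certificate and server.
$certPath = 'C:\CertificateFile.crt'
$expected = 'YourMainDomain.com', 'SubjectAltName2'   # names clients connect to
$services = 'SMTP, IMAP, IIS'                          # only services actually in use

# Import-ExchangeCertificate returns the imported certificate object,
# so the thumbprint does not have to be copied by hand.
$cert = Import-ExchangeCertificate -Path $certPath

# The private key created with the CSR must still be on this server;
# without it the certificate cannot be used for TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Every name clients use must appear in the subject/SAN list (exact match).
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @()
foreach ($name in $expected) {
    if ($covered -notcontains $name.ToLower()) { $missing += $name }
}
if ($missing.Count -gt 0) {
    throw ("Names not covered by the certificate: " + [string]::Join(', ', $missing))
}

# All checks passed: bind the certificate to the listed services only.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services

# Confirm what is now bound.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

If any check fails, the script stops before Enable-ExchangeCertificate runs, so the existing service bindings are left unchanged.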
