Certificates are quite important in your Exchange environment. Most of us will have a certificate server that will be used to generate certificates for internal communications. If you have such a server and have to install certificates or renew your certificates, you will have to create a certificate request. To do this you have follow the steps below:
Make sure that you have a list of the alternate URLs that your certificate will be servicing, like: CAS array hostname, AutoDiscover hostname, webmail hostname, common server name, etc.
Do the following for all servers in your farm.
Using the Exchange Management Console
- Click on Server Configuration and select a server in the EMC
- Click on New Exchange Certificate
- Enter a friendly name for your certificate
- It's possible to use a wildcard certificate, however I don't recommend this as it loosens the security internally quite a bit!
Check all the options that apply to you. This will generate a list that you'll able to edit later and assign the certificate to services. I've checked the following:
- Outlook Web App is on the Intranet
- Outlook Web App is on the Internet
- Exchange Active Sync is enabled
- Exchange Web Services is enabled
- Outlook Anywhere is enabled
- AutoDiscover is used on the internet (Long URL)
- Add all domains on your list in the certificate domains window
- Fill out all fields in the Organization and Location window also define a location for the request file
Using the Exchange Management Shell
Edit the following command and execute it in EMS:
New-ExchangeCertificate -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName 'server1.domain.local','server2.domain.local','otherdnsname.domain.com'
You've now generated the certificate request file time to generate the certificate itself.
- Go to the URL of your certificate server (http://<servername>/certsrv/) and log in.
- Click on Request a certificate
- Click on advanced certificate request
- Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
- Copy and paste the contents of the request file we generated earlier into the Base-64 encoded certificate request field
- Set the certificate template to Web Server (this option might not be available if you're using an account without the appropriate permissions)
- Click the submit button to have your request generated.
Download the certificate and import it in Exchange EMS or EMC (Import-ExchangeCertificate). You only have to assign the services to the certificate and you're all done except for testing if it works properly on all services.
Import-ExchangeCertificate -FileData ([Byte]$(Get-Content -Path "C:\Path\to\certnew.p7b" -Encoding byte -ReadCount 0)) -FriendlyName "Exchange Certificate Name you've entered with the creation"