Sysadminsblog.com Anything for sysadmins!

2 Aug 2010

Generating a certificate request for Exchange

Certificates are quite important in your Exchange environment. Most of us will have a certificate server that is used to issue certificates for internal communications. If you have such a server and need to install or renew certificates, you will first have to create a certificate request. To do this, follow the steps below:

Make sure that you have a list of the alternate URLs that your certificate will be servicing, like: CAS array hostname, AutoDiscover hostname, webmail hostname, common server name, etc.

Do the following for all servers in your farm.

Using the Exchange Management Console

  1. Click on Server Configuration and select a server in the EMC
  2. Click on New Exchange Certificate
  3. Enter a friendly name for your certificate
  4. It's possible to use a wildcard certificate, but I don't recommend this as it loosens security internally quite a bit!
  5. Check all the options that apply to you. This generates a list that you'll be able to edit later when assigning the certificate to services. I've checked the following:
    1. Outlook Web App is on the Intranet
    2. Outlook Web App is on the Internet
    3. Exchange Active Sync is enabled
    4. Exchange Web Services is enabled
    5. Outlook Anywhere is enabled
    6. AutoDiscover is used on the internet (Long URL)
  6. Add all domains on your list in the certificate domains window
  7. Fill out all fields in the Organization and Location window, and also define a location for the request file

Using the Exchange Management Shell

Edit the following command and execute it in EMS:

New-ExchangeCertificate  -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName 'server1.domain.local','server2.domain.local','otherdnsname.domain.com'

You've now generated the certificate request file; time to generate the certificate itself.

  1. Go to the URL of your certificate server (http://<servername>/certsrv/) and log in.
  2. Click on Request a certificate
  3. Click on advanced certificate request
  4. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. Copy and paste the contents of the request file we generated earlier into the Base-64 encoded certificate request field
  6. Set the certificate template to Web Server (this option might not be available if you're using an account without the appropriate permissions)
  7. Click the submit button to have your request generated.

Download the certificate and import it into Exchange with the EMS or EMC (Import-ExchangeCertificate). After that you only have to assign the services to the certificate, and you're all done except for testing whether it works properly on all services.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Path\to\certnew.p7b" -Encoding byte -ReadCount 0)) -FriendlyName "Exchange Certificate Name you've entered with the creation"
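Before assigning services, it is worth checking that the imported certificate actually covers every hostname on the list from the beginning of this post. The following EMS script is an added example, not code from the original post: the server name, friendly name and hostnames are placeholders to replace with your own. It verifies the private key is present, that every required hostname matches a SAN entry (treating a wildcard as covering only one label, which is what clients do), and only then binds the certificate to IIS and SMTP.

```powershell
# Added example (not from the original post). Server, friendly name and hostnames
# are constructed placeholders; replace them with the values from your environment.
$Server        = 'SERVER1'
$FriendlyName  = "Exchange Certificate Name you've entered with the creation"
$RequiredHosts = @(
    'casarray.domain.local',      # CAS array hostname (internal)
    'autodiscover.domain.com',    # AutoDiscover hostname
    'webmail.domain.com',         # OWA / Outlook Anywhere hostname
    'server1.domain.local'        # common server name
)

# Does $Hostname match one SAN entry? A wildcard (*.domain.com) only covers one label
# below it: it matches webmail.domain.com but not a.b.domain.com.
function Test-SanMatch {
    param([string]$Hostname, [string]$SanEntry)
    if ($SanEntry -eq $Hostname) { return $true }          # -eq is case-insensitive
    if ($SanEntry.StartsWith('*.')) {
        $suffix = $SanEntry.Substring(1)                    # ".domain.com"
        $label  = $Hostname.Substring(0, [Math]::Max(0, $Hostname.Length - $suffix.Length))
        return ($Hostname.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $label.Length -gt 0 -and $label -notmatch '\.')
    }
    return $false
}

$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.FriendlyName -eq $FriendlyName }
if (-not $cert) { throw "No certificate named '$FriendlyName' found on $Server" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; import the .p7b on the server that generated the request"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Compare the hostnames we need against the SANs actually present in the certificate.
$sans    = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = $RequiredHosts | Where-Object {
    $h = $_; -not ($sans | Where-Object { Test-SanMatch -Hostname $h -SanEntry $_ })
}
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# Every hostname is covered: bind the certificate to the web services (OWA, EWS,
# ActiveSync, AutoDiscover, Outlook Anywhere) and SMTP, then show the result.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter
```

Run it on each server in the farm after the import; a thrown error means the request was generated with an incomplete domain list and should be redone rather than worked around.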