
Exchange SSL Certs

  • 30-10-2009 12:11pm
    #1
    Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭


    Anybody here handy with these?
    Have a bit of a query on them in exchange 2007.


Comments

  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    Fire away...

    Will you be using a public cert or using internal from a Certificate Authority.


  • Closed Accounts Posts: 22 b1tch1n


    What is it that you want to know?


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Sorry guys, I've been off work sick this week. Basically the issue I was encountering is a mix of problems between Exchange 2007 autodiscover, OWA and publishing it using a new cert I had issued from RapidSSL.

    I don't really have enough details at hand to structure a question properly, but basically since I installed the new cert on the Default Website users have been getting an error regarding an invalid certificate; they can then accept it and move on, and it's only affecting those on Outlook 2007 (a small number of users).

    I'll give proper details tomorrow if I feel up to going in.

    Thanks


  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    From what I know about certificates in Exchange, they have to be added using the Exchange Management Shell command line tool.

    As you have the certificate already you will need to concentrate on
    Import-ExchangeCertificate
    and
    Enable-ExchangeCertificate

    First run Get-ExchangeCertificate
    This will list all certs on the Exchange server.

    Then run Import-ExchangeCertificate -Path c:\newcertificate.cer

    where newcertificate.cer is the cert you want to import.

    Then run
    Get-ExchangeCertificate again and compare with earlier.
    You need to get the thumbprint of the certificate (lots of random numbers and letters).

    Then run
    Enable-ExchangeCertificate -Thumbprint <<thumbprint of certificate>> -Services "IIS"

    So if your cert thumbprint is 1QAZ2WSX3EDC4RFV5TGB6YHN7UJM8IK9OLP08HF5
    then run
    Enable-ExchangeCertificate -Thumbprint 1QAZ2WSX3EDC4RFV5TGB6YHN7UJM8IK9OLP08HF5 -Services "IIS"

    This will then assign the certificate to IIS, which autodiscover uses.

    Hope that helps....
    Been in your position before, I know the pain ;-)
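
    The procedure above done in one Exchange Management Shell pass, as an added example that is not from this thread or from Microsoft's documentation. It finds the new thumbprint by diffing Get-ExchangeCertificate before and after the import instead of reading it by eye, and checks that the certificate actually covers the names Outlook will connect to before binding it to IIS. Assumed values: the file path C:\newcertificate.cer and the three hostnames listed in the script; the .cer is assumed to be the CA's reply to a request generated on this server, so the private key is already present (a certificate moved from another machine would need its .pfx and the -Password parameter instead).

```powershell
# Added example (not from the thread). Exchange 2007 Client Access server.
# Assumed: C:\newcertificate.cer is the CA's response to a request made on this box,
# and these are the names Outlook/Autodiscover will be pointed at.
$certFile      = 'C:\newcertificate.cer'
$requiredNames = @('mail.company123.com', 'autodiscover.company123.com', 'exchange.abc123.com')

# Snapshot the thumbprints that exist before the import.
$before = @(Get-ExchangeCertificate | Select-Object -ExpandProperty Thumbprint)

Import-ExchangeCertificate -Path $certFile | Out-Null

# Whatever is present now but was not before is the certificate we just imported.
$new = @(Get-ExchangeCertificate | Where-Object { $before -notcontains $_.Thumbprint })
if ($new.Count -eq 0) { throw "No new certificate appeared after import; check the file and the account's rights." }
if ($new.Count -gt 1) { throw "More than one new certificate appeared; inspect Get-ExchangeCertificate by hand." }
$cert = $new[0]

# CertificateDomains lists the CN plus every Subject Alternative Name on the cert.
# Any required name missing here is a name Outlook 2007 will keep warning about.
$missing = @($requiredNames | Where-Object { $cert.CertificateDomains -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate {0} does not cover: {1}" -f $cert.Thumbprint, ($missing -join ', '))
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has already expired." }

# Bind it to IIS (OWA, Autodiscover, EWS, ActiveSync). Add SMTP/POP/IMAP to -Services if those need it too.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS'

# Confirm what is now bound.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

    The name check is the part that matters for the Outlook 2007 prompt: a certificate can import and enable cleanly and still be rejected by clients if the hostname they use is not in its CN or SAN list.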


  • Closed Accounts Posts: 22 b1tch1n


    You're correct, it is done through the Management Shell. It is a straightforward process and if you are stuck a Google search will reveal it.


  • Closed Accounts Posts: 5,429 ✭✭✭testicle


    A RapidSSL cert probably won't do Exchange 2007. It needs to be what's known as a Unified Communications certificate, basically one that's good for the internal hostname (exchange.domain.local), the external hostname (exchange.domain.com) and the autodiscover hostname (autodiscover.domain.com).


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    testicle wrote: »
    A RapidSSL cert probably won't do Exchange 2007. It needs to be what's known as a Unified Communications certificate, basically one that's good for the internal hostname (exchange.domain.local), the external hostname (exchange.domain.com) and the autodiscover hostname (autodiscover.domain.com).

    I got onto the server for a while this evening and I think this is the problem I am experiencing. My internal hostname is exchange.jbloggs.local, my external hostname is mobile.joebloggsIrl.com and my autodiscover is now set at autodiscover.mobile.joebloggsIrl.com (but that was from my messing around).

    So you reckon a RapidSSL cert is no good in a situation like this?
    I've been off work sick for a while so will give myself the full day tomorrow to try and get this sorted.


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Hi, sorry for the delay but I'm back working on this now. I've found my exact issue on another forum but there is no answer to the question so I'm going to literally copy and paste the issue from there if that's ok:

    One of our customers has an Exchange 2007 server on their network with most of their PCs running Outlook 2007.
    Their internal domain name and external domain (to access Exchange) are different... and the internal domain is not owned by them...
    For example:
    internal exchange server name: exchange
    internal domain name: abc123.com
    FQDN for exchange (internal): exchange.abc123.com
    FQDN for exchange (external + OWA): mail.company123.com

    They own the company123.com website and domain name... but the internal domain name they do not; someone else owns it, and it's only used internally! Because of this, the SSL certificate they just recently purchased from comodo.com only supports the domain they own and therefore pops up a cert message every time someone opens up Outlook 2007 internally, because the internal domain is not in the SSL cert, only the external...

    Same thing with internal domains with the .local extension... to my knowledge SSL certs don't support those.... how do companies with different internal domain names from their external domain counterparts get these SSL certs to work?

    any advice, suggestions, input, etc. is appreciated....


  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    OK, I have "cheated" at this before ;-)

    In your internal DNS make a new zone for company123.com,
    add an A record for mail and set it to the internal IP address of your Exchange server.

    Then the name on the certificate is set to mail.company123.com.
    You will need to change the internal autodiscover address to
    https://mail.company123.com/autodiscover/autodiscover.xml


    Then when internal users with Outlook 2k7 secure the communications to the mail server it uses the name on the certificate, which for internal users points to the internal IP address...

    Alternatively you can add a Subject Alternate Name to the certificate which will be the internal FQDN of the mail server. The downside of this is that the certificate, which will be visible to all users, will show the internal FQDN of the mail server...
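
    The split-DNS arrangement and the SAN alternative described above, as an added example that is not the poster's own commands. It assumes a Windows DNS server that dnscmd can manage, a Client Access server named EXCHANGE at 192.168.1.10, the external name mail.company123.com and the internal name exchange.abc123.com from the quoted post; 203.0.113.10 is a constructed stand-in for the public www address. One caveat a practitioner wants here: once an internal zone for company123.com exists, internal resolvers answer every company123.com query from it and never ask the public name servers, so every public record internal users still need (www and the like) has to be copied into the internal zone too.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on a box
# that can also reach the internal Windows DNS server. Assumed names and addresses below.
$zone       = 'company123.com'      # public domain, reused as an internal zone
$internalIp = '192.168.1.10'        # internal address of the Exchange server
$casServer  = 'EXCHANGE'            # Client Access server name
$publicWww  = '203.0.113.10'        # constructed stand-in: copy the real value from the public zone

# 1. Split DNS: an internal, AD-integrated copy of the public zone.
#    Internal clients will now resolve *everything* under company123.com from here,
#    so public records they still need must be recreated (www shown as an example).
dnscmd /ZoneAdd $zone /DsPrimary
dnscmd /RecordAdd $zone mail A $internalIp
dnscmd /RecordAdd $zone autodiscover CNAME "mail.$zone."
dnscmd /RecordAdd $zone www A $publicWww

# 2. Make the URLs Exchange hands to domain-joined Outlook match the name on the certificate,
#    so the internal FQDN (exchange.abc123.com) never reaches the client.
Set-ClientAccessServer -Identity $casServer `
    -AutodiscoverServiceInternalUri "https://mail.$zone/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$casServer\EWS (Default Web Site)" `
    -InternalUrl "https://mail.$zone/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$casServer\OAB (Default Web Site)" `
    -InternalUrl "https://mail.$zone/OAB"

# 3. The alternative: a request for a certificate whose SANs cover every name clients use,
#    including the internal FQDN (which, as the post notes, then becomes visible to everyone).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.$zone" `
    -DomainName "mail.$zone", "autodiscover.$zone", 'exchange.abc123.com' `
    -PrivateKeyExportable $true `
    -Path 'C:\exchange-san.req'

# 4. Check what Outlook is actually told (Autodiscover, EWS, OAB URLs) from a test mailbox.
Test-OutlookWebServices | Format-List
```

    Step 1 and step 3 are the two routes the post offers; step 2 is needed with either of them, because Outlook 2007 warns about whatever hostname Autodiscover returns, not about the server's real name.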


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    sandleman1979 wrote: »
    OK, I have "cheated" at this before ;-)

    In your internal DNS make a new zone for company123.com,
    add an A record for mail and set it to the internal IP address of your Exchange server.

    Then the name on the certificate is set to mail.company123.com.
    You will need to change the internal autodiscover address to
    https://mail.company123.com/autodiscover/autodiscover.xml


    Then when internal users with Outlook 2k7 secure the communications to the mail server it uses the name on the certificate, which for internal users points to the internal IP address...

    Alternatively you can add a Subject Alternate Name to the certificate which will be the internal FQDN of the mail server. The downside of this is that the certificate, which will be visible to all users, will show the internal FQDN of the mail server...

    You're a good man.

    I've added the zone and i can access owa internally via the external address, so that's a start. I have to go off to a head wreck of a meeting now for a few hours but will test it fully later. Cheers for that.
    Have to go


  • Registered Users, Registered Users 2 Posts: 2,267 ✭✭✭kc66


    Hi,

    I don't want to barge in on someone else's thread, but hopefully the OP is sorted now, and I've got a similar problem.
    We have a local Exchange server. We want to connect 2 phones to Exchange using ActiveSync. We have a website externally hosted, domain.ie. We have a local domain, which has the Exchange server exch.domain.local.
    I configured an A record mail.domain.ie on our hosting company's control panel to point to our company's public IP address. Our firewall is forwarding port 443 to our Exchange server. So I'm not sure where we can go from here for an SSL cert. Is a SAN cert required or is there an alternative? Or is this the wrong way to go about it?

    Thanks in advance for any guidance.

    Edit: I think I got everything sorted with the cert. OWA working fine but Activesync getting "HTTP Error 503. The service is unavailable." Any ideas what might be wrong? In IIS AS is configured to require SSL and basic authentication.
    Edit2: Sorted that but now getting authentication failed.
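
    For the ActiveSync side of the question above, an added diagnostic example that is not from the thread: it reads back how the ActiveSync virtual directory is published, confirms the test mailbox is allowed to use ActiveSync, and then runs Exchange 2007 SP1's own synthetic sync against the external URL, which reports the failing stage rather than a bare HTTP code. Assumed names: the server EXCH, the external hostname mail.domain.ie and a test account domain\testuser.

```powershell
# Added example (not from the thread). Exchange 2007 SP1 Management Shell.
# Assumed: CAS named EXCH, external name mail.domain.ie, test user domain\testuser.
$casServer   = 'EXCH'
$externalUrl = 'https://mail.domain.ie/Microsoft-Server-ActiveSync'

# 1. How the ActiveSync virtual directory is published: the URLs Autodiscover hands to
#    phones and the authentication it expects (phones use Basic over SSL).
Get-ActiveSyncVirtualDirectory -Server $casServer |
    Format-List Name, InternalUrl, ExternalUrl, BasicAuthEnabled, WindowsAuthEnabled

# 2. A mailbox with ActiveSync disabled fails authentication-looking checks even with
#    a correct password, so confirm the protocol is enabled for the test user.
Get-CASMailbox -Identity 'testuser' | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 3. Synthetic sync from the server against the published URL with explicit credentials.
#    The Result/Error fields say whether it stopped at the certificate, at authentication,
#    or at the service itself.
$cred = Get-Credential 'domain\testuser'
Test-ActiveSyncConnectivity -URL $externalUrl -MailboxCredential $cred |
    Format-List Scenario, Result, Latency, Error
```

    Running the test from inside the network only proves the server side; the same URL should also be checked from outside, because the firewall forwarding on 443 and the public A record are the parts a phone depends on that the server cannot see.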


  • Closed Accounts Posts: 5,429 ✭✭✭testicle


    sandleman1979 wrote: »
    In your internal DNS make a new zone for company123.com add an A record for mail and set it to the internal IP address of your exchange server.

    How do you do this without breaking DNS internally for company123.com? Or do you need to copy the entire zone from the real authoritative NS servers?


  • Registered Users Posts: 247 ✭✭Cluster


    Itsdacraic wrote: »
    Anybody here handy with these?
    Have a bit of a query on them in exchange 2007.

    adding the SSL?

