Exchange Server 2010, like its predecessor Exchange Server 2007, makes heavy use of SSL certificates for various communications protocols. When you install a new Exchange server it comes pre-configured with a self-signed certificate. Before putting a new server into production you should create and assign a new SSL cert for the server.
In this example an SSL cert is being configured for the contoso.local organization.
Generate a New Exchange Server 2010 Certificate
In the Exchange Management Console navigate to Server Configuration. Right-click the server and choose New Exchange Certificate.

Enter a friendly name for the new cert. In this example I have named it “Contoso Exchange Server”.

Although wildcard certificates are supported in Exchange Server 2010, it is recommended to use a SAN (Subject Alternative Name) certificate instead.

Next we can configure the names for each of the Exchange 2010 services that are secured with the SSL certificate.
First is the Outlook Web App service. Enter the internal and external names of Outlook Web App. In this example I am using “ex2010.contoso.local” for internal, and “mail.contoso.local” for external.

Next configure the ActiveSync domain name. For ease of administration and configuration I am using the same name as for Outlook Web App.

Next are the Web Services, Outlook Anywhere and Autodiscover names. Once again I am using the same name of “mail.contoso.local”. For Autodiscover the additional names of “autodiscover.contoso.local” and “autodiscover.xyzimports.local” are also configured, for each of the accepted email domains in this example organization.

The Hub Transport server also requires SSL for secure SMTP communications. In this example I am using the name “mail.contoso.local”.

A legacy name for co-existence is required if you are planning to gradually transition services and data from Exchange 2003 to Exchange 2010. Configure legacy names for each of the namespaces in the organization, in this example “legacy.contoso.local” and “legacy.xyzimports.local”.

When all of the services have been configured proceed to the next step of the New Exchange Certificate wizard.
Confirm that all of the required names have been included in the cert request. You can add any additional names at this stage before proceeding.

Next configure the organization and location information for the certificate, and choose a location to generate the request file.

When you have finished filling out the wizard click the New button to generate the cert request file.

Confirm that the request file was successfully generated.

You will notice that the wizard makes a recommendation as to the type of certificate that is required for your Exchange organization. In most cases a “Unified Communications certificate” will be necessary, which is basically another name for a SAN certificate.

Although you can issue the certificate from a private Certificate Authority it is recommended to use a commercial Certificate Authority such as Digicert.
After you have acquired the new certificate return to the Exchange Management Console, navigate to Server Configuration, right-click the server and choose Complete Pending Request.

Browse to the location of the file you downloaded from the CA and complete the wizard. Confirm that the new SSL certificate was imported successfully.

The new certificate now appears in the list of valid certificates for the server.
Assign the New Certificate to Exchange Server 2010
With the valid SSL certificate installed it is now time to assign it to the Exchange Server 2010 services. Right-click the new certificate and choose “Assign Services to Certificate”.

Choose the new Exchange server and click the Next button.

Choose the services to assign to the certificate. In this example the IIS and SMTP services are being assigned.

Complete the wizard to assign the services to the new SSL certificate. You will be prompted to overwrite the existing self-signed certificate, so choose Yes to that prompt.
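The wizard steps above map directly onto three Exchange Management Shell cmdlets. The following is an added example (not code from the original article) that performs the same request, completion and service assignment from the shell, using the article's contoso.local names; the subject's organization and country fields, the file paths and the assumption that the CA returns a DER/base64 .cer file are mine. Enabling a certificate for IIS replaces the previous IIS binding, which is why the wizard asks to overwrite the self-signed certificate.

```powershell
# Added example (not from the original article): the same certificate lifecycle
# as the wizard walkthrough, run in the Exchange Management Shell on the server.
# Names are the article's contoso.local examples; file paths and the
# organization/location fields are assumptions.

# 1. Generate the request. Every name a client will connect to over SSL goes in
#    -DomainName; these become the Subject Alternative Name entries.
$names = @(
    'mail.contoso.local',            # OWA external, ActiveSync, EWS, Outlook Anywhere, SMTP
    'ex2010.contoso.local',          # OWA internal
    'autodiscover.contoso.local',    # one Autodiscover name per accepted SMTP domain
    'autodiscover.xyzimports.local',
    'legacy.contoso.local',          # only needed for Exchange 2003 coexistence
    'legacy.xyzimports.local'
)

$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Contoso Exchange Server' `
    -SubjectName 'C=US, O=Contoso, CN=mail.contoso.local' `
    -DomainName $names `
    -PrivateKeyExportable $true   # needed if the cert must later be copied to a second CAS/NLB node

# Write the base64 request to a file and submit that file to the CA.
Set-Content -Path 'C:\CertRequests\contoso-exchange.req' -Value $request

# 2. When the CA returns the signed certificate, complete the pending request.
#    -FileData expects the raw bytes of the .cer file.
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path 'C:\CertRequests\contoso-exchange.cer' -Encoding Byte -ReadCount 0))

# 3. Bind the services. -Force suppresses the "overwrite the existing
#    self-signed certificate?" prompt that the wizard shows for IIS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 4. Verify: IIS and SMTP should now appear under Services, IsSelfSigned should
#    be False, and every expected name should be listed in CertificateDomains.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName,Subject,CertificateDomains,Services,IsSelfSigned,NotAfter,Thumbprint
```

The final Get-ExchangeCertificate check is the one worth keeping: a missing name in CertificateDomains is the usual cause of the Outlook certificate-warning prompts discussed later on this page, and it is cheaper to spot before the certificate is bound than after users start calling.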

It's a very nice tutorial, but how can I create a certificate for the NLB cluster name?
Hi Faisal, same process as above, but you also include the DNS name of the NLB cluster in the SAN certificate.
Once you’ve installed the certificate on one of the NLB cluster members you can then export it using the Certificates snap-in in MMC, copy it over to the other server, import it and then enable it for IIS on that server as well.
The export/import process is demonstrated here (well, it's for 2010->2003, but you should be able to work it out from that):
http://exchangeserverpro.com/export-an-exchange-server-2010-certificate-to-exchange-2003
I have two self-signed certificates in Exchange 2010 as follows:
Name                   Self Signed   Services               Issuer            Expiration Date
(not shown)            True          IMAP, POP, IIS, SMTP   CN=WMSvc-MAIL01   09/08/2020
“Microsoft Exchange”   True          SMTP                   CN=MAIL01         04/10/2015
How do I remove some services (i.e. SMTP or IIS) from the first certificate and assign IIS to the second certificate, “Microsoft Exchange”?
Secondly, can I make a backup of the certificates before playing with them, so that I could restore them in case any nonsense happens?
BTW, please don't confuse my question with the previous one, because my name is also Faisal.
Thank you
Faisal Khan
Faisal, when you use Enable-ExchangeCertificate to enable one for IIS it will automatically remove IIS from the other certificate’s uses. You can also do it via the Management Console if you prefer it that way.
You can export certificates but it shouldn’t be necessary if all you are doing is enabling them for services.
Thanks Paul, much appreciated.
Q1. How do I achieve this via the console? Please hint.
Meanwhile, what I did is I requested a certificate from my local CA (from my first DC, http://DC01/certsvr). This appears in the Exchange console as False under Self Signed. Is this okay? This is not from a third party though!
Q2. As long as I am not getting a proper certificate from a third party, which I will do soon, would it be alright to use this certificate, or do you think I should get a self-signed certificate instead?
My existing self-signed certificates in Exchange are messed up, because Outlook 2007 clients have started getting a certificate YES/NO message each time they open Outlook 2007 since I assigned some services (maybe IIS or other, not sure!) to this certificate. But after requesting and installing a cert from DC01/certsvr this problem has been resolved.
Q3. Now my BIGGER concern is the iPhone. This bloody iPhone/iPad can't seem to connect to Exchange on ActiveSync.
Many Many Thanks
Q1 – See this article for instructions.
http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services
Self-signed “False” just means that it came from a CA (either private or commercial), instead of being self-generated by the Exchange server.
Q2 – I think a CA-issued cert is better than a self-signed cert, but obviously getting one from a commercial CA is better than a private CA.
Yes I would expect certificate warnings when using a self-signed certificate, and the private CA-issued one would solve that for domain members, but not for non-domain members (eg people connecting from home to OWA, or mobile devices).
Here is an article I wrote about it all:
http://www.petri.co.il/ssl-exchange-certificate-buying-commercial.htm
Q3 – You can use the website https://www.testexchangeconnectivity.com/ to test ActiveSync to see if it is just an iPhone bug or something else with your configuration.
When using certificates from a private CA you’ll need to check the box to ignore trust for SSL when running the test.
Hope that all helps.
Thank you so much Paul. I am moving forward now. Every problem of mine is resolved for the moment, touch wood. As a summary I am writing down all of the Exchange problems I had last week and their solutions, which were obviously suggested by you:
1. Outlook 2007 started displaying a certificate message each time you open it up or when you click on Send/Receive. This problem was resolved by using a SAN entry of autodiscover.my-local-domainname.local in the certificate.
2. iPhone was not able to ActiveSync with Exchange. Problem resolved after finding out that the user should have inheritance permissions in AD (open ADUC > right-click user > Properties > Security > Advanced) and select inheritance. If you can't find the Security tab then you need to enable Advanced view from the top menu.
Thanks Paul for your last tip to ignore SSL in the case of using a private CA. This proved to be a cracking shot.
Best Regards
Faisal Khan
I already have a wildcard cert for my entire organization, which is used for not only our external web servers but also for OWA access in 2003. I’m having difficulty finding technical information on using the cert when moving to Exchange 2010. Can you point me to any resources?
Kim, wildcards are supported by Exchange 2010 but not all browsers and mobile devices will support them (mostly older ones though). A wildcard is also less secure in some ways than a SAN cert, but I’ve never met anyone who worries about that.
Most of our customers go with a new SAN certificate at the time of deployment which is the best outcome.
Man, these articles ROCK!!! Thanks!!!!
Paul, what should I do on Exchange 2010 and on the client to get Outlook Anywhere going? Do I need to allow any port on the firewall as well? Please advise.
Thank you
Faisal
Faisal, I decided to write a new tutorial to answer your question. You can check it out here:
http://exchangeserverpro.com/how-to-configure-exchange-server-2010-outlook-anywhere
Thanks….
Hi, thanks for the article. I have Exchange 2010 running. Is it risk-free to assign services to the new certificate? Does this affect existing connected users from the LAN?
I would schedule it for outside of business hours in case there are any problems from the change.
Hello,
We have Exchange 2010 SP1 with two CAS/HUB servers in CASArray and two MailBox Servers with DAG enabled.
Question 1:
For CAS array I am using outlook.domain.local (DNS Record) and I am going to buy a SAN certificate from digicert.com, please see names that I am going to include in this certificate and please correct me if I am wrong:
Outlook.domain.local (internal NLB for Client access array)
Ep-cas01.domain.local (for outlookanywhere)
Ep-cas02.domain.local (for outlookanywhere)
Webmail.domain.com (OWA,POP3,SMTP)
Autodiscover.domain.com (for autodiscover)
domain.com
Question 2:
We already have regular (not SAN) SSL Certificate for webmail.domain.com. Can we assign this certificate for IIS,POP and SMTP services instead of buying SAN Certificate.
Thank you
Alex, check with the certificate provider whether they will issue you a cert for a .local name. I think not all of them will.
Hello Paul,
Thanks for the quick response.
My Exchange 2010 SP1 environment contained following servers:
Ep-cas01.domain.local
Ep-cas02.domain.local
CAS Array for these CAS servers is “outlook.domain.local”, and two mailbox servers with DAG
For OWA we are using “webmail.domain.com”
DigiCert and VeriSign allow the use of “.local” domain names, and they suggest adding NetBIOS names to the certificate as well. (http://www.digicert.com/ssl-support/exchange-2010-san-names.htm)
http://www.digicert.com/unified-communications-ssl-tls.htm
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/san-ssl-certificates/index.html
Could you please advise me what names I have to put into certificate:
Outlook.domain.local
Ep-cas01.domain.local
Ep-cas02.domain.local
Webmail.domain.com
Autodiscover.domain.com
Autodiscover.domain.local
Should I add the NetBIOS name of my Exchange server(s) to the certificate?
Thank you
Alex
Hi,
Should I add autodiscover for internal and external domain in my SAN Certificate?
For example:
autodiscover.domain.com
and
autodiscover.domain.local
Or I can add only one to the certificate?
Thank you
You would need an autodiscover name for each SMTP namespace in your organization. You can have more than one autodiscover name on a SAN certificate.
I created the new certificate request, but it’s just sitting there. How do I get it to become a .cer?
Matt, the next step explained in the article is to submit the certificate request to a Certificate Authority who will then issue you the SSL certificate. The suggested CA in the article is Digicert.
After creating and adding the SSL cert to the CAS Exchange 2010 server, the current remote users' Outlook Exchange proxy settings URL is https://exchange2003.domain.com. Can this Outlook setting stay the same until the mailbox has been moved from Exchange 2003 to 2010? If not, is there a script or something that can change it without the users knowing about the change? Also, the same question for internal users whose Outlook profile points to exchange2003 vs exchange2010 until the mailbox has been moved?
Thank you.
Hi Alan, they can keep using the same name. In fact you can transition that name across to Exchange 2010 if you wanted to. See here for details about migrating Client Access services from 2003 to 2010.
http://technet.microsoft.com/en-us/library/ee332348.aspx
Internal users will have the Exchange 2003 server name in their Outlook profile until you move them to a 2010 mailbox server, and the profile will automatically update to the new server name (of the CAS that is the RPCClientAccessServer for their mailbox database) at that time.
Hi,
We experienced the same issue with Exchange 2010 and Outlook 2010.
We decided to import the self-signed certificate into a GPO (Trusted Root Certification Authorities). The thing is, this works for a mailbox user who is in fact a Domain Admin, but a regular user still gets the certificate warning message. Something to do with rights?
Any suggestions?
Thank you!
Hi Timothy, it should work fine for regular users too. Are you sure your GPO change is applied to the users? i.e. not filtered out in some way; have they run gpupdate? Check RSOP and make sure it is applying. That's where I would start looking.
Hi Paul,
There was something else that was causing this. The normal users have proxy enabled and the domain admin doesn’t. I put the “https://” in the bypass proxy and the problem is now solved.
Thank you for the quick response!
Hi Paul
Is there any way to configure separate certificates for internal and external names?
Could it be a security issue showing those internal names on public certificates?
Thx!!!
If you’re using ISA or TMG to publish Exchange externally you could get a second certificate that doesn’t have the internal names in it. But then of course that costs you basically twice as much.
Consider also that your internal names might be exposed already through the headers in emails unless you made some config changes to hide them.
Knowing your internal server names is not much help to someone unless they can break into your network anyway. And once they're in, discovering names is pretty easy.
Thx Paul
I was thinking about separate sites for internal and external Exchange access, one using only internal names and the other one using external names. So it would only be necessary to buy the external one; the other could be auto-generated by the corporate CA. But I don't know if it's possible to configure separate IIS sites to work with Exchange.
However, with your comments regarding security, this (im)possible solution appears to be unnecessary.
Thx for the quick response!!
If you’re publishing via ISA/TMG there is no need for multiple sites (or virtual directories), unless you need different authentication settings between them.
If you’re publishing Exchange directly through a firewall (ie without ISA/TMG) and you want to use different sites/virtual directories to bind different SSL certs to, then yes I guess that would achieve what you’re trying to achieve.
And yes you can just use the internal CA to issue the cert for internal use.
All up to you really.
Hi Paul,
Is it safe to remove the pre-configured self-signed certificate that Exchange 2010 created? I have a new SAN certificate from DigiCert and have assigned the IIS service to use it. My SMTP, IMAP, and POP are still using the self-signed certificate. Should I assign all these services to use the SAN certificate from DigiCert and remove the self-signed one? Please let me know.
Thanks,
Kevin
I usually just leave it alone.
Hi Paul.
I have just implemented a SAN certificate, and run into problems with Outlook 2010.
I have the following subject:
remote.domain.local
Subject Alternative name:
remote.domain.local
autodiscover.domain.local
autodiscover.domain.no
exchange-server.domain.local
Autodiscover works fine, but when I try to start Outlook, it prompts for username and password, and I never get connected.
I first had not implemented exchange-server.domain.local as a Subject Alternative Name, and then Outlook 2010 worked, but complained about the missing value. After adding exchange-server.domain.local everything looked fine, no errors, until the first reboot, but then I was prompted for username and password.
OWA works fine.
Any bright ideas?
Ulf
It is possible your Outlook clients are making a HTTP connection via Outlook Anywhere, and Outlook Anywhere is configured for Basic Authentication.
Wow. I had local users getting server cert errors on Outlook launch for weeks. Thank you so much. That was easy as pie. Even easier than pie. Many thank yous!!
Why is it recommended that you use a SAN certificate? And what problems might you expect when using a wildcard certificate?
Just check that all of the browsers and mobile devices you’re expecting will be connecting to Exchange support wildcards. Some don’t, but it is mostly older ones.
Thanks for the info, we only use new browsers and recent android. So this shouldn’t be a problem.
Do you know of any problems with Outlook 2010 and a wildcard certificate? Because I could only find some articles about Outlook 2010.
I’ve used a wildcard in my lab with Outlook 2010 and didn’t notice any problems. All prod environments I work with use SAN certs though, so I haven’t had the opportunity to really test wildcards in the real world.
Hi Paul,
I am in the process of migrating from Exchange 2003 to 2010. I have one Exchange 2010 server installed so far and only a few users on it yet. I wanted to get the certificates on before I deploy it, so I went through the wizard and selected pretty much what you show in your example, but when I submitted my request to Geotrust to get a certificate it was mapped to my domain name only (example: domainname.edu) and not my mail server name or my external link name (example: mail.domainname.edu). When I completed the pending request in Exchange the cert was applied but nothing worked right; I got errors on my OWA accounts and on my desktops. I did not use the wildcard option in the wizard. I even tried resubmitting the cert with the external mail link name, thinking that only the people accessing email through the web or ActiveSync/IMAP users were using the certificate. That made the OWA users happy but not the desktops; they continue to pop up a certificate warning every time I open Outlook 2010.
Any idea what I am doing wrong? It seems pretty straightforward.
Hi Sylvia, what type of certificate did you order from them?
We buy a bulk package of standard SSL certs – from Geotrust rapidSSL. I don’t think I can do a SAN cert using these certs. There is no option for anything except what pulls up from the request. No enterprise certs.
Yep, sounds like you’ve got just a standard/single-name cert there. Has to be a SAN cert for the multiple names to work. Looks like Geotrust refers to it as a UC/SAN cert on their sales pages:
http://www.geotrust.com/ssl/ssl-certificates-san-uc/
Hello,
For an Exchange 2010 SP1 environment with a CAS Array, should I add the CAS servers' NetBIOS names to the SAN certificate, or can I add only the CAS servers' FQDNs?
Thank you
It depends, do any of your users access OWA internally by entering the short name of the server? If not then just the FQDN should be fine.
Thanks for reply.
All internal and external users will use external URL for OWA (https://webmail.domain.com/owa).
In that case I should add only FQDNs of my CAS (cas1.domain.local and cas2.domain.local) server and virtual CAS Array (casarray.domain.local) name to the certificate + webmail.domain.com + autodiscover.domain.com and autodiscover.domain.local.
Am I right?
Thank you
Sorry about the delay on replies. Your CAS Array name may not need to go into the SAN cert, it depends if clients will be making SSL connections specifically to that name. But there is no harm in adding it.
We have spoken with Microsoft about this and they told us the following:
FQDNs of servers with all roles on them (CAS, MBX, HUB) should be included in the certificate. If you use a CAS array, only the CAS array FQDN should be in the certificate; you do not need to include FQDNs or NetBIOS names of CAS array member servers in the SAN certificate. Autodiscover for the internal and external domains should be in the certificate. All OWA names should be in the certificate.
Thanks
I’ve had advice that goes both ways on that one (CAS Array name). Seems to hinge on whether the CAS Array name is also the same DNS name as services such as OWA.
Hi,
Can we use Active Directory Certificate Services (Windows Server 2008 R2) for Exchange 2010 client connectivity?
Thanks
UNAIS
I have installed the SAN certificate on both CAS servers. I did not include the names of the CAS servers or the array on the certificate. I am getting a certificate error on OWA. Any way to get around this?
Depends on the error you’re getting. But I would guess, without knowing all the details of your situation, that reissuing the certificate with the correct server names included in it would be a start.
Great article!
BUT is this all done automatically when we use the trusted certificate wizard in the SBS 2011 console?
I'm having trouble accessing RWA outside the network, plus ActiveSync ain't working for mobile devices either.
SSL looks fine from inside the browser on the network though!
SBS is, as always, a little bit special.
Your internal, domain-joined clients will trust the certificate that SBS creates, but external non-domain joined clients (and things like smartphones) will not.
There is usually a little cert installer package you can download from your SBS server to deploy to non-domain joined clients so that they trust the cert. Also ActiveSync phones usually have an option to ignore SSL certificate trust problems.
I understand that but even after installing a trusted cert, we cannot access anything outside the network. I even installed a cert on my iPhone but still it won’t connect outside the network.
When I run an Exchange ActiveSync scan I get this error:
Testing the SSL certificate to make sure it’s valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server remote.burningdesirewales.co.uk on port 443.
ExRCA wasn’t able to obtain the remote SSL certificate.
Additional Details
The certificate couldn’t be validated because SSL negotiation wasn’t successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Is this a certificate problem? If so would installing a certificate the way you have solve my problem?
Regards
Mat
Looks like some other firewall or server issue going on there.
I have been able to generate and import the certificate on my first CAS server (the one where I issued the request). But somehow I'm unable to import the cert onto the second CAS node. I can't export the cert from node1 with the private key because it's a DigiCert-issued certificate.
How can I enable the cert on the 2nd node? The FQDN’s of both CAS hosts and CAS array name are correctly listed in the cert.
I’m at a loss here
I’d suggest contacting Digicert support. I’ve exported/imported their certs before.
Good afternoon Paul,
I have a question about the certificate. I have a machine running exchange 2010 and already has certificate.
I’m upgrading my accounts to a new server. Can I install the new certificate after the migration of mailbox?
Thank you.
What roles is the new server running? If it is just the Mailbox server role then no cert is necessary. If it is running the CAS/HT roles then a new cert will be necessary, and I always configure things like certificates before putting a server into production.
Paul –
I have a strange predicament. I have inherited a domain with an internal name ending with .gov. The external name is slightly different due to restrictions. I want to create a SAN cert with internal and external domain names as required, but the cert authority informs me I need to register my internal name as it is an external designation. The problem is the governing board for .gov names will not allow us to register it as it is not the format they allow, even though it is for our internal use. Our AD is 2008 R2 but too large for a domain rename (the thought makes me shudder); besides, I think Exchange is one of the apps that is not compatible with it. My question is: can I have two certificates assigned to my CAS array, the commercial SSL cert for external users and an internal self-signed certificate for my internal clients? Will Outlook autoconnect work properly?
Thanks in advance.
John
Paul –
Are there any comments you can provide on my situation? Greatly appreciated.
Thanks.
John
Yes you can use a mix of certificates issued by private and public CAs.
Use the privately issued certs on your internal servers, including the external name on the internet-facing CA servers as well.
Then request a separate cert from the public CA for the external name(s) and bind that cert to your ISA Server listener.
Why are emails being queued on Exchange Server 2003 when sending to Exchange 2010?
Dear Paul,
I have created two certificates in CAS and I need to remove one. Please can you help me by providing the steps…
Hi Paul,
Recently I installed a SAN certificate on my Exchange servers. On the 1st everything went fine, but on the second server, when I enabled the Exchange certificate, it gave me the error below:
This certificate will not be used for external TLS connections with an FQDN of ‘mail1.X.X.COM’ because the self-signed certificate with thumbprint ‘AAA-THUMBPRINT-AAAAAAA’ takes precedence.
Now on the second server I see a red mark on the certificate.
I have all the names, external and internal, on the SAN certificate.
Please could you let me know if this would create any problems on my Exchange servers?
I’d just unassign the certificate that you don’t want to use from SMTP.
In OWA 2010, after logging in, when I click on the New button or any other buttons nothing happens. I am unable to create a reply or delete any messages. However, if I access OWA directly from the server everything works fine.
Any idea why it fails in OWA?
Thanks in Advance
Dan
Is your browser blocking popups?
I uninstalled and reinstalled the certificate on the 2nd server and everything looks fine now. I am able to access OWA without any issues.
Thanks Paul