How to Issue a SAN Certificate to Exchange Server 2010 from a Private Certificate Authority

Exchange Server 2010 uses SSL certificates to secure network communications between servers and clients.  An example of this is Outlook Web App (OWA), which uses HTTPS for users connecting via their web browser (eg https://webmail.company.com/owa).

Introduction to SAN Certificates for Exchange Server 2010

Traditionally an SSL certificate was issued for a single name (such as the webmail name above).  This is very limiting, because IIS binds one certificate to an IP address and port, so that binding can only accept SSL connections addressed to the one name on the certificate; a client that connects using any other name gets a certificate name-mismatch warning at best, and a hard failure in clients that do not prompt.

This became an issue for Exchange Server 2007 and 2010 because, depending on the server roles installed, the server may need to accept SSL connections to several different names, such as:

  • the server’s FQDN (eg ex3.exchangeserverpro.net)
  • webmail and other published names (eg webmail.exchangeserverpro.net, mail.exchangeserverpro.net, mobile.exchangeserverpro.net)
  • multiple DNS namespaces (eg autodiscover.exchangeserverpro.net, autodiscover.xyzimports.com)

Configuring multiple IP addresses, DNS records, IIS instances, and SSL certificates for all of the possible names in an Exchange organization would be tedious and expensive.

The X.509 certificate standard has catered for this for a long time now with an extension known as Subject Alternative Name (SAN).  A single SSL certificate is issued with a primary subject name plus a list of alternative names, and a client accepts it for a connection to any name in that list, so one certificate is valid for all of the names that clients and other servers will be connecting to.

SAN certificates are available from most commercial providers; however, some organizations choose to issue them from their own private certificate authority.  Windows Server 2008 Certificate Services supports SAN certificates by default, whereas a Windows Server 2003 CA requires the option to be manually enabled first, as described in the next section.

Enabling SAN Certificate Support for Windows Server 2003 Certificate Services

You can check an existing Windows Server 2003 CA for SAN support by using the certutil utility from a command prompt.

C:\>certutil -getreg policy\EditFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ca\Po
licyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.

If EDITF_ATTRIBUTESUBJECTALTNAME2 is not in the list of flags, enable it by running the following command.

C:\>certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ca\PolicyModules\Certifi
cateAuthority_MicrosoftDefault.Policy\EditFlags:

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

Next you must restart Certificate Services for the change to take effect.

C:\>net stop certsvc
The Certificate Services service is stopping.
The Certificate Services service was stopped successfully.

C:\>net start certsvc
The Certificate Services service is starting.
The Certificate Services service was started successfully.

The server is now ready to issue SAN certificates.

Be clear about what this flag does before leaving it in place.  With EDITF_ATTRIBUTESUBJECTALTNAME2 set, the policy module copies Subject Alternative Name values supplied as request attributes (the san:dns=... syntax) into the issued certificate, even on templates that otherwise build the subject from Active Directory.  On an enterprise CA that means any account with Enroll permission on any template can obtain a certificate for a host name, or a user principal name, that it does not own.  Treat the flag as a temporary setting: once the Exchange certificate has been issued, remove it with certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart Certificate Services again.
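The check above relies on reading certutil's text output by eye.  The following script is an added example, not part of the original article: it reads the policy module's EditFlags for the active CA directly from the registry, reports which named flags are set, and warns on the combination a practitioner should care about.  It assumes it runs on the CA server itself (Windows Server 2003 or 2008, PowerShell 2.0 or later) with read access to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc; the flag values are the ones certutil prints above.

```powershell
# Added example, not part of the original article. Reads the policy module's
# EditFlags for the active CA straight from the registry and reports which
# named flags are set, so EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000, the value
# shown in the certutil output above) can be audited from a script before and
# after the change. Assumption: runs on the CA server (Windows Server 2003 or
# 2008, PowerShell 2.0+) with read access to HKLM\...\Services\CertSvc.

# Flag names and values as listed by certutil on this page.
$EditFlagNames = @{
    0x2      = 'EDITF_REQUESTEXTENSIONLIST'
    0x4      = 'EDITF_DISABLEEXTENSIONLIST'
    0x8      = 'EDITF_ADDOLDKEYUSAGE'
    0x40     = 'EDITF_BASICCONSTRAINTSCRITICAL'
    0x100    = 'EDITF_ENABLEAKIKEYID'
    0x10000  = 'EDITF_ENABLEDEFAULTSMIME'
    0x40000  = 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    0x100000 = 'EDITF_ENABLECHASECLIENTDC'
}

function Get-CaEditFlags {
    $config = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $config)) {
        throw 'No Certificate Services configuration found on this machine.'
    }

    # The Active value names the CA instance this host runs; its own key sits below it.
    $caName = (Get-ItemProperty -Path $config -Name Active).Active
    $caKey  = Join-Path $config $caName
    $policy = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'

    $flags  = [int](Get-ItemProperty -Path $policy -Name EditFlags).EditFlags
    # CAType: 0 = enterprise root, 1 = enterprise subordinate,
    #         3 = standalone root, 4 = standalone subordinate.
    $caType = [int](Get-ItemProperty -Path $caKey -Name CAType).CAType

    $setNames = @()
    foreach ($bit in ($EditFlagNames.Keys | Sort-Object)) {
        if ($flags -band $bit) { $setNames += $EditFlagNames[$bit] }
    }

    New-Object PSObject -Property @{
        CA                  = $caName
        EnterpriseCA        = ($caType -eq 0 -or $caType -eq 1)
        EditFlags           = ('0x{0:x} ({0})' -f $flags)
        FlagsSet            = $setNames
        SanAttributeEnabled = [bool]($flags -band 0x40000)
    }
}

$state = Get-CaEditFlags
$state | Format-List CA, EnterpriseCA, EditFlags, FlagsSet, SanAttributeEnabled

# The combination to watch for: an enterprise CA that honours SAN values supplied
# as request attributes, since any principal with Enroll rights on a template can
# then ask for a certificate carrying a name it does not own.
if ($state.SanAttributeEnabled -and $state.EnterpriseCA) {
    $msg = '{0} is an enterprise CA with EDITF_ATTRIBUTESUBJECTALTNAME2 set. ' +
           'Remove it once the certificate is issued: certutil -setreg policy\EditFlags ' +
           '-EDITF_ATTRIBUTESUBJECTALTNAME2 (then restart certsvc).'
    Write-Warning ($msg -f $state.CA)
}
```

Run it once before the certutil -setreg change to record the baseline, and again after the certificate has been issued and the flag removed, to confirm the CA is back to its original state.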

How to Request a SAN Certificate for Exchange 2010

The next step is to create a certificate request on the Exchange server.  You can perform this task from the Exchange Management Shell or from the Exchange Management Console.

For an example of the Exchange Management Console steps see the previous article.

From the Exchange Management Shell use the New-ExchangeCertificate cmdlet to generate a certificate request.  In this example I am requesting a certificate with the following attributes:

  • A friendly name of “Exchange 2010 Certificate”
  • The server’s FQDN (added by -IncludeServerFQDN; because no -SubjectName is given it also becomes the subject name of the certificate)
  • The alternative names of mail.exchangeserverpro.net, autodiscover.exchangeserverpro.net, and webmail.exchangeserverpro.net

I’m also using -GenerateRequest to create a certificate request rather than simply creating a self-signed certificate, and -PrivateKeyExportable $true so that the finished certificate can later be exported with its private key to other Client Access servers.

[PS] C:\>New-ExchangeCertificate -FriendlyName "Exchange 2010 Certificate" -IncludeServerFQDN -DomainName mail.exchangeserverpro.net,autodiscover.exchangeserverpro.net,webmail.exchangeserverpro.net -GenerateRequest -PrivateKeyExportable $true

The command outputs the Base64-encoded certificate request, which looks similar to this.

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Copy the output to your clipboard for the next steps.

Open your web browser and navigate to the web enrollment URL of your Certificate Services server (eg http://ca-server/certsrv).  Click on Request a Certificate.  Note that if you are running a Windows Server 2003 CA you may need an update to the web enrollment pages before you can proceed any further.

Choose Advanced Certificate Request.

Choose to Submit a Certificate request…, because we’ve already generated the request on the Exchange server earlier.

Paste the generated certificate request data into the form, and choose Web Server as the certificate template.  A template only appears in this list if it is published on the CA and the account you are logged on with has Enroll permission on it.  Click Submit to continue.

When the certificate has been issued, download the certificate file to your Exchange server.


Completing a Pending Certificate Request for Exchange Server 2010

The certificate has been issued and downloaded, and now the pending certificate request needs to be completed on the Exchange server.

Launch the Exchange Management Console, navigate to Server Configuration, and choose the server on which the request was generated.  Right-click the pending certificate and choose Complete Pending Request.

Browse and select the certificate file that was downloaded, then continue to complete the wizard.

The certificate has now been installed and is ready to be assigned to Exchange services.
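The same request, submit and complete cycle can be run end to end from the Exchange Management Shell.  The following script is an added example and not part of the original article: it writes the request to a file with Set-Content (the pattern Microsoft documents for Exchange 2010 SP1, so it does not depend on the request being echoed to the console), submits it to the CA with certreq instead of the web enrollment pages, completes the pending request, and verifies that every requested name is actually in the issued certificate before assigning it to services.  The CA config string 'ca-server\Company Issuing CA', the template name 'WebServer' and the paths under C:\certs are assumptions, not values from the page.

```powershell
# Added example, not from the original article: request, submit, complete and
# verify an Exchange 2010 SAN certificate from the Exchange Management Shell.
# Assumed values (not from the page): the CA config string, the template name
# and the file paths below. Host names are the ones used in the article.

$names    = 'mail.exchangeserverpro.net', 'autodiscover.exchangeserverpro.net', 'webmail.exchangeserverpro.net'
$caConfig = 'ca-server\Company Issuing CA'   # "<host>\<CA common name>" as shown by certutil -dump
$template = 'WebServer'                      # internal name of the Web Server template
$reqFile  = 'C:\certs\exchange2010.req'
$cerFile  = 'C:\certs\exchange2010.cer'
New-Item -ItemType Directory -Path (Split-Path $reqFile) -Force | Out-Null

# 1. Generate the request; the private key stays on this server and is marked
#    exportable so the finished certificate can be copied to other CAS servers.
$request = New-ExchangeCertificate -FriendlyName 'Exchange 2010 Certificate' `
    -IncludeServerFQDN -DomainName $names -KeySize 2048 `
    -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $request

# 2. Submit it to the CA. certreq writes the issued certificate to $cerFile. If
#    the CA holds requests for administrator approval it prints a RequestId
#    instead; fetch the cert later with: certreq -retrieve -config $caConfig <RequestId> $cerFile
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" $reqFile $cerFile
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerFile)) {
    throw "Certificate was not issued (certreq exit code $LASTEXITCODE)."
}

# 3. Complete the pending request. The cmdlet matches the issued certificate to
#    the pending request by public key and returns the installed certificate.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))

# 4. Verify before enabling: every requested name (plus the server FQDN added by
#    -IncludeServerFQDN) must be in the SAN list, and Status must be Valid. A CA
#    whose root this server does not trust shows up here as Untrusted.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$fqdn      = (Get-ExchangeServer -Identity $env:COMPUTERNAME).Fqdn
$domains   = $installed.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing   = @()
foreach ($n in ($names + $fqdn)) {
    if ($domains -notcontains $n.ToLower()) { $missing += $n }
}
if ($missing.Count -gt 0) { throw "Issued certificate is missing names: $($missing -join ', ')" }
if ($installed.Status -ne 'Valid') { throw "Certificate status is $($installed.Status), not Valid." }

# 5. Assign it: IIS covers OWA, EWS and Autodiscover; SMTP covers TLS on the
#    receive connectors. The cmdlet prompts before replacing the default SMTP cert.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, Status
```

The name check in step 4 is the part worth keeping even if the rest is done through the console: a CA that silently drops the SAN extension (the situation the EditFlags change in the first section exists to avoid) produces a certificate that installs without error but only matches the subject name, and the failure only shows up later as client warnings.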

If you encounter an error message stating that “The certificate is invalid for exchange server usage” then see this article for the solution.

About Paul Cunningham

Paul is a Microsoft Exchange Server specialist for one of Australia's largest companies, and is the Publisher of ExchangeServerPro.com. He is also an MCP, MCSA, MCSE, MCTS, and an MCITP for Exchange Server 2007/2010. Connect with Paul on Twitter and LinkedIn.

Comments

  1. Raffaele Marmiroli says:

    I was stuck with the Certification server policy. That worked also for Windows Server 2008 CertSrv.
    Thank you. I’ll reference this doc in my blog.

  2. Curtiss says:

    I don’t get the “begin new certificate request”/“end new certificate” text output after I run the “New-ExchangeCertificate … -GenerateRequest” command. I just get a thumbprint.

    Thumbprint                                 Services   Subject
    ----------                                 --------   -------
    C527BEEE14788799C6C602AAF7D6DEBFDA8509D0   ......     CN=sisexcp9.student.dom

    I ran the command on an Exchange 2010 SP1 server running on 2008 R2.

  3. sam says:

    Hi again, I’ve applied the new SAN certificate (created a new CA on the CAS with Windows Server 2008 R2 and issued a certificate) and assigned services (IMAP/POP/IIS/SMTP); all worked fine for my domain-joined PCs, but a PC with Outlook 2010 says “the security certificate was issued by a company you have chosen not to trust”.
    Can you help with this? Thanks.

    • Curtiss says:

      Your machines or users with Outlook 2010 have to trust the publisher of the certificate. You can use Group Policy to publish the CAS’s “root certificate” to the “trusted publishers” certificate store. Outlook 2007 did not throw this error for self-signed or untrusted certificates. If the problem PC is not a domain PC, you can manually put the root certificate into trusted publishers on that PC with the Certificates MMC console.

  4. Manjula says:

    I have installed an En root CA on my additional AD (Windows 2008 R2); do you recommend it?
    I just installed Exchange 2010 SP1.
    And I failed to issue a certificate by the CA console and web enroll; in the web enroll I can’t select “web server” in certificate template, it only contains “user” and “basic EFS”.
    I had tried issuing a certificate request by Exchange 2010 EMC and EMS.

    What can I do to overcome this?

    • You can use your own CA if you like; it just means non-domain members will not trust the CA until you deploy the root certificate to them.

      If you’re not seeing the web server template I’d say your account doesn’t have permissions to request that type of cert.

  5. Rob Gibson says:

    What about the private key. I thought that had to be exportable when you did an Exchange Self Signed Certificate?

  6. Miroslav Gree says:

    Hello, thanks for your articles about SAN certificates. I have a question about SAN names. In the real world, a SAN certificate for Exchange 2010 must include these names in the cert, in the case of internal and external domains:

    - server FQDN (server.company.local)
    - name for web access for external users (webmail.mycompany.com)
    - name for autodiscover (autodiscover.mycompany.com)
    - name for web access for internal users (webmail.mycompany.local)

    And is the NetBIOS name of the server (for example “server”) needed too? I have read many articles; some say you do not have to include the NetBIOS name, some articles say you have to include the NetBIOS name.

    So what about the NetBIOS name in the SAN?

    Thanks for reply.

    • Netbios would be needed if you plan to have your internal users hitting OWA (for example) by using the server’s Netbios name. As long as they’re hitting the FQDN then no need to include the Netbios name.

  7. uwedadmin says:

    Hi, everybody! I need your help. PowerShell shows this error when running the “certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2” command: CertUtil: -setreg command failed: 0x8007000d, CertUtil: The data is invalid

    How i can fix this?

    • Are you copy/pasting the command from a web page, or typing it out yourself?

      • uwedadmin says:

        No, I type it out myself… but on the command prompt certutil is running without troubles. Now, another problem: the Exchange SA service is not running automatically and the Test-ServiceHealth command shows Mailbox Server Role: False. How can I fix this problem?
