How to Issue a SAN Certificate to Exchange Server 2010 from a Private Certificate Authority

In this post we will see how to issue a SAN certificate to Exchange Server 2010 from a private Certificate Authority. Exchange Server 2010 uses SSL certificates to secure network communications between the servers and clients. When you install Exchange Server 2010, SSL is required for many services both internally and externally. The Client Access Server role has SSL enforced for services like Outlook Web App, ActiveSync, Outlook Anywhere, etc. You can disable SSL, but why would one do that and allow communications over insecure HTTP connections?

When you install Exchange Server 2010, a self-signed SSL certificate is also installed by default. This self-signed certificate will not be trusted by clients or any devices because it's a self-signed cert. SSL certificates for Exchange Server can be purchased from popular Certificate Authorities like Verisign, Digicert, Comodo, etc.

Note: The Exchange server (EXCHANGE.PRAJWAL.LOCAL) to which we are going to issue the SAN cert is part of the PRAJWAL.LOCAL organization. The Certificate Authority role has been installed on the machine where AD DS is installed (the Domain Controller). You can save money by assigning a certificate from a private Certification Authority for lab purposes.

First we will see how to generate a new Exchange 2010 certificate. Click on Start, All Programs, Microsoft Exchange Server 2010, Exchange Management Console. Click on Server Configuration, then under Exchange Certificates right-click on the white space and select New Exchange Certificate.


Provide a friendly name for the certificate. Click Next.


Exchange Server 2010 supports wildcard certificates, but in this example we will use a SAN cert. Click Next.


We will configure the services one by one. For the Outlook Web App service, provide the internal and external names. For the Exchange ActiveSync service, provide the domain name as exchange.prajwal.local. Scroll the right bar down.


Provide the external host name for your organization; in my case it's exchange.prajwal.local.


Under Hub Transport Server, check the box "Use mutual TLS to help secure Internet mail" and set the FQDN of the connector to exchange.prajwal.local. Click Next.


Under Certificate Domains we see 2 entries, autodiscover.prajwal.local and exchange.prajwal.local. Click Next.


Fill out all the details that will be included in the cert. At the end, click Browse and save the certificate request file. The request file is saved with a .req extension and can be viewed using Notepad. Click Next.


Click Finish to close the Exchange cert wizard.


Open the .req file with Notepad. Select all the data and copy it.


On the Exchange server, open Internet Explorer and type the URL http://CertificateAuthorityServername/Certsrv. In my case the CA is 192.168.100.1, so the URL will be http://192.168.100.1/certsrv. Enter the credentials and click OK.


Click on Request a Certificate.


Select Submit an advanced certificate request.


Since we have already copied the data from the .req file, click on the second link: Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.


Paste the content copied from the .req file into the Saved Request box and choose Web Server as the Certificate Template. Click Submit.


Save the file to a location on your computer.


In the Exchange Management Console, right-click the certificate (remember the friendly name of the cert) and click Complete Pending Request.


Click Browse and select the cert file (the file with the .cer extension) that was provided by the CA. Click Complete.


Click Finish to complete pending request.


Right-click the Exchange certificate and click Assign Services to Certificate.


On the Assign Services to Certificate page, select the Exchange server and click Next.


Select Internet Information Services, Simple Mail Transfer Protocol. Click Next.


Click Assign on the next page and click Finish to complete the wizard.


We see that we have successfully assigned the certificate to the Exchange services. The certificate is not self-signed but generated by the internal Certificate Authority.
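
The same request, issue, import and assign sequence can be run from the Exchange Management Shell, followed by a check that the issued certificate carries both SAN names and is not self-signed. This is an added example, not part of the original post; the file paths, friendly name, subject name and the CA config string are assumptions or placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Assumed values (not from the article): paths, friendly name, subject, CA config.
$reqPath  = 'C:\Certs\exchange.req'
$cerPath  = 'C:\Certs\exchange.cer'
$caConfig = '<CA-HOST>\<CA-COMMON-NAME>'   # placeholder for your private CA
$names    = 'exchange.prajwal.local', 'autodiscover.prajwal.local'

# 1. Generate the PKCS #10 request (what the wizard saves as the .req file).
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange SAN Cert' `
    -SubjectName 'CN=exchange.prajwal.local' `
    -DomainName $names
Set-Content -Path $reqPath -Value $req

# 2. Submit the request to the private CA using the Web Server template.
certreq -submit -attrib 'CertificateTemplate:WebServer' -config $caConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Complete the pending request with the .cer file issued by the CA.
$bytes = [Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Assign IIS and SMTP to the new certificate
#    (the shell may ask to confirm replacing the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 5. Verify: every expected name is on the certificate, it is CA-issued,
#    and Exchange reports it as valid.
$check   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$onCert  = @($check.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $onCert -notcontains $_ })

if ($missing.Count -gt 0) {
    throw "Certificate is missing SAN entries: $($missing -join ', ')"
}
if ($check.IsSelfSigned) {
    throw 'Certificate is self-signed; clients will not trust it.'
}
if ($check.Status -ne 'Valid') {
    throw "Certificate status is '$($check.Status)'; check the CA chain on this server."
}

$check | Format-List FriendlyName, Thumbprint, CertificateDomains, Services, Status, IsSelfSigned
```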

