Saturday, 29 May 2010

Exchange Servers and Certificates

In a previous post I detailed how to configure Outlook Anywhere, which relies on HTTPS and therefore needs a certificate infrastructure. In this post I hope to show you how to configure your CA, issue and distribute the necessary Exchange certificate, and configure Exchange and its clients to use it.

1. Install the Active Directory Certificate Services role on a member server or a domain controller. During installation of the service make sure that you choose an enterprise CA (not a standalone one), so that certificate templates are available.

2. Create a duplicate (version 3) of the Web Server certificate template. This version will allow you to request a certificate with multiple subject alternative names (a SAN certificate). Make sure that the Internet-facing CAS machine is granted Enroll permission on the template's Security tab (ACL).

3. Ensure that the template created is defined in the list of templates provided by your CA.

4. On the CAS machine, open an elevated MMC with the Certificates snap-in added for the computer account, and request a computer certificate from the CA using the new template.

5. During the request you can define multiple subject alternative names by adding different DNS names. The names I suggest are based on the following public ( and private (compulinx.local) DNS names.


6. As you can see from point 5, multiple DNS names are included. These represent both public and private names (where mail is the public name and ex1 is your Exchange server's NetBIOS name). The same certificate can be used for internal and external clients. You can choose not to include the internal names for security (personally I wouldn't worry, considering that if a hacker can make an intrusion using a NetBIOS name then you might as well give them a domain account!). However, you should add an SRV record (_autodiscover._tcp, port 443) in your DNS that maps to the CAS machine.

7. Once the CAS machine has its Exchange certificate, check the Trusted Root Certification Authorities store for the root CA certificate. Copy this certificate to any workgroup client that will use Outlook and Outlook Anywhere, since such clients do not receive the root certificate through Group Policy.

8. You will need to ensure that Exchange uses the requested certificate. First, determine which certificates are present by running the following command in the Exchange Management Shell:

[PS] Get-ExchangeCertificate -DomainName EX1 | fl subject,thumbprint

You will most likely find two certificates in the list: the certificate just requested and the original self-signed certificate. You can delete the self-signed one from the Personal certificates store in the MMC. Next, enable the new certificate (identified by its thumbprint) for use with the relevant Exchange services:

[PS] Get-ExchangeCertificate -Thumbprint abcdef | Enable-ExchangeCertificate -Services "IIS,SMTP"
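Before enabling a certificate it is worth checking, rather than eyeballing, that the one you pick is CA-issued, not about to expire, chains to a trusted root and actually carries every SAN name from step 5. The script below is an added example for the Exchange Management Shell, not code from the original post; EX1 and compulinx.local come from the post, while the public DNS zone (elided in the post) is a placeholder you must replace, and the helper name Find-ExchangeSanCertificate is my own.

```powershell
# Added example for the Exchange Management Shell (not from the original post).
# Assumptions: the public DNS zone is a PLACEHOLDER (the post elides it);
# "mail", "ex1" and "compulinx.local" are taken from the post.

$PublicDomain = "PUBLIC-DOMAIN-PLACEHOLDER"   # replace with your public zone

# Every name the SAN certificate must cover (public and private, as in steps 5/6).
$RequiredNames = @(
    "mail.$PublicDomain",
    "autodiscover.$PublicDomain",
    "ex1.compulinx.local",
    "ex1"
)

function Find-ExchangeSanCertificate {
    param([string[]]$Names)
    Get-ExchangeCertificate |
        Where-Object {
            -not $_.IsSelfSigned -and                    # skip the default self-signed cert
            $_.Status -eq "Valid" -and                   # chain builds to a trusted root
            $_.NotAfter -gt (Get-Date).AddDays(30)       # not expired or expiring soon
        } |
        Where-Object {
            # CertificateDomains holds the SAN entries; compare case-insensitively
            $domains = $_.CertificateDomains | ForEach-Object { "$_".ToLower() }
            $missing = $Names | Where-Object { $domains -notcontains $_.ToLower() }
            $missing.Count -eq 0
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Find-ExchangeSanCertificate -Names $RequiredNames
if (-not $cert) {
    Write-Warning "No valid CA-issued certificate covers: $($RequiredNames -join ', ')"
    # Show what is installed so the gap (missing SAN, untrusted root, expiry) is visible
    Get-ExchangeCertificate | Format-List Subject, Thumbprint, CertificateDomains, IsSelfSigned, NotAfter, Status
    return
}

"Enabling $($cert.Thumbprint) ($($cert.Subject)) for IIS and SMTP"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Confirm the binding took effect before touching the self-signed certificate
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, CertificateDomains, NotAfter
```

Enable the new certificate for SMTP first and only then remove the self-signed one, otherwise internal transport between Exchange servers loses the certificate it uses for TLS.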
