Sunday, 14 November 2010

How to Obtain an Exchange Certificate (SAN) from a 2008 StandAlone CA

This post will help you obtain a SAN (Subject Alternative Name) certificate from a StandAlone CA on Server 2008. You will need this for correct configuration of Autodiscover, Outlook Anywhere and the Availability service, all of which connect to the CAS using more than one host name.

1. On your Exchange 2007 server (CAS), run the following cmdlet to generate the SAN certificate request; the request file is written to the root of C:\. Notice the use of multiple names in the request: the -DomainName list becomes the Subject Alternative Names, and the cn= in the subject is the certificate's common name.
    [PS] New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=srv1.compulinxtraining.local" -DomainName srv1.compulinxtraining.local,srv1 -PrivateKeyExportable:$True

    Note that Exchange 2010's New-ExchangeCertificate does not accept the -Path parameter used above. Capture the request in a variable and write it to a file instead:

    [PS] $Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=srv1.compulinxtraining.local" -DomainName srv1.compulinxtraining.local,srv1 -PrivateKeyExportable:$True
    [PS] Set-Content -Path "C:\req.req" -Value $Data
2. Once you have generated the request, visit your CA by opening a browser and going to http://TheCAName/certsrv. Select 'Request a Certificate' and then 'Advanced Certificate Request'. Then select 'Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file'. Copy and paste the entire contents of the request file (all of it, including the BEGIN and END lines) into the 'Saved Request' field and 'Submit' the request to your CA.

3. On the CA, open 'Pending Requests' and issue the certificate.

4. Back on the Exchange server, return to the certsrv page, check the status of the pending request and download the issued certificate. Save the .cer file to an easy-to-find location on the server.

5. Create an MMC and add the Certificates snap-in for the Local Computer account. Under Personal, import your saved certificate. Once imported, you will probably find that if you open it, it is reported as not trusted. You will have to download the CA root certificate and import it into the Trusted Root Certification Authorities store on the Exchange server.
    You may also find that the certificate has no private key. This will cause problems later on, so repair the certificate by following these steps:

    >Open MMC and add the Certificate Snap-In for the Local Computer account.

    >Double-Click on the recently imported certificate. Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.

    >Select the Details tab.

    >Click on the Serial Number field and copy that string. Note: You may use CTRL+C, but not right-click and copy.

    >Open up a command prompt session. (cmd.exe aka DOS Prompt)

    >Type: certutil -repairstore my "SerialNumber" (SerialNumber is the value copied in the fourth step above). This re-associates the certificate with the private key that was generated on this server in step 1; it can only succeed on the server where the request was created.

    >After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC)

    >Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate." Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.

    Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services via Enable Exchange Certificate (Courtesy of

6. Now enable the certificate and bind it to the correct Exchange services. Type the following cmdlet, substituting the thumbprint that Get-ExchangeCertificate lists for your new certificate:
    [PS] Get-ExchangeCertificate -Thumbprint ABCDEFetc. | Enable-ExchangeCertificate -Services IIS,SMTP
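As an added check between steps 5 and 6 (this script is not part of the original post), the following PowerShell, run on the Exchange server, finds the imported certificate, confirms the private key is attached (repairing it with certutil if not), confirms both names from the step-1 request are in the SAN extension, confirms the chain builds to a trusted root, and prints the thumbprint needed in step 6. It assumes the certificate was imported into the Local Computer Personal store with the organisation and names used in step 1.

```powershell
# Added verification script (not from the original post). Assumes the
# certificate from step 5 is in the Local Computer Personal store and was
# requested with the names used in step 1.
$expectedNames = @('srv1.compulinxtraining.local', 'srv1')   # names from the step-1 request

# Locate the newest certificate issued for the organisation used in the request
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*O=CompulinxTraining*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not found in LocalMachine\My; redo step 5.' }

# Check 1: private key association (the problem certutil -repairstore fixes)
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key attached; running certutil -repairstore (step 5)'
    certutil -repairstore my $cert.SerialNumber | Out-Null
    # Re-read the object from the store so HasPrivateKey reflects the repair
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Repair failed: this certificate does not match a request made on this server.'
    }
}

# Check 2: every name from the request is present in the SAN extension (OID 2.5.29.17)
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($name in $expectedNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        Write-Warning "SAN is missing '$name'; clients connecting with that name will see a name mismatch"
    }
}

# Check 3: chain builds to a trusted root (the 'not trusted' symptom in step 5)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a stand-alone lab CA may publish no reachable CRL
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)"
    }
    Write-Warning 'Import the CA root certificate into Trusted Root Certification Authorities'
}

# Thumbprint to feed Enable-ExchangeCertificate in step 6
"Thumbprint: $($cert.Thumbprint)"
```

Run it from an elevated prompt; the certutil repair and the chain build both read the machine store.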

1 comment:

1. This post is very useful for those who are planning to get a SAN certificate. This post shows all the necessary steps and gives the example to do the exact configuration. If you follow these steps you will surely get a SAN certificate. Grab this opportunity.