Friday, March 20, 2009

Self-signed Exchange 2007 Certificates

I won't be going into the details of why this may or may not be best practice, or a good idea, or the other ups and downs of using self-signed certificates to secure the communications between E2K7 and Outlook, OWA, ActiveSync and so on. But just in case you get into the same bind as I did recently, having to create a new certificate because the old one is about to expire or the domain names changed, and can't remember how to, here it goes!

This requires a Certification Authority to be set up on your E2K7 CAS and the E2K7 PowerShell (Exchange Management Shell) to be installed.

We begin by creating a certificate request. And because we most likely need the certificate to cover multiple names/aliases for our server, we use the following command:

New-ExchangeCertificate -DomainName mail.domain.com, e2k7.domain.lan, autodiscover.domain.lan -FriendlyName "Exchange Hosting Certificate" -GenerateRequest:$True -KeySize 1024 -Path c:\e2k7hosting.txt -PrivateKeyExportable:$true -SubjectName "c=us, o=Organization Name, CN=mail.domain.com"

This will create a certificate request file named e2k7hosting.txt in the root of C:. Make sure you replace the -DomainName values with the names appropriate for you, covering every name that OWA, Outlook or ActiveSync might use to connect to your server; a name missing from the certificate will produce certificate errors on the clients that use it.

Now open this text file and copy its content to the clipboard. Then open a browser and navigate to https://servername/certsrv, the web interface of your certification authority on the server, where you can paste the copied certificate request and then download the issued certificate. Make sure you grab the .cer as well, in case you have mobile devices connecting via ActiveSync; it makes the certificate install a breeze.

Next, import the certificate into the default IIS site of your E2K7 server, once again through the Exchange PowerShell, using the following command:

Import-ExchangeCertificate -Path c:\certificatename.p7b | Enable-ExchangeCertificate -Services IIS


Check the IIS default site to confirm that the correct certificate is now listed as installed.

Distribute the .cer to your mobile clients and install.
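As an added example (not part of the original post), here is the whole procedure above as one Exchange Management Shell script that also verifies the result rather than relying on a look at the IIS console. The host names, file paths and organization name are placeholders taken from the post; the 2048-bit key size is my assumption, chosen instead of the 1024 bits used above. The script is meant to be run twice: the first run writes the request, and after the .p7b has been downloaded from certsrv the second run imports, binds and checks it.

```powershell
# Added example, not the blog's own code. Placeholders: host names, paths,
# organization name (from the post); 2048-bit key size is an assumption.
$RequiredNames = @("mail.domain.com", "e2k7.domain.lan", "autodiscover.domain.lan")
$RequestPath   = "c:\e2k7hosting.txt"
$CertPath      = "c:\certificatename.p7b"   # issued certificate saved from https://servername/certsrv

# Step 1: create the request (first run only; stops here until the .p7b exists)
if (-not (Test-Path $CertPath)) {
    New-ExchangeCertificate -DomainName $RequiredNames `
        -FriendlyName "Exchange Hosting Certificate" `
        -GenerateRequest:$true -KeySize 2048 `
        -Path $RequestPath -PrivateKeyExportable:$true `
        -SubjectName "c=us, o=Organization Name, CN=mail.domain.com"
    Write-Host "Request written to $RequestPath. Submit it at https://servername/certsrv, save the issued certificate as $CertPath and run this script again."
    return
}

# Step 2: import the issued certificate and bind it to IIS (OWA, Outlook Anywhere, ActiveSync, Autodiscover)
$cert = Import-ExchangeCertificate -Path $CertPath
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Step 3: verify the binding instead of trusting the IIS console
$iisCert = Get-ExchangeCertificate | Where-Object {
    $_.Thumbprint -eq $cert.Thumbprint -and $_.Services -match "IIS"
}
if ($iisCert -eq $null) {
    throw "Certificate $($cert.Thumbprint) was imported but is not enabled for IIS"
}

# Every name a client may use must appear in the certificate, or that client gets a certificate error
$coveredNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($name in $RequiredNames) {
    if ($coveredNames -notcontains $name) {
        Write-Warning "Certificate does not cover $name; clients connecting with that name will get certificate errors"
    }
}

# Warn early so the next renewal does not become the same emergency as this one
$daysLeft = ($iisCert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Certificate expires in $daysLeft days (on $($iisCert.NotAfter))"
}

Write-Host "Thumbprint: $($iisCert.Thumbprint)"
Write-Host "Services:   $($iisCert.Services)"
Write-Host "Names:      $($coveredNames -join ', ')"
Write-Host "Expires:    $($iisCert.NotAfter)"
```

Run it from the Exchange Management Shell on the CAS. The name check in step 3 is the part worth keeping around: it catches the common mistake of renewing with a subject name that matches the external name but dropping an internal or Autodiscover name, which only shows up later as certificate warnings in Outlook.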

Done!

1 comment:

  1. I completed the command above and no text file was created. It stopped at a ready prompt. What, if any, other suggestions, or is it possible to do through IIS?
