Post on 09-Jun-2020

prajwaldesai.com http://prajwaldesai.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority/

How to Issue a SAN Certificate to Exchange Server 2010 from a Private Certificate Authority

In this post we will see how to issue a SAN certificate to Exchange Server 2010 from a private Certificate Authority. Exchange Server 2010 uses SSL certificates to secure network communications between servers and clients. When you install Exchange Server 2010, SSL is required for many services both internally and externally. The Client Access Server role has SSL enforced for services like Outlook Web App, ActiveSync, Outlook Anywhere etc. You can disable SSL, but why would one do that and allow communications over insecure HTTP connections?

When you install Exchange Server 2010, a self-signed SSL certificate is also installed by default. This self-signed certificate will not be trusted by clients or any devices because it is a self-signed cert. SSL certificates for Exchange Server can be purchased from popular Certificate Authorities like Verisign, Digicert, Comodo etc.

Note: The SAN cert that we are going to issue to our Exchange server (EXCHANGE.PRAJWAL.LOCAL) is a part of the PRAJWAL.LOCAL organization. The Certificate Authority role has been installed on the machine where AD DS is installed (the Domain Controller). You can save your money by assigning a certificate from a private Certification Authority for lab purposes.

First we will see how to generate a new Exchange 2010 certificate. Click on Start, All Programs, Microsoft Exchange Server 2010, Exchange Management Console. Click on Server Configuration, then under Exchange Certificates right-click on the white space and select New Exchange Certificate.

Provide a friendly name for the certificate. Click Next.

Exchange Server 2010 supports wildcard certificates, but in this example we will use a SAN cert. Click Next.

We will configure the services one by one. For the Outlook Web App service, provide the internal and external names. For the Exchange ActiveSync service, provide the domain name as exchange.prajwal.local. Scroll the right bar down.

Provide the external host name for your organization, in my case it's exchange.prajwal.local.

Under Hub Transport Server, check the box “Use mutual TLS to help secure Internet mail”, and set the FQDN of the connector to exchange.prajwal.local. Click Next.

In the Certificate Domains we see 2 entries, autodiscover.prajwal.local and exchange.prajwal.local. Click Next.

Fill out all the details which will be included in the cert. At the end click on Browse and save the certificate request file. The request file is saved with a .req extension and can be viewed using Notepad. Click Next.

Click Finish to close the Exchange cert wizard.

Open the .req file with Notepad. Select all the data and copy it.

On the Exchange server, open Internet Explorer and type the URL http://CertificateAuthorityServername/Certsrv. In my case the CA is 192.168.100.1 so the URL will be http://192.168.100.1/certsrv. Enter the credentials and click OK.

Click on Request a Certificate.

Select Submit an advanced certificate request.

Since we have already copied the data from the .req file, click on the second link – Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.

Paste the content copied from the .req file in the Saved Request box and choose Web Server as the Certificate Template. Click Submit.

Save the file to a location on your computer.

In the Exchange Management Console, right-click the certificate (remember the friendly name of the cert) and click Complete Pending Request.

Click Browse and select the cert file (the file with the .cer extension) that was provided by the CA. Click Complete.

Click Finish to complete the pending request.

Right-click on the Exchange certificate and click Assign Services to Certificate.

On the Assign Services to Certificate page, select the Exchange server and click Next.

Select Internet Information Services, Simple Mail Transfer Protocol. Click Next.

Click Assign on the next page and click Finish to complete the wizard.

We see that we have successfully assigned the certificate to Exchange services; the certificate is not self-signed but generated by the internal Certificate Authority.
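
The same steps can be scripted from the Exchange Management Shell, with a check that the issued certificate really carries both names and is not self-signed before it is bound to services. This is an added example, not part of the original post; the file paths, the friendly name and the `$caConfig` placeholder are assumptions, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# Paths, friendly name and $caConfig are assumptions, not values from the post.
$names    = 'exchange.prajwal.local', 'autodiscover.prajwal.local'
$reqPath  = 'C:\Certs\exchange.req'
$cerPath  = 'C:\Certs\exchange.cer'
$caConfig = '<CA-host>\<CA-name>'   # placeholder: your CA's configuration string

# 1. Generate the PKCS #10 request (the New Exchange Certificate wizard).
$req = New-ExchangeCertificate -GenerateRequest -FriendlyName 'Exchange SAN Cert' `
    -SubjectName 'CN=exchange.prajwal.local' -DomainName $names
Set-Content -Path $reqPath -Value $req

# 2. Submit it to the private CA with the Web Server template (the /certsrv pages).
certreq.exe -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Before importing, confirm the CA issued what was requested.
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$san  = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $san) { throw 'Issued certificate has no Subject Alternative Name extension' }
# Format($true) prints one "DNS Name=<host>" entry per line on English Windows.
$sanNames = $san.Format($true) -split "`r?`n" |
    ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
foreach ($n in $names) {
    if ($sanNames -notcontains $n) { throw "SAN is missing $n" }
}
if ($x509.Subject -eq $x509.Issuer) { throw 'Certificate is self-signed, not CA-issued' }

# 4. Complete the pending request and assign the certificate to IIS and SMTP.
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 5. Review what is now bound to which service.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter, Status
```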