Creating your own Exchange 2007 SSL certificates to publish OWA, Outlook Anywhere & Active Sync with ISA 2006

  1. On your Exchange CAS

    For Auto Discover

    New-ExchangeCertificate -GenerateRequest:$true -SubjectName "C=AU, O=Company, CN=autodiscover.externalname.com" -DomainName mail.externalname.com, autodiscover.externalname.com, exc2007.internalname.local, autodiscover.internalname.local -FriendlyName "Microsoft Exchange 2007" -Path c:\AutoDiscover_mailcert.req -privatekeyexportable:$true

    For OWA & Active Sync

    New-ExchangeCertificate -GenerateRequest:$true -SubjectName "C=AU, O=Company, CN=mail.externalname.com" -DomainName mail.externalname.com, autodiscover.externalname.com, exc2007.internalname.local, autodiscover.internalname.local -FriendlyName "Microsoft Exchange 2007" -Path c:\Mail_mailcert.req -privatekeyexportable:$true

    If you are purchasing a certificate, this certificate request file “c:\*****.csr” now needs to be sent to the correct certificate authority so they can generate a certificate from it. You will need to request a Unified Communications certificate, since the request carries several names. Once the certificate is back from the authority, skip to step 6.

    Output

    Thumbprint Services Subject
    ---------- -------- -------

    6DF761BA62BF50C12F0734BF40A11FEF619B911B ..... C=AU, O=Company, CN=mail...

  2. From your Exchange CAS, browse to your Certificate Authority's web enrollment page – https://CA/certsrv/
  3. Click Request a certificate, then Submit an advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  4. Open each _mailcert.req file from step 1, one at a time, in Notepad. Copy and paste the contents into the box and select the Web Server template (start with AutoDiscover_mailcert.req).
  5. Click Submit, then Download certificate (Base 64 encoded), and save it as something like c:\autodiscover.cer
  6. Still on the Exchange CAS, run the following in the Exchange Management Shell – Import-ExchangeCertificate -path c:\autodiscover.cer

    Output

    Thumbprint Services Subject
    ---------- -------- -------

    5FBE1CE1B31FD9C43E90D6133F85CF291D5A053E ..... CN=autodiscover.externalname.com, ...

  7. Next, run the following command on the Exchange CAS – Get-ExchangeCertificate -DomainName "autodiscover.externalname.com"

    Output

    Thumbprint Services Subject
    ---------- -------- -------

    5FBE1CE1B31FD9C43E90D6133F85CF291D5A053E IP... CN=autodiscover.externalname.com, ...

  8. (You don’t need to do this when you create the AutoDiscover certificate, only the mail.externalname.com certificate.) Confirm the thumbprint is the same as in step 6, then run – Enable-ExchangeCertificate -thumbprint 5FBE1CE1B31FD9C43E90D6133F85CF291D5A053E -services "SMTP, IMAP, POP, IIS"
  9. Repeat steps 2-9 for mail.externalname.com (OWA & Active Sync), this time including step 8.
  10. Open the Certificates (Local Computer) snap-in in MMC on the Exchange CAS, then in the Personal certificate store right-click the certificate you just created, choose Export, and choose to export the private key.

  11. Type in any password but don’t forget it, and save the exported file somewhere accessible from your ISA 2006 server, because you will need it to set up the listener.
  12. Open the Certificates (Local Computer) snap-in in MMC on your ISA server, then in the Personal certificate store import the file you exported in step 11; you will need to enter the password.
  13. You should now have a valid certificate to use with the ISA server listener.
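Before running Enable-ExchangeCertificate in step 8, it is worth confirming that the imported certificate really carries every name from the -DomainName list, has its private key, and chains to a trusted root on the CAS; the script below is an added example (not from the original post) that performs those checks from the Exchange Management Shell, assuming only the thumbprint printed by Import-ExchangeCertificate and the host names used in step 1.

```powershell
# Added example: sanity-check an imported Exchange certificate before enabling it.
# Assumes: run on the Exchange CAS, $Thumbprint is the value shown by
# Import-ExchangeCertificate, and the default name list matches step 1's -DomainName.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string[]]$RequiredNames = @(
        'mail.externalname.com',
        'autodiscover.externalname.com',
        'exc2007.internalname.local',
        'autodiscover.internalname.local'
    )
)

# The certificate lands in the Local Computer\Personal store (the one exported in step 10).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# 1. Without a private key the ISA listener (steps 10-12) cannot use the certificate.
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# 2. Every requested name must appear in the Subject Alternative Name extension (OID 2.5.29.17);
#    clients check the host name they connected to against this list, not the friendly name.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "Certificate has no Subject Alternative Name extension" }
$sanNames = $sanExt.Format($false) -split ',' | ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() }
$missing = $RequiredNames | Where-Object { $sanNames -notcontains $_ }
if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

# 3. The chain must build to a trusted root here; Outlook and ActiveSync clients do the same check,
#    so a cert from an internal CA also needs that root distributed to the clients.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not validate: $status"
}

# 4. Validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw "Certificate is outside its validity period" }

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
Write-Host "OK: $($cert.Subject) covers $($sanNames -join ', ') and chains to $root"
```

If any check throws, fix the request or the CA template before running Enable-ExchangeCertificate, because a certificate missing a name will be served but rejected by clients connecting to that name.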
