Install Self Signed Exchange 2010 SSL certificate

For my example, my domains are…

Local domain: vcp.local
Outside domain: vcpdomain.com.au

NETBIOS name of Client Access exchange server: vcpsydex01
Internal FQDN (AD name): vcpsydex01.vcp.local
External FQDN (Public name): smtp.vcdomain.com.au
Autodiscover name: autodiscover.vcdomain.com.au
SubjectName: cn=smtp.vcdomain.com.au

Run the following command on the Client Access Server to generate the new self-signed SSL certificate using the names listed above:

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "cn=smtp.vcdomain.com.au" -DomainName vcpsydex01,vcpsydex01.vcp.local,smtp.vcdomain.com.au,autodiscover.vcdomain.com.au -PrivateKeyExportable $True

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required the Subject Name (also known as the Common Name) on the certificate to match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. As a best practice, therefore, make sure that smtp.vcdomain.com.au is listed as the Subject Name in your certificate, unless you plan to change that configuration, which can be done by using the Set-OutlookProvider cmdlet with the -EXPR parameter as described in http://msexchangeteam.com/archive/2008/09/29/449921.aspx.

Open IIS on the Exchange Server and tell it to use this certificate.

  1. Click on the Default Web Site
  2. Click Bindings on the right
  3. Select HTTPS, and choose Edit
  4. Under SSL certificate, click the drop-down list and choose the certificate that you created earlier.
  5. Set up external DNS entries for smtp.vcdomain.com.au and autodiscover.vcdomain.com.au. Both need to point to the external IP address of your Exchange CAS server.

    The next few steps install the certificate on the clients.

  6. From Internet Explorer, navigate to your OWA website, https://mail.vcdomain.com/owa. Click Certificate Error, then click View certificates.
  7. Click Install Certificate
  8. Click Next
  9. Select the second option
  10. Select the Show Physical Stores box. Under Trusted Root Certification Authorities, select Registry and click OK.

    Please note, you will need to repeat this step and choose Local Computer.

  11. Click Finish
  12. Select Yes. Close and re-open Internet Explorer.
  13. Close and restart Internet Explorer.

For more information, please refer to http://msexchangeteam.com/archive/2007/07/02/445698.aspx
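
The IIS binding and client-trust steps above can also be done from the Exchange Management Shell with Enable-ExchangeCertificate. The script below is an added example, not part of the original post; it assumes the certificate was created with the friendly name "SelfSigned Cert" as shown earlier, and the export path and file name are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access Server.
# $ExportPath is a hypothetical location; the folder must already exist.
$ExportPath = "C:\Temp\smtp.vcdomain.com.au.cer"

# Find the certificate created with New-ExchangeCertificate (newest match wins).
$cert = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq "SelfSigned Cert" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with FriendlyName 'SelfSigned Cert' found." }

# Confirm that every name from this guide is on the certificate before using it.
$expected = "vcpsydex01", "vcpsydex01.vcp.local",
            "smtp.vcdomain.com.au", "autodiscover.vcdomain.com.au"
$names   = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($expected | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) { throw "Certificate is missing names: $($missing -join ', ')" }

# Assign the certificate to IIS through Exchange instead of the IIS bindings dialog.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"

# Show what is now assigned, including the thumbprint clients should see.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter, Thumbprint

# Export only the public certificate (no private key) for distribution to clients.
$x509  = Get-Item ("Cert:\LocalMachine\My\" + $cert.Thumbprint)
$bytes = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $bytes)

# On each client, from an elevated prompt, compare the certificate hash with the
# thumbprint printed above, then add the file to the Local Computer Trusted Root store:
#   certutil -dump smtp.vcdomain.com.au.cer
#   certutil -addstore Root smtp.vcdomain.com.au.cer
```

Distributing the exported .cer file and checking its thumbprint means clients trust the certificate taken from the server itself, rather than whatever certificate the browser happened to be shown on the error page.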

4 Comments

  1. Almost all of these steps are unnecessary. You should stay in Powershell after you import the certificate and simply use the enable-exchangecertificate command.

    • Agreed. You need to handle SSL certs for Exchange via Exchange – that is, the Exchange Management Shell or Console. There are a lot of virtual directories and other protocols (POP3, IMAP4, Opportunistic TLS for SMTP, etc.) that IIS knows nothing about. I’ve seen this approach cause problems down the road.

  2. Thanks for this. Everyone else’s guides make it impossibly complicated without a technical knowledge of Exchange but your guide was a dream to use after I screwed up the initial certificate. Much appreciated. Alex.
