Zedan IT Blog
IT definitions, discussions and more
Certificates for Exchange 2010 using internal CA
If you need to install an internal certificate server to create certificates for Exchange 2010, remember to add Subject Alternative Name (SAN) support to the certificate server: the Exchange server needs it, and it solves the problem of certificates disappearing after they are imported into Exchange 2010.
Install the certificate server. In Windows Server 2008, go to Server Manager > Roles > Add New Role.
On the next screen (Before You Begin) click Next, then on the Server Roles screen select “Active Directory Certificate Services”.
Click Next, Next. On the Select Role Services screen, select “Certification Authority” and “Certification Authority Web Enrollment”.
If your server doesn’t have IIS installed, setup will tell you that it will install it for you. Click “Add Required Role Services”, then click Next.
On Setup Type, select “Enterprise” and click Next.
On Specify CA Type, select “Root CA” and click Next.
On Set Up Private Key, select “Create a new private key” and click Next.
On Configure Cryptography for CA, leave the default options and click Next.
On Configure CA Name, leave the defaults and click Next.
On the Validity Period screen, select how many years the CA certificate stays valid, or leave the default of 5 years, then click Next.
On Certificate Database Location, leave the defaults, then click Next.
On IIS installation, click Next.
On the Role Services screen, you can add more IIS services or leave the defaults, then click Next.
On the Confirmation page, setup warns you that the domain name and CA settings cannot be changed after the Certification Authority is installed. If you do not intend to change your domain or settings later, click Install.
Setup will begin the installation.
When the installation is complete, click Close.
Then you will need to add SAN support to your Certification Authority. SAN stands for Subject Alternative Name; it lets one certificate cover more than one server name, e.g. Mail.company.com, Exch.company.com, Exchange01, …
To add SAN support, open the Command Prompt on the CA and run the following command (note the plus sign: certutil uses +FLAG to add a flag and -FLAG to remove it):
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Then Restart the Certificate Service by issuing the following two commands in the command prompt:
net stop certsvc
net start certsvc
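The same three steps scripted in PowerShell, with a check that the flag really took effect. This is an added example, not part of the original post; run it elevated on the CA host.

```powershell
# Added example (not from the original post): enable SAN-in-request-attributes on the
# CA, restart the service, and verify the flag is set. Run elevated on the CA host.
# certutil uses +FLAG to add and -FLAG to remove; type the command rather than pasting
# it, because a dash copied from a web page is often an en dash and not a valid switch.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

# Restart Active Directory Certificate Services so the policy module reads the new value
Restart-Service -Name CertSvc

# Verify: -getreg prints the active EditFlags by name; the flag we added is
# EDITF_ATTRIBUTESUBJECTALTNAME2 (bit value 0x40000)
$flags = certutil -getreg policy\EditFlags
if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Output 'SAN attribute support is enabled on this CA.'
} else {
    Write-Output 'Flag not set; check that the command ran elevated on the CA host.'
}
```

While the flag is set, the CA honours a san: attribute supplied with any request, so it is common practice to clear it again with -EDITF_ATTRIBUTESUBJECTALTNAME2 (and restart certsvc) once the Exchange certificate has been issued.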
==========================
Now go to your Exchange server, open the Exchange Management Console, then under Server Configuration click “New Exchange Certificate”.
Enter a name for your certificate, then click Next.
Leave “Enable Wildcard Certificate” unchecked, then click Next.
Select the services that Exchange will handle; this determines the names that will be added to the certificate.
Then it will display the domain names that will be added to the certificate. In this example I assume the following names for the Exchange server:
Server Name: EXCHANGE01
Internet name: mail.company.com
Intranet name: Exchange01.company.com
You can add more domain names by clicking the green plus sign (Add…). When finished, click Next.
Enter the organization and location data, and specify where the certificate request will be saved (here, C:\).
Click Next, then click New.
Exchange will start creating the certificate request.
When it completes, click Finish.
Open the CA web page in a browser, for example http://Localhost/CertSrv if you are opening it on the CA itself, then click the “Request a Certificate” link.
Then click Advanced Certificate Request.
Then click “Submit a Certificate Request”.
Open the certificate request file you created in Exchange with Notepad (in our example, C:\Cert1.req) and select all the text.
Paste the text into the web page, select “Web Server” from the Certificate Template list, then click Submit.
Select Base 64 Encoded, then click Download Certificate Chain. Save the certificate to your local disk.
On the Exchange server:
Click Start, type MMC, then press Enter.
An empty console opens. From the File menu select Add/Remove Snap-in.
Add the Certificates snap-in, select Computer Account, select Local Computer, then click Finish, then OK.
Right-click Certificates under Trusted Root Certification Authorities, then import the certificate we downloaded from the CA.
In the Exchange Management Console, click Server Configuration, select the Exchange certificate we requested, then click Complete Pending Request.
Select the certificate we downloaded from the CA, then click Complete.
Right-click the certificate and select Assign Services to Certificate.
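The request, issue, complete and assign steps above can also be done from the Exchange Management Shell. This is an added example and not the post's own procedure; the names and paths are the post's example values, and the CA configuration string (host\CA name) is an assumption.

```powershell
# Added example (not the post's own steps): request, submit, complete and assign the
# Exchange 2010 certificate from the Exchange Management Shell on EXCHANGE01.
$names = 'mail.company.com', 'Exchange01.company.com', 'EXCHANGE01'

# 1. Generate the request with the SAN list; the subject CN is the Internet name
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.company.com,O=Company,L=City,S=State,C=US' `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path 'C:\Cert1.req' -Value $req -Encoding Ascii

# 2. Submit to the enterprise CA against the Web Server template (replaces the CertSrv
#    web page). The -config value "<CA host>\<CA name>" is an assumption; adjust it.
certreq -submit -config 'CA01.company.com\company-CA01-CA' `
    -attrib 'CertificateTemplate:WebServer' 'C:\Cert1.req' 'C:\Cert1.cer'

# 3. Complete the pending request; Exchange matches it to the key pair from step 1
$bytes = Get-Content -Path 'C:\Cert1.cer' -Encoding Byte -ReadCount 0
$cert  = Import-ExchangeCertificate -FileData ([byte[]]$bytes)

# 4. Assign services: IIS covers OWA/ActiveSync/Autodiscover, SMTP covers transport
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 5. Check: the certificate should now list the services and all three SAN names
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Services, CertificateDomains, Status
```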
================================
Importing the certificate into client computers. For computers in your domain, follow these steps:
On your domain controller, start the Group Policy Management Console (Start menu, type “gpmc.msc”, press Enter).
Either create a new Group Policy or use the Default Domain Policy to deploy it to every system.
Right-click the policy of your choice and select Edit…, then go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
Right-click Trusted Root Certification Authorities and choose Import…
In the import wizard, browse to the root certificate we created earlier.
==================================
If you have computers that are not members of the domain, you can import the certificate manually; for Windows 7:
Open Certificate Manager by clicking the Start button, typing “certmgr.msc” into the Search box, and pressing Enter.
Under Trusted Root Certification Authorities, right-click the Certificates folder and select Import.
Import the certificate we created earlier.
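For machines outside the domain, the import can be scripted and, more usefully, checked: after adding the root the script builds the chain for the Exchange certificate the way a client would. This is an added example, not from the post; the file paths are assumptions (export the root from the CA's Download a CA certificate link).

```powershell
# Added example (not from the post): import the internal root CA on a machine that is
# not a domain member, then verify the Exchange certificate chains to it. Run elevated.
# Paths are assumptions: RootCA.cer exported from the CA, Cert1.cer issued for Exchange.
$rootPath = 'C:\Temp\RootCA.cer'
$exchPath = 'C:\Temp\Cert1.cer'

# LocalMachine\Root makes the CA trusted for every account on this computer
certutil -addstore -f Root $rootPath

# Confirm the root is present by thumbprint, not by display name
$x509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$x509.X509Certificate2" $rootPath
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $present) { throw "Root CA $($root.Subject) was not imported" }

# Build the chain for the Exchange certificate as Outlook or a browser would.
# A failure here means users on this machine will still see certificate warnings.
$exch  = New-Object "$x509.X509Certificate2" $exchPath
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL URL is often unreachable off-domain
if ($chain.Build($exch)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Output "Chain OK, trusted root: $($top.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Output ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}
```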
=======================================
I hope I could give you a brief idea of setting up an internal CA to issue certificates for your Exchange server.
Why do you import it into the trusted root certificate store? It will be trusted anyway as the Domain CA root certificate should already be in there!
Thank you, very useful information. It helped me install and configure a cert for my MS Exchange.
Thank you. Worked like a charm. Choosing “web server” as a template and “download certificate chain” were the pieces I was missing.
Super effort, and very nicely presented.
If anybody finds that the certificate disappears after completing the request it can probably be resolved by the following:
https://social.technet.microsoft.com/Forums/exchange/en-US/10fe7309-ed05-4604-9c9c-a949dd8d7bf7/complete-pending-request-not-visible-after-importing-cert-to-intermediate-certificate-authorities?forum=exchange2010
Gold! Every post should be laid out this nice.
Great Post!!! If you are using Windows 2008 R2, you must go into IIS, CertSrv, Authentication and disable Anonymous, or else the advanced certificate request will not come up.