Using an internal Windows CA certificate with Exchange 2010
A self-signed certificate can serve OWA alone, but a certificate issued by an internal Windows CA can serve all types of clients,
so we will learn how to do it on Windows Server 2012.
We can use an internal Windows CA certificate with Exchange 2013 to avoid certificate errors.
Something you need to know: with an internal Windows CA certificate you need to install the certificates on every machine and mobile device you use; otherwise you will end up with a certificate error.
That is why people prefer going for a 3rd-party certificate to overcome it.
In this article we will learn how to issue an internal Windows CA certificate.
You need to have two A records, Mail.domain.com and Autodiscover.domain.com,
and you will place the cert which we generate onto the machines where you configure Outlook, or any other device, so that you can overcome Outlook errors.
First we will learn how to export a certificate request file from Exchange 2013.
Step 1:
Log in to the Exchange Administration Center (EAC) in Exchange 2013
Servers – Certificates – Click on the “+” sign – New
Choose
“Create a request for a certificate from a certification authority”
Next
Type a friendly name:
A wildcard is used if you are going to manage more URLs. For example: *.Domain.com
Choose the server that will hold the cert request
Step 2:
Enter the required URLs for your Exchange.
For example, I am entering only Outlook Web App (when accessed from the internet)
Step 3:
You will see the collection of URLs
Step 4:
Fill out the form
Create a simple share to save the cert request
Save the cert request to a shared location as below
Now you can see the pending cert request
Step 5:
Your request file would look like this
ExchangeCert.req is the request file you created. Now right-click on the file, Open with, use Notepad
Opening it via Notepad shows a block of request content. You will use this content in a later step.
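The same request (Steps 1 to 5) can be generated from the Exchange Management Shell, which is also the easiest place to check that every name you need ended up in the request before anything is sent to the CA. This is an added example, not code from the original post; the server name, share path, subject and domain names are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): Exchange Management Shell
# equivalent of Steps 1-5. Server name, share path and names are placeholders.
$server = 'EX2013'
$share  = '\\EX2013\CertShare'                              # the "simple share" from Step 4
$names  = 'mail.domain.com', 'autodiscover.domain.com'       # the two A records from the intro

# Generate the request on the Exchange server. Only the names passed in
# -DomainName become Subject Alternative Names, so list every host name a
# client will ever type or be redirected to; a missing name is exactly
# what produces the certificate errors discussed later in this article.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
        -FriendlyName 'Exchange internal CA certificate' `
        -SubjectName "CN=$($names[0]),O=Contoso,C=US" `
        -DomainName $names `
        -KeySize 2048 `
        -PrivateKeyExportable $true

# Save it under the same file name the article opens in Notepad.
Set-Content -Path "$share\ExchangeCert.req" -Value $csr -Encoding Ascii

# Check the request before submitting it: the SANs and key size should match
# what you intended, and Exchange should now list the request as pending.
certutil.exe -dump "$share\ExchangeCert.req"
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```

The private key stays on the Exchange server; only the request text leaves it, which is why the request file can safely sit on a share.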
Step 6:
You need to have this role installed to have a certificate authority. It can be a DC or the Exchange server itself.
I have done this on the Exchange server itself (no harm)
Open Server Manager – Manage – Add Roles and Features
Step 7:
Choose: Active Directory Certificate Services
Choose Next
And choose: Certification Authority Web Enrollment
Choose: Certification Authority Web Enrollment
Choose Install
Choose Close
Step 8:
To configure Active Directory Certificate Services
Choose the exclamation mark on the flag
Choose Next
Choose
Certification Authority
&
Certification Authority Web Enrollment
Step 9:
Choose Root CA
Step 10:
Create a new private key
Step 11:
Keep the default 2048-bit key length
Step 12:
Click Next
Step 13:
By default the certificate is valid for 5 years. Don’t make any changes to it; click Next
Step 14:
Step 15:
Now if you open IIS Manager, you will see that a virtual directory named “CertSrv” has been created.
Use the right-side column: Browse *:443 (https)
Step 16:
You will see a page like this. Choose Request a certificate
Step 17:
Click on advanced certificate request
Step 18:
Choose the second one:
Submit a certificate request by using a base-64-encoded CMC
Step 19:
Now paste the content you copied from Notepad (see Step 5)
Choose Template: WebServer
Step 20:
Choose “Base 64 encoded”
Step 21:
Save the certificate
Copy the file to a common share
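Steps 15 to 21 can also be done without the CertSrv web page, using the certreq and certutil tools that ship with Windows. This is an added example, not code from the original post; the CA configuration string and the share path are placeholders. It also shows how to check which templates the CA will offer to the account you are using, which is the usual explanation when the WebServer template is missing from the web page.

```powershell
# Added example (not from the original post): submit the request to the
# internal CA from the command line instead of the CertSrv page (Steps 15-21).
# CA config string and share path are placeholders.
$share    = '\\EX2013\CertShare'
$caConfig = 'EX2013\domain-EX2013-CA'   # "<CA host>\<CA name>"; running certutil -dump on the CA shows it

# List the templates this CA offers to the current account. If WebServer is
# not in the list, the account lacks Enroll permission on that template,
# which is why the web page shows only User / Basic EFS in that situation.
certutil.exe -config $caConfig -CATemplates

# Submit the PKCS#10 request against the WebServer template and save the
# issued certificate next to the request.
certreq.exe -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' `
    "$share\ExchangeCert.req" "$share\ExchangeCert.cer"

# Confirm the issued certificate carries every SAN you asked for before
# completing the request in the EAC; a name the CA dropped will not come back.
certutil.exe -dump "$share\ExchangeCert.cer" | Select-String 'DNS Name='
```

Run this from an account that has Enroll permission on the WebServer template; a normal user account is the most common reason the template list comes back short.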
Step 22:
Now go to your EAC – Servers – Certificates – choose the pending request – choose Complete
Step 23:
Now assign services to the certificate
Choose the cert and click on Edit
Now the server part is ready
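Steps 22 and 23 map to two Exchange Management Shell cmdlets, and the shell also makes it easy to confirm the result. This is an added example, not code from the original post; the server name and share path are placeholders.

```powershell
# Added example (not from the original post): shell equivalent of Steps 22-23.
# Server name and share path are placeholders.
$server = 'EX2013'
$share  = '\\EX2013\CertShare'

# Complete the pending request with the certificate the CA issued. This only
# pairs the issued certificate with the private key generated in Step 1;
# the key itself never left the Exchange server.
$bytes = [System.IO.File]::ReadAllBytes("$share\ExchangeCert.cer")
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes

# Assign it to IIS (OWA, EAC, EWS, ActiveSync, Autodiscover, OAB) and SMTP.
# -Force answers the "overwrite the default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# Verify: Status should be Valid. Untrusted means the CA's root certificate is
# not in the Exchange server's own Trusted Root store yet, and every name
# clients use should appear in CertificateDomains.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, Status, NotAfter
```

Leave POP and IMAP on their existing certificate unless you actually publish those services; assigning a certificate to a service you do not use gains nothing.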
Now we will learn how to install the certificate on the client end
Double-click on the certificate
Click Install Certificate – Click Next –
Choose Local Machine
Choose Personal –
Click Next and the import will be successful
Now do the same process
Double-click on the certificate
Click Install Certificate – Click Next – Choose Trusted Root Certification Authorities
Double-click on the certificate
Click Install Certificate – Click Next – Choose Intermediate Certification Authorities
Step 25:
Before
After installing the Certificate in the Client
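The client-side installation above can be scripted from an elevated PowerShell prompt, which is how you would handle more than a handful of non-domain machines. This is an added example, not code from the original post; the share path and the file name of the CA's own root certificate are placeholders. It goes one step beyond the wizard runs above: it also installs the CA's root certificate, so that anything this CA issues later (including a renewed Exchange certificate) is trusted without touching the client again.

```powershell
# Added example (not from the original post): install client-side trust from
# an elevated prompt. Share path and root certificate file name are placeholders.
$share = '\\EX2013\CertShare'

# The issued Exchange certificate goes into the machine Personal store, as in
# the wizard step above.
Import-Certificate -FilePath "$share\ExchangeCert.cer" -CertStoreLocation Cert:\LocalMachine\My

# Trust is decided by the issuing CA, not by the server certificate. Exporting
# the CA's own root certificate (on the CA server: certutil -ca.cert RootCA.cer)
# and placing it in Trusted Root makes every certificate that CA issues later
# trusted as well. Domain-joined machines normally receive it through Active
# Directory already; this matters for the non-domain PCs and mobile devices
# the article mentions.
Import-Certificate -FilePath "$share\RootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root

# Verify the chain the way Outlook and the browser will evaluate it. The
# output must not end in "terminated in a root certificate which is not trusted".
certutil.exe -verify "$share\ExchangeCert.cer"

# And confirm the host name the client actually uses is on the certificate.
(Get-PfxCertificate -FilePath "$share\ExchangeCert.cer").DnsNameList
```

If the chain verifies but a browser still complains, the name being typed is usually not in the list printed by the last line, which is a URL problem rather than a trust problem.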
Great !!
Now you have learnt how to use an internal Windows CA certificate on Windows Server 2012 with Exchange 2013
Keep up the good work…
Thanks Gulab ~
Thanks for sharing the valuable knowledge
You are most welcome Manu !!
Hi,
I have a problem, that when I get to step 19 Choose Template : WebServer , I don’t have that option. I only have two options of, User or Basic EFS.
Thanks in advance
Brian
Check that you are logging in as an Admin with all the rights.
Most of the time that’s the only instance in which you don’t see that option.
Hi Satheshwaran.
Great write-up, I have followed your instructions but I am having problems with my internal Outlook clients connecting to Exchange. I receive the following error message:
Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)
I am able to connect and send email via OWA without any issues. I’ve been working on resolving this issue for a week now and I’m not sure what else to try 🙁
Any help would be very much appreciated.
Ajay Paul
It might happen if your Active Directory is not healthy.
Check whether any decommissioned DCs still exist. Check DC replication.
Thanks for the reply, it was a DNS issue in the end.
You’re welcome Ajay!
Thanks a lot mate this was a very well presented and clear guide which did the trick!
Thanks for this post….also try to post Exchange 2013 Migration once it’s going to be live…
Sure Pradeep,
I will look forward to post it.!
Hi,
Firstly, sorry for my stupid questions as below (I’ve not experienced it before):
My lab has 4 PCs:
+ PC1: Domain controller (Active directory) (ad.local.com)
+ PC2, PC3: installed Exchange 2007, Exchange 2010
+ PC4: Exchange 2013
Question 1:
After creating the certificate successfully at step #5 and following step #22, do we request the certificate on PC1 (https://ad/certsrv) or on PC4 (https://ex2013.local.com/certsrv)?
Question 2:
Do I need to install this certificate (at step 22) for PC2, PC3?
Question 3:
For a non-domain Outlook client PC (Outlook 2007/2010), I cannot create an Outlook profile for Exchange 2013 users,
so do I also install the certificate applied in Exchange 2013 onto the non-domain PC following step #24?
Question 4:
My Exchange labs have used for internal network (intranet network), so for OWA-Autodiscover – Outlook anywhere…: could I configure InternalURl which is same as ExternalURl ? or I don’t need configure ExternalURl for all services in case I use them for intranet network ?
Thanks,
Hung.
My lab has 4 PCs:
+ PC1: Domain controller (Active directory) (ad.local.com)
+ PC2, PC3: installed Exchange 2007, Exchange 2010
+ PC4: Exchange 2013
Question 1:
After creating the certificate successfully at step #5 and following step #22, do we request the certificate on PC1 (https://ad/certsrv) or on PC4 (https://ex2013.local.com/certsrv)?
You will get a request file from PC4 = Exch 2013. Place it on DC-PC1, and get the final cert.
Question 2:
Do I need to install this certificate (at step 22) for PC2, PC3?
Yes, you need to use the same cert on Exchange 2007, 2010, 2013.
Make sure all URLs are added.
Question 3:
For a non-domain Outlook client PC (Outlook 2007/2010), I cannot create an Outlook profile for Exchange 2013 users,
so do I also install the certificate applied in Exchange 2013 onto the non-domain PC following step #24?
Yes
Question 4:
My Exchange labs have used for internal network (intranet network), so for OWA-Autodiscover – Outlook anywhere…: could I configure InternalURl which is same as ExternalURl ? or I don’t need configure ExternalURl for all services in case I use them for intranet network ?
I don’t think you need to configure it if you are using it on the intranet alone. Not mandatory.
Hi,
after installing the certificate on the non-domain client (step #24), open IE and type:
https:///owa
The bar still displays “certificate error” ?
This is the information about my certificate:
+ OWA (internet):
I also use this exchange for intranet/internal network, so I need to request the certificates relating to “internal”, like
OWA (when accessed from intranet)
OAB (when accessed from the intranet)
And one more problem I met:
I cannot open the Outlook profile of Exchange 2013 on the non-domain client but OWA is OK.
This is the warning when I try to open that profile:
“cannot open your default e-mail folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance”
Could you give me some ideas to solve my problems, please ?
Thanks.
Verify your Active Directory is healthy,
And replication works fine
Hi ,
I restarted the Exchange 2013 system (and also tried restarting all services relating to Exchange and the DC), but I still get “certificate error” in the web client of the non-domain PC?
Could you specify the tasks which I should do to check?
Thanks,
Sorry for typing information which was not clear.
This is the full:
————————————-
Hi,
after installing the certificate on the non-domain client (step #24), open IE (on the non-domain PC and on the Exchange PC) and type:
https:///owa
The bar still displays “certificate error” ?
This is the information about my certificate:
at step #2, only choose
+ OWA (internet) and edit “FQDN of exchange”
I also use this exchange for intranet/internal network, so I need to request the certificates relating to “internal”, like
OWA (when accessed from intranet)
OAB (when accessed from the intranet)
……
And one more problem I met:
I cannot open the Outlook profile of Exchange 2013 on the non-domain client but OWA is OK.
This is the warning when I try to open that profile:
“cannot open your default e-mail folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance”
Could you give me some ideas to solve my problems, please ?
Thanks.
————————————-
Bhai,
Thanks a ton for putting it together so nicely.
Sadly,
Ever since I added this certificate, I am getting a blank screen on opening ECP/EAC/OWA.
Moreover, I can’t even open the Management Shell.
I’m screwed up.
–
Shakti
Check the entries in the cert. Make sure you inserted it in the stores properly.
Thanks Manoharan,
Nice step by step instructions…very helpful.
I have managed to get through the Exchange and Outlook configs.
Before I finalise, some help on the below:
1. After changing the external and internal URLs in Exchange, do I need to create the certificates again?
2. How do I configure DNS for Outlook Anywhere?
3. Create public folders in Exchange 2013 and copy data from Exchange 2003 public folders.
Regards,
RR
Thank you for your comments Rakesh
1.
When you create a cert request from the Exchange server, you should verify that all the URLs are available in the cert.
Once you verify the cert request with the certificate authority, things are going to be fine.
2.
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgenerallegacy/thread/27fa6587-8e2e-4362-8c25-ad1d21030dca/
The following points are to be considered when you want to enable Outlook Anywhere:
A. Enable Outlook Anywhere
Enable-OutlookAnywhere -Server 'Exch1' -ExternalHostname 'site.contoso.org' -DefaultAuthenticationMethod 'Basic' -SSLOffloading $false
B. Configure a valid SSL certificate for the external urls (including autodiscover url)
C. Firewall and DNS changes:
D. public DNS record for the external host name and autodiscover you are using for Outlook Anywhere
A public IP address on the firewall that the public DNS record resolves to
A NAT or publishing rule to allow SSL/HTTPS connections to reach the Client Access server
3.
You have a separate migration method to migrate public folders. I will post that soon.
Hi, I wonder why we must install the certificate (*.cer) two times?
We are placing it in two containers.
If you are familiar with MMC, you can copy the cert from Personal to Trusted, or either way.
1. When I installed certificate (step 24: install “Trusted Root Certification Authorities “), met an error as the picture below:
http://i.upanh.com/rikvru
or “http://nw8.upanh.com/b3.s36.d2/9af341981a5dc6f83675f2303f1b8a81_55340418.certificate.jpg”
I don’t know why ?
2. One more problem for other servers: I intend to install a new certificate for the Exchange version, but met a problem “cannot find a web template in cert page”
http://i.upanh.com/rikvhi
Please help me to solve it.
Thanks,
Hello again satheshwaran,
I’ve followed this guide and it seems to be working, thanks. I’ve just got a few issues that need addressing; if you could help that would be greatly appreciated.
1. After creating the new certificate as explained by yourself, can I now delete the default certificates (Microsoft Exchange, Microsoft Exchange Server Auth Certificate and WMSVC)? For some reason the Microsoft Exchange certificate still has the following services activated: IMAP, POP, IIS, SMTP and
Exchange Server Auth Certificate: SMTP
2. My outlook 2007 clients running on XP SP3 are prompted for login details every time they log on to outlook.
3. Outlook 2007 clients cannot share their calendars, error message : an error occurred when setting schedule permissions.
Any help would be appreciated
Thanks in advance
Ajay Paul
Did you place the certificates in those XP machines as well? Yes, you can remove it if no services are assigned to them. Well, no harm leaving it there too.
Dear Satheshwaran,
thank you for the nice post.
I have one question, can you tell us in more detail how to use it Externally?
Since you say in the beginning you need to have a CNAME record in your public DNS pointing to your public IP, NATed to your CAS.
thank you for your help.
Best Regards.
A DNS A record set up for autodiscover.yourdomain.com points to your public IP.
Now pinging autodiscover.yourdomain.com should resolve to your public IP.
Then your public IP NATs to your Exchange server.
Hope I am clear now. I will update the content. Sorry for the confusion.
THANKS A LOT; it does help!
You’re welcome Nicholas
Hi
I tried this – when setting up Outlook 2013 I get a cert error because it’s looking to the root of the domain, i.e. mydomain.com (I didn’t request a root cert!)
I see mydomain.com (along with mail, owa & autodiscover) is also listed when I look at the cert.
Do I need to change some settings when making the request?
Or can I change the imported cert properties?
Dear Satheshwaran,
thanks a lot for this post, very helpful!
Following these steps everything goes right, but in my case at step 22 there is a little difference:
In your screenshot the file to import is “\\UNC\FOLDER\something.CER”; in my case it is “\\UNC\FOLDER\something.PFX”. Why?
Why doesn’t it ask me for a .cer file like in your post?
Thanks
Regards
Both should work, but while you exported the cert you would have downloaded the PFX format and not the .cer one.
How do I configure certificate-based authentication in Exchange 2013? The DC is a Windows 2012 server.
Dear Satheshwaran,
Thanks a lot for this post, very helpful!
How do I use an internal Windows CA (Certificate Authority) in Windows 2012 with Exchange 2013 with 2 CAS?
I did the same with CAS1 but I don’t know how to do it with CAS2 with the same CA.
Dear Satheshwaran,
Does this solution also help in my case:
A question about the way my Windows Server 2012 resolves the internal and external addresses. Right now I have an internal domain: yyy.example.local, external domain: yyy.example.com. I have an Exchange certificate for my external domain yyy.example.com and that is working fine for the Exchange users. When the users approach Exchange internally they receive an error because the certificate name doesn’t match the internal address, which is logical.
My question is: How can I let my internal address redirect to my external address. So when users approach Exchange internal they will receive the right external address without any errors. I’ve tried the options below, but this does the opposite. It will link my external address to my internal.
1. create new forward NON-AD Zone on DNS server for the external name of the mail server that is on your cert: remote.yyy.org
2. go into the new zone, make a new A record, the name is blank and put IP as internal mail server.
3. Go into Exchange Admin GUI and go to server section – virtual directories – change the website to the external name: remote.yyy.org/xxx
4. you can not change autodiscover from GUI – open shell and put in: Get-ClientAccessServer | set-ClientAccessServer -AutoDiscoverServiceInternalUri remote.yyy.org/autodiscover/autodiscover.xml CONFIRM: Get-ClientAccessServer | ft name,AutoDiscoverServiceInternalUri
5. In server section of GUI, double click on server, go to outlook anywhere section, change both internal and external to what is on cert: remote.yyy.org
6. I made sure the PC I was testing on had the DNS settings of the server I added the new zone to
Can you please let me know?
Greetings
after completing, why the status of the new certificate is invalid?
help me please
Maybe you are choosing the wrong format, or you haven’t placed the cert in the client properly.
Install the internal CA Certificate on the Exchange 2013 Server or restart the Exchange 2013 server after installing the CA server.
With me the same thing happened and after the above procedure the certificate was valid.
OK, so I managed to change the Autodiscover URL, pointing it to the external URL, so Outlook will connect with the right certificate. If I delete and re-add the Outlook profile, the certificate error won’t pop up and everything works fine. My question now is: I am dealing with 50+ users. Does this mean every single user has to delete his Outlook account and re-add it? This is a big amount of work, not to mention the time Outlook needs to sync everything back again (over 50 GB worth of data).
Is there a way to do this faster and more effectively?
Thanks
If you are using an internal CA, all certs need to be managed on the machines manually, i.e. the cert has to be inserted manually into the machines to avoid cert errors.
Hi Great Article, got it setup but still have the following using Outlook 2007
There is a problem with the proxy security certificate, the certificate is not from a trusted certifying authority.
But it should be trusted from the AD forest
Make sure you imported the certificate to your local client machine into the Personal / Trusted / Intermediate containers.
Do I need to add my Exchange server hostname in my SSL certificate. For example if I enter https:\\exch01\ecp , will I get to the ecp even though it is not in my CSR SSL certificate? Any reason why I need to add my exchange server to the certificate request? What about just adding a hostname vs. the FQDN? Thanks.
Ideally the Exchange server should work with two entries in the cert – Mail.domain.com and autodiscover.domain.com –
changing the internal URLs according to the above.
As it’s an internal CA, you can have all the URLs; it doesn’t cost you anything, so that you won’t get a cert error in a few instances. Anyway, using an internal CA is a pain. At least you can see some error-free spaces. lol
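The reply above and several of the questions in this thread come down to the same thing: the names clients are sent to must be names that are on the certificate. This added example, not code from the post or its author, sets every client-facing URL to the two names the author recommends. Server and domain names are placeholders; it uses the Exchange 2013 cmdlets and parameters, so it generalises the single Set-ClientAccessServer line quoted earlier in the thread to the other virtual directories as well.

```powershell
# Added example (not from the original post): make every client-facing URL use a
# host name that is on the certificate. Server and domain names are placeholders.
$server = 'EX2013'
$mail   = 'mail.domain.com'
$auto   = 'autodiscover.domain.com'

# Same URL internally and externally, so the one certificate name is valid
# from the LAN and from the internet (split DNS handles where it resolves).
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$mail/owa" -ExternalUrl "https://$mail/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" -InternalUrl "https://$mail/ecp" -ExternalUrl "https://$mail/ecp"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "https://$mail/EWS/Exchange.asmx" -ExternalUrl "https://$mail/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$mail/Microsoft-Server-ActiveSync" -ExternalUrl "https://$mail/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -InternalUrl "https://$mail/OAB" -ExternalUrl "https://$mail/OAB"

# Autodiscover is the first thing Outlook contacts, so the SCP URI that
# domain-joined clients read from Active Directory must be a certificate name too.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$auto/autodiscover/autodiscover.xml"

# Outlook Anywhere host names (Exchange 2013 parameter names).
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -InternalHostname $mail -ExternalHostname $mail `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

# Review: every URL and host name printed here must appear in the
# CertificateDomains of the certificate assigned to IIS.
Get-OwaVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri
Get-OutlookAnywhere -Server $server | Format-List InternalHostname, ExternalHostname
```

Existing Outlook profiles pick up the new Autodiscover answer on their next refresh, which is why the certificate error stops appearing without every user recreating a profile.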
I don’t understand why you don’t download and install the root CA certificate into the users’ Trusted Root Certification Authorities store instead of the one that you created. This would mean all future certs that you issue would automatically be trusted without having to install them.
My cert doesn’t run on OWA 2013 SSL; in the details I see a warning in Key Usage “Digital Signature, Key Encipherment (a0)”. Perhaps the problem is this?
Hi, thanks for your wonderful article
I have a question, can I use the same certificate to send encrypted email via Outlook 2013 to other recipients out in the world (I mean People that we do Business with and are not joined in our Domain)?
If yes, could they decrypt the emails and their attachments?
Best Regards
You cannot use an internal CA cert with the external world. They cannot decrypt them.
Superb post..
Hi,
We have an internal CA for our internal servers like Exchange and Lync, and under Certificates in the ECP it shows that it is going to expire. If we go to the CA server, it shows three more years to expiry under the certificate details. Is there any default setting such that certificates are valid only for two years and then we need to renew them?
While issuing you can set the number of years. When you open the cert in Exchange and it says it is going to expire, you have to reissue it.
But you can check the reissue expiry settings in the internal CA to get a more extended expiry time. Some certificate types are set to 2 regardless of what you set in the internal CA. This behaviour can be fixed if you do more research on the internal CA, which I never did.
this is great and helpful.
I have a question: Windows CA blocked my Exchange. Before installing the CA my Exchange was working fine; after installation I was not able to access the EAC (Exchange Admin Center). Can you please assist me with how I can resolve this issue? I uninstalled the CA but it is still not working. Please assist.
My AD is Windows 2012 R2 and Exchange is on Windows 2012 R2, which is a member of my AD.
Windows CA should not cause any issues. Try assigning a proper SSL certificate for the Exchange server.
sorry my name is Etienne not Erienne
Thank you for this explanations. I have one question. I have an sbs2008 with exchange 2007. Can I move the CA without trouble to a 2012 DC with a different name and then create the certs for the new exchange? I need the old SBS for moving mailboxes and public folder.
Yes you can.
What I want to know is why they never built in the option to query an internal ca directly for certificates and renewals without having to do the whole file thing. Like you can setting up rds..
They don’t want to encourage it. Simple. Public certs became cheap and game changers.
My Exchange Server certificate when trying to complete it (changing from Pending) disappears from the exchange console and you cannot edit it.
The above procedure does not work
Use the Shell to retrieve it.
Great KB, dear Satheshwaran. I have a situation where the customer has a local domain name, domainname.local, and currently no CA provider (DigiCert) is giving us names like .local or an IP as SAN names. Kindly advise how I can handle this; currently users are getting certificate errors frequently. Can I build a CA server and import the certificate, and discard the external certificate which is from DigiCert?
Regards,
Jinu
Is it for Exchange server?
Hi Satheshwaran Manoharan,
Thanks for sharing this with us, you just saved my day, Thanks a Million
Thank you
Hi all,
We have an internal CA server (Windows Server 2012 R2, hash algorithm: SHA256). The certificate works in IE but in Firefox and Google Chrome it is Not Secure. How can I resolve this problem?
It really helped. I was stuck creating a certificate for a very long time and this article simply solved my problem. Thanks for writing such a helpful article.
Thank you
Hello, I am faced with a problem with my wildcard certificate on Microsoft Exchange 2016. My main DNS is a@xy.com and my Exchange server is joined to this domain. I also have another DNS which is a@az.com, and all emails are set on this domain, and I set A records, MX, … on this domain. A few days ago I purchased a wildcard SSL for my domain, namely a@az.com, and installed the SSL on my Exchange server, but our clients are faced with the problem (The name on the security certificate is invalid, or does not match the name of the site). Would you please help me to resolve my problem?
Hello Manoharan,
I want to know: if the SSL is self-signed by the AD CA, will the client end (those domain-joined PCs) automatically trust the SSL?
Regards,
Yes