Article Updated : Using an internal Windows CA certificate with Exchange 2010
A self-signed certificate covers OWA alone (and only after every user clicks through the warning), whereas a certificate issued by an internal Windows CA can serve every client type: OWA, Outlook Anywhere, ActiveSync, POP/IMAP and SMTP TLS.
So we will learn how to do it.
We can use an internal Windows CA certificate with Exchange 2010 to avoid certificate errors.
Something you need to know: with an internal Windows CA certificate, every machine and mobile device that is not joined to the domain must be made to trust the issuing CA, which means importing the CA's root certificate on each of them; otherwise you will end up with a certificate error in IE and in Outlook.
That is why people prefer a 3rd-party certificate: its root is already trusted by every operating system and device, so there is nothing to install on the clients.
In this article we will learn how to issue an internal Windows CA certificate. For it to be used externally you also need an A (host) record in your public DNS for the name on the certificate, for example mail.domain.com, resolving to the public IP that is NATed to your CAS.
First we will learn how to export a certificate request file from Exchange 2010 (EMC, Server Configuration, New Exchange Certificate).
Step 1:
Type a friendly name.
A wildcard name is used if you are going to cover many URLs in one certificate, for example *.Domain.com. Keep in mind that a wildcard only matches one label, so *.domain.com does not cover mail.child.domain.com.
Step 2:
Tick the services your Exchange organisation needs: Outlook Web App, ActiveSync, Outlook Anywhere, Autodiscover, Hub Transport (TLS), and POP/IMAP if used.
Tick the Exchange 2003 legacy option (legacy.domain.com) only if you are planning OWA coexistence between Exchange 2003 and Exchange 2010.
Step 3:
You will see the collection of URLs that will become the Subject Alternative Names of the certificate. Check that every name a client will ever type or be redirected to is listed (the public name such as mail.domain.com, autodiscover.domain.com, and the internal FQDN of the CAS if internal clients still use it); a name that is missing here produces "The name on the security certificate is invalid or does not match the name of the site" later.
Step 4:
Fill out the form (organisation, location) and set the path for the certificate request file.
Step 5:
Your request file will look like this: a Base64 block between BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines.
Open it in Notepad, because we need to paste this content into the CA to generate the certificate.
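The same request can be generated from the Exchange Management Shell instead of the EMC wizard. The block below is an added example, not code from the original article; the names in $names, the subject fields, the friendly name and the output path are assumptions to be replaced with your own. New-ExchangeCertificate -GenerateRequest is the cmdlet the wizard calls under the hood; the certreq -dump line at the end decodes the request so you can confirm the CN and every SAN before handing it to the CA.

```powershell
# Added example (not from the original article): build the certificate request
# from the Exchange Management Shell. All names, paths and organisation details
# below are assumptions; replace them with your own.

# Every name a client will ever type, or be redirected to, must be a SAN on the
# certificate. A name missing here is what produces "The name on the security
# certificate is invalid or does not match the name of the site".
$names = @(
    'mail.domain.com',          # OWA / ActiveSync / Outlook Anywhere (public name)
    'autodiscover.domain.com',  # Autodiscover; Outlook looks for this first
    'legacy.domain.com',        # only during Exchange 2003 coexistence
    'exch01.domain.local'       # internal FQDN of the CAS, if internal clients use it
)

# -GenerateRequest returns the Base64 PKCS #10 request as text. The private key
# is created on this server and never leaves it; -PrivateKeyExportable lets you
# copy the finished certificate to a second CAS later. 2048 bits is the minimum
# any current CA or browser accepts.
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange Cert' `
    -SubjectName 'C=US,O=Domain Inc,CN=mail.domain.com' `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Write the request file exactly as the CA web enrollment page expects it.
New-Item -ItemType Directory -Path 'C:\Certs' -Force | Out-Null
Set-Content -Path 'C:\Certs\exchange.req' -Value $req

# Sanity check before submitting: decode the request and show the subject and
# every DNS name in the Subject Alternative Name extension.
certreq -dump 'C:\Certs\exchange.req' | Select-String -Pattern 'Subject:|CN=|DNS Name='
```

The request file written here is the same Base64 block Step 5 shows, so the web enrollment steps that follow work unchanged; the decoded dump is the place to catch a missing name, because fixing it after the CA has signed means a new request.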
Step 6:
You need to have the Active Directory Certificate Services role installed to have a Certification Authority. It can be on a DC or on the Exchange server itself.
I have done this on the Exchange server itself, which is fine for a lab. In production keep the CA on a separate, tightly controlled server: whoever controls the CA's private key can issue a certificate for any name that your clients trust, including names outside this Exchange organisation.
Step 7:
Choose: Certification Authority, Certification Authority Web Enrollment.
Step 8:
Choose Enterprise. An Enterprise CA must be a domain member, and it publishes its root certificate to Active Directory, so domain-joined clients trust it automatically; a Standalone CA does not, and every client would have to be trusted by hand.
Step 9:
Choose Root CA (a single-tier CA that signs its own certificate).
Step 10:
Create a new private key.
Step 11:
Keep the default 2048-bit key length. If the hash algorithm list offers SHA256, pick it: current browsers reject certificates signed with SHA1, and the choice made here cannot be changed without reinstalling the CA.
Step 12:
Click Next.
Step 13:
By default the CA's own certificate is valid for 5 years; don't make any changes to it, click Next. (The certificates it issues from the Web Server template are valid for 2 years by default.)
Step 14:
Step 15:
Now if you open IIS Manager you will see a "CertSrv" virtual directory has been created.
Use the right-hand column: Browse *:443 (https). Web enrollment must be used over HTTPS, otherwise the browser refuses the request submission.
Step 16:
You will see a page like this. Choose Request a certificate.
Step 17:
Click on Advanced certificate request.
Step 18:
Choose the second option:
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Step 19:
Now copy the contents of the Notepad file into the Saved Request box.
Choose Certificate Template: Web Server (this is the template that gives the certificate the Server Authentication purpose; without it Exchange will not accept the certificate for IIS).
Step 20:
Choose "Base 64 encoded" and click Download certificate.
Step 21:
Save the certificate (a .cer file).
Step 22:
Now go to your EMC.
Server Configuration – select the pending request – Complete Pending Request.
Choose the certificate file you saved.
Step 23:
Now assign services to the certificate: IIS at minimum, plus SMTP, POP and IMAP as needed. Confirm when asked whether to overwrite the default SMTP certificate.
Now the server part is ready.
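Steps 15 to 23 can also be run from the Exchange Management Shell on the CAS, which is easier to repeat on a second server and leaves a record of exactly what was submitted. This block is an added example, not code from the original article; the CA name in $caConfig, the file paths and the service list are assumptions for your environment. certreq -submit does what the web enrollment form does, Import-ExchangeCertificate is "Complete Pending Request", Enable-ExchangeCertificate is "Assign Services", and the last line pulls the CA's own certificate out for the client step that follows.

```powershell
# Added example (not from the original article): submit the request to the CA,
# complete it in Exchange and assign services, all from the shell. The CA name,
# paths and service list are assumptions. Run in the Exchange Management Shell
# on the CAS with an account allowed to enrol the WebServer template.

# "host\CA name" exactly as shown in the Certification Authority console
# (certutil -dump prints it). Here the CA is on the Exchange server, as in Step 6.
$caConfig = 'exch01.domain.local\domain-EXCH01-CA'
$reqFile  = 'C:\Certs\exchange.req'
$cerFile  = 'C:\Certs\exchange.cer'

# 1. Submit (Steps 16-21). The template attribute is what the "Certificate
#    Template: Web Server" dropdown on the web page sets.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile
if (-not (Test-Path $cerFile)) {
    throw 'No certificate returned: the request is probably pending CA manager approval'
}

# 2. Complete the pending request (Step 22). Exchange matches the issued
#    certificate to the private key that New-ExchangeCertificate created.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))

# 3. Assign services (Step 23). -Force answers the "overwrite the default SMTP
#    certificate?" prompt; drop it if you want to be asked.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# 4. Verify. Status must be Valid, CertificateDomains must list every name from
#    the request, and the old self-signed certificate must no longer carry IIS.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, Status, IsSelfSigned, NotAfter

# 5. Export the CA's root certificate. This, not the Exchange certificate, is
#    what non-domain clients and mobile devices need in Trusted Root (Step 24).
certutil -config $caConfig -ca.cert 'C:\Certs\domain-EXCH01-CA.cer'
```

Step 4 is the check to keep: a certificate that shows Status Invalid here usually means the request was signed by a different key (for example the request was generated on another CAS), and IsSelfSigned False on the new entry is the confirmation that this is a CA-issued certificate rather than the default one Exchange created for itself.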
Step 24:
Now we will learn what to install on the client end.
Domain-joined clients already trust an Enterprise CA: its root certificate is published to Active Directory and arrives in the Trusted Root Certification Authorities store through Group Policy, so nothing has to be installed on them. Clients that are not domain members, and mobile devices, need the CA's root certificate (not the Exchange server certificate) in their Trusted Root Certification Authorities store.
Export the CA certificate from the CA server (Certification Authority console, right-click the CA, Properties, General, View Certificate, Details, Copy to File) or download it from the web enrollment home page ("Download a CA certificate, certificate chain, or CRL"), then on the client:
Double-click the CA certificate.
Click Install Certificate – Click Next – choose "Place all certificates in the following store" – Trusted Root Certification Authorities.
Click Next and the import will be successful.
If you built a two-tier PKI (an offline root and an issuing subordinate CA) instead of the single Root CA from Step 9, the subordinate CA certificate goes into Intermediate Certification Authorities and the root above it into Trusted Root Certification Authorities.
The Exchange server certificate itself does not belong in the client's Personal store; Personal is for certificates whose private key this machine holds.
Step 25:
Before
After installing the CA certificate on the client
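Before and after screenshots show IE's verdict but not why. The block below is an added example, not part of the original article, that connects to the CAS from the client that is getting the error and reports exactly what Windows objected to: a name mismatch (the URL is not the CN or a SAN) or a chain that does not end in a trusted root (the CA certificate is missing from Trusted Root). $serverName is an assumption; use the name your users type, not the server's internal FQDN. It needs only PowerShell 2.0 and .NET, so it runs on a non-domain PC with no Exchange tools.

```powershell
# Added example (not from the original article): see the certificate the way IE
# and Outlook see it, from the client that shows the error. $serverName is an
# assumption; use the name users type into the browser.

$serverName = 'mail.domain.com'
$global:policyErrors = [Net.Security.SslPolicyErrors]::None

# Accept whatever the server sends so the handshake completes, but record what
# the Windows certificate engine objected to.
$callback = [Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $global:policyErrors = $errors
    return $true
}

$tcp = New-Object Net.Sockets.TcpClient($serverName, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($serverName)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Issued to : $($cert.Subject)"
"Issued by : $($cert.Issuer)"
"Valid     : $($cert.NotBefore) to $($cert.NotAfter)"

# Subject Alternative Names (OID 2.5.29.17). Every URL clients use must be here.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SANs      : $($san.Format($false))" } else { "SANs      : none, CN only" }

$nameMismatch = [Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$chainErrors  = [Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

if (($global:policyErrors -band $nameMismatch) -ne 0) {
    "FAIL: '$serverName' is not the CN or a SAN of this certificate."
    "      IE shows 'The name on the security certificate is invalid'. Fix: reissue"
    "      with the name added (Step 3), or use a URL that is on the certificate."
}
if (($global:policyErrors -band $chainErrors) -ne 0) {
    "FAIL: the chain does not end in a root this machine trusts."
    "      IE shows 'This certificate cannot be verified up to a trusted CA'."
    "      Fix: import the issuing CA certificate into Trusted Root (Step 24), e.g."
    "      certutil -addstore -f Root C:\Certs\domain-EXCH01-CA.cer  (as administrator)"
    # Rebuild the chain locally to name the missing link.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($cert)
    $chain.ChainStatus | ForEach-Object { "      $($_.Status): $($_.StatusInformation.Trim())" }
}
if ($global:policyErrors -eq [Net.Security.SslPolicyErrors]::None) {
    "OK: IE and Outlook Anywhere will accept this certificate from this client."
}
```

Run it once from a domain-joined PC and once from a standalone one: the first tells you whether the names on the certificate are right, the second whether the CA root has been distributed, which are the two different failures that look identical in the browser.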
Great!!
Now you have learnt how to use an internal Windows CA certificate with Exchange 2010.
Regards
Satheshwaran Manoharan
I like this web site very much. It's a really nice situation to read and incur information.
Thanks Abdul
I like what you guys are up to. Such smart work and reporting! Keep up the excellent work guys, I've incorporated you guys into my blogroll. I think it will improve the value of my site 🙂
I simply want to say I am just very new to blogging and honestly loved your web page. Very likely I'm going to bookmark your site. You amazingly have exceptional stories. Thanks for sharing your blog.
Thank you Mauricio
Wow, that was unusual. I just wrote a really long comment but after I clicked submit my comment didn't show up. Grrrr… well, I'm not writing all that over again. Anyway, just wanted to say excellent blog!
You actually make it seem so easy with your presentation, but I find this topic to be really something that I feel I'd by no means understand. It seems too complicated and very huge for me. I am looking forward to your next post; I'll attempt to get the hang of it!
I have tried my best to make it as simple as possible, Alva.
If you feel you are confused at some point, let me know. I will help you to proceed further.
Thank you
Good write-up. I'm a regular visitor of your site; keep up the nice work, and I'm going to be a regular visitor for a long time.
Hi ,
It is a very good guide and I appreciate it. I followed your guide but I still receive a certificate error on my client side. The only difference is my CA is on my primary DC. Can you help me!
What is the cert error?
Do we have other Exchange versions in the environment?
Hi,
It certainly is very comprehensive but unfortunately, like Dinesh, I also still get a certificate error. The error report is that "This certificate cannot be verified up to a trusted certification authority". When I check using the MMC certificate plug-in the certificate is definitely imported into the trusted root authority, intermediate authority and personal stores – I have tried doing the import at both user and local computer level for these options. Any suggestions will be gratefully accepted – we really cannot afford to go and buy a UCC certificate for this installation.
Thanks,
Graham
Can you check the cert?
Issued to: "Webmail.Domain.com"
and the URL you browse: "Webmail.domain.com/owa"
The above "Issued to" and the URL
webmail.domain.com
should be the same.
If they differ you will get the error.
The certificate shows as issued to ‘mail..com’ , issued by –CA. The URL I am accessing is https://mail..com/owa i.e. the certificate ‘issued to’ domain and the URL are definitely the same.
Also if I try to connect using Outlook Anywhere (which is our real need) I get a message saying ‘the security certificate is not from a trusted certifying authority’, which is pretty much the same error.
Looking in the client certificate stores via MMC the certificate shows as Issued to mail..com, Issued By –CA, valid to 5 Nov 2014, Intended purposes ‘server authentication’, no friendly name and template ‘WebServer’. It is in the personal store, the trusted root CAs, the Intermediate CAs and I also, in desperation, added it to third-party Root CAs. Still doesn’t work
Where can I look next to get this going? I am happy to upload or mail the certificate for you to have a look at if you want me to, just don’t want to publish on the net for obvious reasons :).
Thanks,
Graham
The previous got a bit mangled : to be clear the certificate shows as issued to mail.{domain}.com by an authority {org}-{server}-CA . The URL being accessed is https://mail.{domain}.com/owa .
Thought I should also add that the clients on which I am installing the certificates are NOT members of the domain to which the server issuing them belongs. Is this perhaps of relevance?
Hi Graham
For Outlook Anywhere a self-signed cert won't work. It's by design!!
1. My certificate still doesn’t work for OWA regardless of whether or not it should work for OA.
2. It isn’t a ‘self-signed’ certificate it is a certificate produced by an internal CA. The two are different things. The self-signed certificate is what we replace with the generated one in step 23 – you can see in your own image that the original ‘Microsoft Exchange’ cert is marked in column ‘Self-signed’ as ‘true’ and this locally generated ‘Exchange Cert’ one is ‘false’.
3. If it REALLY won’t work for OA (and I still believe it should) then a) what is the point of doing all this as all you gain is the ability to not have to ignore the certificate error to use OWA and b) you really need to make the article much more clear as to what this process is useful for.
Re: Outlook Anywhere and internal CA certificates:
“With regards to SSL certificate support and Outlook Anywhere, the certificate type that is not supported is the certificate that Exchange generates itself using new-exchangecertificate. A CA issued certificate (whether your own or a commercial) is supported.”
from
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgenerallegacy/thread/4bd74114-d146-44ad-8594-c6b581fef1a1
In addition I have now exported the {org}-{server}-CA from the Trusted Root CA of the server and imported that to the Trusted Root CA of the (non-domain) client. Now OWA works as you describe, as there is a path to a trusted authority. For domain clients they may probably automatically trust the server as it is in the same domain.
The failure on OA has also changed – I am now seeing an 'untrusted certificate error', just an issue with authentication. I will track that down and post the results.
Conclusions so far:
Both OA and OWA should work with an INTERNALLY GENERATED certificate. OWA works with self-signed, OA doesn't.
The title of this article is wrong – it’s not about using a self-signed certificate but an internal CA one – and it’s a very comprehensive guide to that.
Final Update: all working now. The authentication issue appears to have been down to switching to Kernel mode authentication for the various exchange processes at some point.
So to summarise – this detailed guide works for both OWA and OA by using an internal CA certificate, with the proviso that for non-domain member PCs you need to import the issuing server’s CA certificate to the Trusted Root CA store, in addition to the Exchange certificate generated as described here.
Thanks Satheshwaran for creating this guide initially and for our exchange (pardon the pun!) regarding the differences between self-signed and internal CA generated certificates. I hope the clarification will be of value to all readers of this blog.
Regards,
Graham
You are most welcome !!
Hi Graham,
Have Emailed you on this !
A certificate issued by a Windows CA will work with Outlook Anywhere,
but not a self-signed cert.
Thank you!
Hi there, I found your web site via Google at the same time as searching for a related subject, your site came up, it looks great. I’ve bookmarked it in my google bookmarks.
You are very helpful. Keep doing the good work. It inspires junior admins like me.
Sure I Will Mohammed. Thank you for your Comments
Asking questions are in fact good thing if you are not understanding something completely, except this article provides good understanding even.
Thanks man!
Hi Satheshwaran,
Thank you for sharing the knowledge. I was looking for such informative articles. I am trying all sorts of tests to master the Exchange Server domain in my lab environment.
Once again thanks bro!
Thank you for your comments Jaison !
You are always welcome !
On Step 3 you have the domain mail.careexchange.in, but the OWA URL doesn't point to the same address. Rather, it's the FQDN of your Exchange server, which is not correct.
You should be able to log in to OWA using https://mail.careexchange.in/owa
Aren't you able to log in to https://mail.careexchange.in/owa, or are you just mentioning the server FQDN?
Hi Gulab,
I understand. But the internal URL of my server is the FQDN of my server, and the cert has both entries.
So both should work, right?
This unique material you presents in this article is a top-notch and great matter. Captivating strategy and also structure in composition. Keep writing this kind of useful details.
Thank you !
My cert is working on the server but I got an error on the client PC… I have also installed it to Personal, Trusted Root Certification Authorities and Intermediate Certification Authorities… but still got an error with Internet Explorer 9. Kindly guide me.
Facing the same issue as Graham… email me.
Use MMC and try importing the cert, and let me know what happens.
I have done these steps several times, yet now my exchange does not work anymore. Clients can’t connect with web or outlook. So maybe article is helpful but in my case it set me back to the dark ages.
If you had a self-signed cert already, then after doing these steps you have to place the new cert on all your devices.
That's the only situation where connected devices go disconnected, and that's the disadvantage of a self-signed cert.
Thanks for quick reply.
But certificate does not even show on Exchange or in certificates. I confirmed that I do not have that thumbprint anywhere
So how can I revert back… make a normal self-signed certificate and leave things as they were?
Go to an old client and check what cert you had in the past. If you are using the same CA, try using the same cert. Make sure it's not expired.
This is simply superb. . . I love this site 🙂
Thank you for you comments vijay
Thanks for your marvelous posting! I actually enjoyed reading it, you might be a great author. I will always bookmark your blog and will come back in the foreseeable future. I want to encourage you to continue your great writing, have a nice holiday weekend!
Thank you for your comments Jacklyn
Thanks a lot !!!
Welcome Kimi
Hi Satheesh,
First of all great blog! Congrats for that.
I've a query. My self-signed cert for Ex2k10 expired and I've renewed it using the cmdlet
Get-ExchangeCertificate -thumbprint "9XXXXXX" | New-ExchangeCertificate
and removed the expired certificate.
However, I didn't do it through the internal CA which we already have in place.
Now I have to install the cert manually on all clients. I tried to renew the cert again from EMC > Server Configuration, but since the cert is already renewed and valid I am unable to make a cert request out of that.
Is there any way I can renew a valid certificate, or do I have to create a new certificate request in order to create a different certificate through the internal CA? Please advise.
Thanks and Regards,
Nitbinz
Import the certificate directly and assign the services to the imported certificate.
I did it and the certificate is already in place. However, since I couldn't make it with an internal CA, I am unable to put the same in Trusted Root Certificates via Group Policy on client computers.
Now I'm installing it manually on client PCs when I get the cert error.
Is there any way I can put the cert in the client PCs' Trusted Root certificates via GPO?
Regards,
Nitbinz
Excellent Bro..! Pretty much awesome site.. 🙂
Thanks Jay
really good
Hi Satheshwaran,
I wish I had seen this earlier. What a clear step-by-step migration guide from Exchange 2003 to 2010.
I have a question related to generating the CSR code for a new Exchange Certificate.
Let’s say in a migration process (one Exchange2003 and one Exchange2010 scenario) your “Domain name you use to access Outlook Web App internally” in the Client Access server configuration section is servername.child.domain.com while your OWA on the internet is mail.domain.com.
1-What should I put for “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector? I put “mail.domain.com”
I am asking this because by default, if I were to check "Use Hub Transport server for POP/IMAP client submission", the FQDN of the connector turns out to be auto-filled as "child.domain.com,domain.com". Is that how it is also supposed to be for the "Hub Transport server" (Use mutual TLS to help secure Internet mail) FQDN of your connector?
2-Even though I used the following while generating the code (with DigiCert):
a- Outlook Web App as “mail.domain.com”
b-ActiveSync as "mail.domain.com"
c-Autodiscover as “autodiscover.domain.com”
d-legacy as “legacy.motovan.com”
and the names on the certificate are:
http://www.domain.com
mail.domain.com
autodiscover.domain.com
domain.com
Note: The server FQDN (servername.child.domain.com) and child.domain.com were not included on the cert.
the "security alert" window still managed to pop up for some internal users. I am pretty confused why only some people are receiving it and not everyone. However, when I tried to load my own Outlook profile on a new VM, I received the same "security alert" warning which I never received after the certificate was installed from my original PC, putting a red cross at "The name on the security certificate is invalid or does not match the name of the site", referring to servername.child.domain.com.
DigiCert wants me to add the FQDN of the server to resolve the issue. Is there any other alternative, since I left the FQDN of the server out intentionally?
3- Should “child.domain.com” also be included on the certificate.
4-Am I missing DNS entries or extra configurations must be done in IIS?
I am just pretty confused about this. Can you please clarify this for me?
Thanks in advance for this great site.
Very well documented step by step instructions and hugely useful, Thank You.
Wonderful…. everything described very well….. very appreciable.. Thanks
Thank you for your Comments Asif
Awesome issues here. I’m very happy to look your article. Thank you so much and I am having a look forward to contact you.
Will you please drop me an e-mail?
Hi Satheshwaran
How can I configure the self-signed certificate back on my Exchange Server 2010 if something goes wrong with the Windows internal CA certificate configuration you described?
Thanks in advance
You have to redo the same process: create the request, get the cert, apply it again. Until then users will face a cert error.