Wednesday, February 9, 2011

How to install a Certificate in Exchange 2007 CAS Server

Good night to all...
A commercial certificate is only needed if the Client Access server will service client requests from the Internet or to facilitate un-trusted cross-forest communication between Client Access servers.

1. Connect to the server via Remote Desktop and log on with an account that has local administrative access and has been delegated the Exchange Server Administrator role (or higher).

Note:
For more information about using the certificate tasks, see the Exchange 2007 Online Help topic Creating a Certificate or Certificate Request for TLS.

Note:
If generating a certificate that will use Subject Alternative Names, be sure that the certificate's principal name will be the one that the clients (for example, Outlook) will use to connect (for example, mail.contoso.com). In other words, do not list the Autodiscover namespace as the principal name in the certificate.

2. Generate the certificate request by using the following Exchange Management Shell command. The DomainName parameter includes the principal URL, Autodiscover FQDN, and the server FQDN. The FriendlyName parameter matches the principal URL that is used by Outlook Web Access and Outlook Anywhere.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US,o=MyCompany,cn=<Primary Namespace>.mycompany.com" -DomainName <Primary Namespace>,<Secondary Namespace(s)>,<ServerName>,<ServerName>.domain.mycompany.com,<Location Code>NLB.mycompany.com -FriendlyName <Primary Regional Namespace>.webmail.mycompany.com -PrivateKeyExportable:$true -Path c:\cert.txt

Note:
An example of [Full Subject Path] is "c=US, o=Company, cn=CAS01.contoso.com".

Note:
In Windows Vista, the Windows RPC/HTTP client-side component required that the Subject Name (Common Name) on the certificate match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. This behavior was changed in Windows Vista Service Pack 1 (SP1). Nevertheless, as a best practice, make sure that the Subject Name (Common Name) on the certificate matches the "Certificate Principal Name" configured for the Outlook Anywhere connection.

3. Submit the request file to the Certificate Authority (CA) and have the CA generate the certificate.
4. After receiving the certificate, import and enable it by running the following Exchange Management Shell command, where the services list can be POP, IMAP, IIS, SMTP, or a combination:

Import-ExchangeCertificate -Path c:\newcert.cer | Enable-ExchangeCertificate -Services "IIS,IMAP,SMTP"

5. You will be prompted with "Confirm; Overwrite existing default SMTP certificate". Respond "L" for "No to all".

6. To require SSL on the Default Web Site, do the following:
  1. Open Internet Information Services (IIS) Manager.
  2. Expand the Server Node object and the Sites node.
  3. Click the Default Web Site.
  4. In the middle pane, double-click SSL Settings.
  5. Verify Require secure channel (SSL) is enabled.

Note:
If you require 128-bit encryption, also verify that Require 128-bit encryption is enabled.
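As an added post-install check (not part of the original post), the following Exchange Management Shell script verifies on the CAS that the certificate enabled for IIS satisfies the notes above: its Subject CN is the client-facing principal name rather than the Autodiscover namespace, its Subject Alternative Names cover every name clients use, it is not self-signed, and it is not close to expiry. The names mail.mycompany.com and autodiscover.mycompany.com are assumed placeholders; replace them with the namespaces from your own request.

```powershell
# Added check, not from the original post. Run in the Exchange 2007 Management Shell on the CAS.
# Assumed placeholder names; replace with the namespaces used in your certificate request.
$PrincipalName = "mail.mycompany.com"          # name Outlook / OWA clients connect to (Subject CN)
$RequiredNames = @($PrincipalName,
                   "autodiscover.mycompany.com",
                   [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName)  # server FQDN

# The certificate bound to IIS is the one OWA and Outlook Anywhere present to clients.
$certs = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" })
if ($certs.Count -eq 0) { Write-Warning "No certificate is enabled for the IIS service."; return }
if ($certs.Count -gt 1) { Write-Warning "More than one certificate is enabled for IIS; checking the first." }
$cert = $certs[0]
$problems = 0

# 1. Subject CN must be the principal name, never the Autodiscover namespace.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $PrincipalName) { Write-Warning "Subject CN is '$cn', expected '$PrincipalName'."; $problems++ }
if ($cn -like "autodiscover.*") { Write-Warning "Subject CN is the Autodiscover namespace."; $problems++ }

# 2. Every name clients use must appear in the Subject Alternative Names.
#    CertificateDomains is the SAN list as Get-ExchangeCertificate reports it.
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
foreach ($name in $RequiredNames) {
    if ($sans -notcontains $name) { Write-Warning "Certificate does not cover '$name'."; $problems++ }
}

# 3. A self-signed certificate is not trusted by Internet clients (see the opening note).
if ($cert.Issuer -eq $cert.Subject) { Write-Warning "Certificate is self-signed."; $problems++ }

# 4. Expiry: warn well before clients start failing TLS validation.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))."; $problems++ }

"Thumbprint $($cert.Thumbprint): CN=$cn; services=$($cert.Services); $problems problem(s) found."
```

Run it after step 5, before exposing the server to Internet clients; any warning means the request in step 2 or the Enable-ExchangeCertificate call in step 4 needs to be revisited.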
