Exchange 2007 & Exchange 2010 UC/SAN Certificate
Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer
Original Creation Date: May, 2009, Posted Aug, 2009 – Edited on various dates, latest edit on 11/2/09.
9/6/2009 – For syntax, and added SBS2008 SSL information on 9/6/2009 (as noted below with timestamp).
9/19/2009 – Added additional SBS SSL certificate link (as noted below by timestamp).
9/24/2009 – Added additional link (as noted below by timestamp).
9/30/0209 – Added an Exchange certificate how-to step by step (as noted below by timestamp).
10/14/2009 – Added info about adding a UC/SAN cert in Windows, added info about Exchange 2010, changed title to reflect Exchange 2010
This topic goes into understanding the differences between certificate requirements in Exchange 2007 than what you’re used to with previous Exchange versions.
Getting a certificate for Exchange 2007 is a little different than Exchange 2003 or a simple website. Exchange 2007 requires a UC/SAN (Unified Communications – Subject Alternative Name). This type of cert supports multiple names, which Exchange 2007 requires, especially to include support for Outlook 2007 Autodiscover record.
If asking about Exchange 2010, it was changed so all of this is GUI based. You can actually use the steps outlined in this blog since the commands are the same, or just use the GUI. There’s more on Exchange 2010 at Digicert in their step by step with screenshots. They even created a video how-to:
How to generate a CSR for Microsoft Exchange 2010
Exchange 2007 Single Name certificate (not using a UC/SAN certificate)
For SBS 2003 and SBS 2008 installations that decide to use a single name cert (just to get this out of the way before I get to the good stuff below)
Yes, this can be done, but it will not work for the autodiscover feature. If the internal domain name is the same as the external, it will work find internally. That is kind of an exception to the rule. I just did this for one client, and everything’s working fine, OWA, Outlook and Windows Mobile devices. Just follow the rules to create the cert, but only put one name in it.
However it is possible to use a single named SSL certificate, as was used in Exchange 2003 and basic web sites, however I’ve found with the UC/SAN cert that it accommodates Outlook 2007’s Outlook Anywhere and auto-connect features. You can read about using a single named, standard SSL certificate with SBS 2008 in the following links. Just keep in mind with SBS, you must use the wizards to set this up. If you have SBS, read the following, if not, please move on to the info below).
SeanDaniel.com – Small Business Server and Other Technology: Installing a GoDaddy Standard SSL Certificate on SBS 2008:
(Edit: The following link was added 9/19/09 12:19AM EST)
Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008
Edit: Added 9/30/09
Error messages when you try to synchronize a Windows Mobile 5.0-based mobile device to Exchange Server 2003 on a Windows SBS 2003-based computer
SBS 2008 – Introducing the Internet Address Management Wizard: Part 1 of 3
SBS 2008 – Introducing the Internet Address Management Wizard: Part 2 of 3
SBS 2008 – Introducing the Internet Address Management Wizard: Part 3 of 3 (has info about certs and autodiscover)
Windows Mobile Clients using ActiveSync
Before going further, if you are not sure if your Exchange 2007 installation is setup properly for outside clients, whether they would be Outlook 2003, Outlook 2007, or Mobile handhelds using ActiveSync, please visit the following Microsoft Exchange Connectivity Test site. It will provide a report on where things fail if there are any issuess:
Microsoft Exchange Server Remote Connectivity AnalyzerSelect the test you want to run.
ActiveSync & iPhones
Edit: Added 11/2/09
How To Set Up iPhone Exchange ActiveSync
If having difficulties, use the Exchange Server ActiveSync Web Administration Tool:
Microsoft Exchange Server ActiveSync Web Administration Tool
iPhone 3G won’t Sync with Exchange in Windows Small Business Server General:
The little known and dreaded UCC/SAN Certificate
The advantage and features of a UC/SAn cert is it allows you to create multiple names in the certificate. Note, this is not a wildcard certificate that will allow you to use any or an infinite number of names. Exchange 2007 does not work with such a certificate. It will, as mentioned, work with a single name certificate, if so desired to save money on the certificate prices, but I’ve found it beneficial to use a UC/SAN certificate for the multiple names that an Exchange server will use for clients.
The four main names I recommend adding to the cert when creating the request file are:
mail.company.com (the external FQDN name used to access OWA)
autodiscover.company.com (used for Outlook 2007 Outlook Anywhere’s autoconnect feature)
internalname.internaldomain.com (what Outlook Anywhere and DSProxy uses over RPC/HTTPS used to connect to Exchange)
internalname (the NetBIOS name of the Exchange 2007 server)
The internalname.internaldomain.com is what Outlook Anywhere and DSProxy uses over RPC/HTTPS that’s used to connect to Exchange 2007.
The autodiscover.company.com is used by Outlook 2007’s Outlook Anywhere autoconfiguration feature.
If you go to the following site, they offer complete instructions on how the request works along with a web-based tool to configure and create a certificate request command to be used in the Exchange Management Shell in Exchange 2007. I’ve found this feature very convenient.
DigiCert’s Exchange 2007 CSR Tool
Once it creates the command for you, you can use it to create the request in your Exchange 2007 server, then submit the request file to the certificate authority. You canfind a full step-by-step at the following link to a blog created by Simon Butler, aka Sembee, a Microsoft Exchange MVP. I highly recommend reading his article, in the following link.
Exchange 2007 and SSL Certificates – Take 2, by Simon Butler, aka Sembee, a Microsoft Exchange MVP, This is a complete step-by-step. Sembee provides instructions on how to use Digicert’s wizard to create the request file with the names that you’ve chosen and pre-created in DNS, that you will need to generate the request command you will need in order to run in your Exchange Managment Shell, (by copying and pasting it from Digicert’s wizard into the Exchange Management Shell). When you receive the response back from Digicert (the cert itself), save it to as a text file, then use the Import-ExchangeCertificate command to import it into Exchange. Complete step-by-step:
You can also use a third party GUI for PowerShell if you are not familiar or comfortable with PowerShell.
Welcome to PowerGUI.org – a free community for PowerGUI, a graphical user interface and script editor for Microsoft Windows PowerShell!
Note – I’ve been using DigiCert to purchase this type of certificate for my customers. However, keep in mind, I am not trying to push this company’s certificate on anyone. I’ve just found it easy to use, especially with the wizard and the step-by-steps at their site, as well as less expensive than other CAs (certificate authorities), which may have other stipulations and requirements when requesting a UC/SAN certificate. It also works very well with Windows Mobile 5 and 6 without problems. Please check the other companies, such as Verisign, Thwate, InstanSSL, etc, to compare.
How to add additional names to a SAN certificate in Windows
Creating “Wildcard” Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin
UCC Certificates, IIS and GoDaddy.com
Things to consider choosing an internal AD DNS domain name if using Exchange 2007
Please keep in mind, your name, company name, etc, whatever name you put on the cert (based on the domain name), a WHOIS on your domain name must have this exact information at the domain registrar when you registered your public domain name. If the names of your company and Administrative Contact are not the same, or any Contact information, they will not issue the certificate. This is a strict requirement by the certificate authorities. You can call them if more specific info about this.
Be careful that the internal name, is a publicly registered name that may be regsitered to someone else. This means whatever name you;ve chosen for your internal AD DNS name, be aware of the TLD you’ve chosen. You do not want to choose one that is already in use by another entity. Reason is it will cause due confusion, and will create problems if you were to get an Exchange 2007 UC/SAN certificate and adding a name for the internal namespace on the certificate.
If you choose a TLD for the internal AD domain name, make sure it just doesn’t happen to belong to someone else. This of course, may have been unintentional. A good example is if you’ve chosen your internal AD DNS name to be ksi.net, (because the three letters are abbreviations for your companyname), and when you attempted to use that name with a UC/SAN request, the CA responds that they can’t match your name to ksi.net. You come to find that ksi.net is an actualy public name that was registered by someone in Korea. So now you can’t use that name for the internal AD domain name and can’t use the names, such as your exchangename.ksi.net. Therefore you are faced wtih an internal AD domain name rename task.
The point is, make sure your internal AD name is name is not registered by an actual entity other than you, or the CA will not approve it. In one sentence, please make sure never to use a internal domain with a suffix same as existing TLD (Top-level domain name such as com, net, edu, etc), unless you will register it as your own. One good example is if your external name is domain.com, register domain.net as well, and use that for the internal AD domain name. Whatever TLD you choose, make sure it does not exist as a current public name.
Technically speaking, you can also use the same name for the internal domain and the external domain. However, this method is not recommended. You may encounter following possible issues that you may have to perform a domain rename in the future. Not something that one desires to do.
Internal Domain Name naming guidelines summarized
1. If you name the internal domain the same as your Internet public domain name, in some time domain internal client will get the domain external IP (resolved from external domain name). In the scenarios that you also have published Exchange Server to receive external mails, the issue will be much more complicated. A sample issue:
Same Internal and External Domain Name
2. Worse, if your internal AD DNS domain name is registered by others, the certificate request will never get approved by the CA.
Guidelines for the Autodiscover record
In your public zone, create an ‘autodiscover’ record under the public domain name.
To alleviate errors with Outlook Anywhere, you can create a DNS Service Location (SRV) records to locate the Exchange Autodiscover service. If not, errors will generally happen when the SRV record for the domain for autodiscover is missing. In this issue that internal Outlook users receive the error, you may check whether the _autodiscover SRV record exists in the domain zone.
The record looks like:
TLDs (Top Level Domain Names) – Be careful what you choose for your internal AD DNS domain name
Generic top-level domains that you should be aware of when choosing an internal name. Just to be clear, if you choose any one of these as a TLD, I suggest to purchase the name at the registrar to avoid certificate issues.
biz .com .info .name .net .org .pro .aero .asia .cat .coop .edu
gov .int .jobs .mil .mobi .museum .tel .travel
Country-Code Top-Level Domains that you want to be careful choosing, especially if someone else owns it on the internet. You’ll never get the cert approved if it is owned by someone else, despite the argument that “it’s my internal domain name…”
ac .ad .ae .af .ag .ai .al .am .an .ao .aq .ar .as .at .au
aw .ax .az .ba .bb .bd .be .bf .bg .bh .bi .bj .bm .bn .bo
br .bs .bt .bw .by .bz .ca .cc .cd .cf .cg .ch .ci .ck .cl
cm .cn .co .cr .cu .cv .cx .cy .cz .de .dj .dk .dm .do .dz
ec .ee .eg .er .es .et .eu .fi .fj .fk .fm .fo .fr .ga .gd
ge .gf .gg .gh .gi .gl .gm .gn .gp .gq .gr .gs .gt .gu .gw
gy .hk .hm .hn .hr .ht .hu .id .ie .il .im .in .io .iq .ir
is .it .je .jm .jo .jp .ke .kg .kh .ki .km .kn .kp .kr .kw
ky .kz .la .lb .lc .li .lk .lr .ls .lt .lu .lv .ly .ma .mc
me .md .mg .mh .mk .ml .mm .mn .mo .mp .mq .mr .ms .mt .mu
mv .mw .mx .my .mz .na .nc .ne .nf .ng .ni .nl .no .np .nr
nu .nz .om .pa .pe .pf .pg .ph .pk .pl .pn .pr .ps .pt .pw
py .qa .re .ro .rs .ru .rw .sa .sb .sc .sd .se .sg .sh .si
sk .sl .sm .sn .sr .st .sv .sy .sz .tc .td .tf .tg .th .tj
tk .tl .tm .tn .to .tr .tt .tv .tw .tz .ua .ug .uk .us .uy
uz .va .vc .ve .vg .vi .vn .vu .wf .ws .ye .za .zm .zw
Related Links and how-to articles
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
Certificates for Exchange (This is a CA site that I haven’t used, but thought to provide it)
Unified Messaging Requires the Server Name in the SSL Certificate
Exchange 2007 with a Single Name SSL Certificate
More on SSL Certificates with Exchange 2007 – (supported uses)
Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: “The name of the security certificate is invalid or does not match the name of the site”
Outlook 2007 and Exchange 2007 Certificate issue
Exchange 2007 Autodiscover and Certificates:
Error messages when you try to synchronize a Windows Mobile 5.0-based mobile device to Exchange Server 2003 on a Windows SBS 2003-based computer
How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
More on Exchange 2007 and certificates – with real world scenario
Certificate error with Outlook 2007 clients to Exchange 2007 server
Default Self-Signed certificate use and generation
Exchange 2007 certificate request and issue steps
Exchange 2007 Autodiscover and certificates
Exchange 2007 certificate generation command: New-ExchangeCertificate
Exchange 2007 Certificates How-To and Example
This little tutorial is based on using DigiCert’s wizard to help you request a cert. Not all CAs have such a wizard, but you can actually use their wizard to generate a request file that will be valid to use at any other CA.
First, go to DigiCert’s site to generate a request file and command. Digicert’s wizard will help at the following link:
DigiCert Exchange 2007 Certificate Request Wizard and
The following is an example that DigiCert’s wizard will create for you:
New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourDomaname_com.csr -KeySize 2048 -SubjectName “c=US, s=DE, l=City, o=Company Name Inc, ou=Information Technology, cn=mail.yourDomainName.com” -DomainName mail.yourDomainName.com, autodiscover.yourDomainName.com, mail-mx-01.yourDomaname.local, mail-mx-01 -PrivateKeyExportable $True
Then once the command is run, it creates the certificate request c:\mail_yourDomaname_com.csr. Open this file with Notepad.
Copy and paste everything in the file, and paste it in the correct location following DigiCert’s instructions when filling out the forms.
Once submitted, along with credit card info, etc, DigiCert will validate the company name that is requesting the certificate is actually the company name that the public domain name is registered to. They use a WHOIS search to check.
You can use any one of the registrars’ WHOIS search feature to run it yourself. Run a WHOIS on your public name to insure that the name returned in the results matches the name of your company, including contact information.
If your domain info is completely hidden, you may have to unhide it for them to validate it. If most of it is hidden, including all email address contacts, except the company name, they will at least use the company name as part of the validation. However to complete the validation, they will send an email to one of the following: email@example.com, firstname.lastname@example.org, email@example.com or firstname.lastname@example.org. When you receive the email, simply agree to the terms, sign your name that you used in the request form, click submit. In about 10 minutes you will receive the actual certificate by email in a zip file.
Once you’ve received the cert, open the zip file, and copy the CSR file to the C: drive. Then run the import command:
Import-exchangecertificate –path c:\mail_trainwithksi_com.csr
[PS] C:\Windows\System32>Import-exchangecertificate -path c:\mail_yourDomainName_com.cer
Thumbprint Services Subject
———- ——– ——-
EF9CC2BD6546716ADA4AC744F8C30B65EC9C2D98 ….. CN=mail.yourDomainName.co…
Now you can enable the cert for other uses, such as IMAP, POP, UM, IIS, and SMTP. To enable it for OWA, using the IIS option will take care of that.
To run the command to enabled it for other services, you need the certificate thumbprint. To retrive the thumbprint:
You can combine the services into one command, once you have the correct thumbprint, with the following command:
[PS] C:\Windows\System32>Enable-exchangecertificate -services IIS, SMTP, IMAP, POP -thumbprint EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98
Overwrite existing default SMTP certificate,
‘580C47D434EB3AEC0C6330037D1E77701313F654′ (expires 3/15/2010 1:17:43 AM), with
certificate ‘EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98′ (expires 10/4/2010
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):
Once that is run, you can confirm that the certificate is being used for the services you requested by the following command:
Thumbprint Services Subject
———- ——– ——-
EF9CC2BD6546716ADA4AC744F8C30B6D4C9C2D98 IP.WS CN=mail.yoruDomain.c…
580C47D434EB3AEC0C6330037D1E77701313F654 ….S CN=mail-mx-01
0459E4ADFFB68289325650740C009DB772D4E5FE ….S CN=mail-mx-01
B91E0E815163FF9E677E771225005CC2273FF886 ….. CN=WMSvc-mail-mx-01
Or you can simply connect to OWA externally using the FQDN. If it doesn’t prompt to trust the certificate, it worked.