Step by Step adding SSL certificate to Exchange Server and Windows Mobile devices

In this article I will show how you can get and install an SSL certificate on your Exchange Server and on Windows Mobile devices.

SSL certificates provide encryption of the e-mail connection between the Exchange Server and Windows Mobile devices, protecting important and confidential corporate data from unwanted access.

Some of my clients have been facing difficulties in choosing the correct certificate authority and in deciding whether they should use self-signed certificates or certificates from third-party CAs.

While self-signed certificates are free, you should consider them only in two circumstances: for testing, or for providing internal services.

Third-party certificates can be used in most cases, and are especially appropriate if you or your company provide services such as e-mail to external clients.

STEP 1: Preparing the certificate request

Note: All of the following steps and operations must be performed using an administrator account.

Your first task is to prepare the certificate request using Internet Information Services (IIS).

1- Open IIS and expand the tree until you find the “Default Site” or the site where you installed the Exchange Server services;

2- Right-click on the “Default Site” and choose “Properties”;

3- Next go to the “Directory Security” tab and click on “Server Certificate”;



4- The request wizard should now come up: choose the option “Create a new Certificate” and press “Next”;

5- On this screen choose “Prepare the request now, but send it later”;



6- Click “Next” again and write the name of the certificate (this name should be easy to identify);

7- Click “Next” again and enter your company name and department, which will help later in identifying the certificate and its rightful owner, and click “Next”;

8- This step is critical: here you must enter the valid DNS name of your server. Remember you must have the DNS entries that match the name you enter here; otherwise your device will not sync.

9- Click “Next” and in this screen choose your location and country;

10- Finally, name your certificate request file and save it on your hard drive, review the request information and click “Finish”.

STEP TWO: Submit the certificate request to a Certification Authority

There are several CAs available on the market nowadays, so you are free to make your own choice. I mainly use one or two companies which I have learned to trust. One of them is RapidSSL, which has a great 30-day free trial certificate you can test-drive for yourself.

Note: The following examples are based on their certificates, so if you use another CA some steps might be different.


1- Go to www.rapidssl.com and choose “Free SSL” / “Try before you buy” and afterwards click “Free Trial”.

2- Confirm the selected FreeSSL product and click “Next”.

3- On the next window you are asked to insert the certificate signing request (CSR). In the “Insert CSR” box you should paste the text generated by IIS when you prepared the certificate request, so browse to the location where you saved it; by default the file is named “certreq.txt”.

4- Open the txt file and copy all of its contents into the RapidSSL form:

5- Once you submit this form, a confirmation e-mail is sent to the domain administrator, so it is important that you have access to one of the e-mail accounts suggested, typically administrator@domainname.domain.

6- One of the most interesting steps this CA takes to verify ownership is that you must receive an automated call in which you must provide a code that is generated on the RapidSSL site.

7- After this step a security e-mail is sent to verify the ownership of the domain, in which you or the domain admin must confirm that you agree to the certificate creation.

8- If all validation and security steps are performed correctly you should receive an e-mail containing the certificate. Some CAs send you a link to download the certificate or attach it to the e-mail; RapidSSL, for this service, has opted to include the certificate in the body of the message, so simply copy the text and paste it into a new text document using for example Notepad. When you save the document you must give it the *.cer file type.


THIRD STEP: Importing and activating the certificate

Now that our certificate is in our hands we must apply it to the Exchange server. In order to do so, we must first import the certificate and then activate it in our system. There are two ways of doing this: one uses IIS, the other uses cmdlets in the Exchange Management Shell. I will show how to do this using the latter.

1- First open the EMS: “Start, All Programs, Microsoft Exchange Server 2007”, then choose “Exchange Management Shell”.



2- Once the command line is visible, type the following:

Import-ExchangeCertificate -Path "c:\certnew.cer"

and:

Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services:"SMTP,IIS"

In order to know the thumbprint, double-click the certificate file, go to “Details” and select “Thumbprint”. Then copy the thumbprint with CTRL+C and paste it on the command line.



If all goes well you should see something like this:



3- In order to check that all went well in the previous steps you can go to IIS and see whether the certificate has been correctly installed and is now active for the selected website.

Another way to check is by opening Internet Explorer and navigating to your domain. If all is well it will not open over plain HTTP, so add an “s” to the URL so that it reads “https://”; this indicates you are accessing the website over a secure connection.
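As an added example (not the article's own commands), the following Exchange Management Shell script performs the import and enable steps above, but takes the thumbprint from the imported object instead of the Details tab and checks, before enabling, that the certificate carries the DNS name entered in step 8 of STEP 1, is not expired and has its private key. The file path and mail.example.com are placeholders, and Exchange 2007 cmdlet syntax is assumed.

```powershell
# Added example, not from the original article. Exchange 2007 EMS syntax is assumed.
$certFile = "C:\certnew.cer"      # the .cer saved from the CA's e-mail (STEP TWO, step 8)
$dnsName  = "mail.example.com"    # placeholder: the DNS name entered in STEP 1, step 8

# Import-ExchangeCertificate outputs the imported certificate, so the thumbprint
# can be read from the object instead of being copied out of the Details tab.
$cert = Import-ExchangeCertificate -Path $certFile

# Checks before enabling. A CA-issued .cer carries no private key of its own; Exchange
# pairs it with the key created by the IIS request wizard, so HasPrivateKey must be true.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($domains -notcontains $dnsName) {
    throw "Certificate covers '$($domains -join ', ')', not $dnsName; devices will refuse to sync"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}
if (-not $cert.HasPrivateKey) {
    throw "No private key: import the .cer on the server where the request was generated"
}

# Bind the certificate to the services the devices use: IIS (ActiveSync, OWA) and SMTP.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Verify: the certificate bound to IIS should now be ours, with IsSelfSigned False.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services, IsSelfSigned
```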




FOURTH STEP: Exporting the certificate

Now all we have to do is obtain and apply the certificate on the Windows Mobile device, so we must export the certificate in a form that will work on a Windows Mobile device:


1- Go to “Start”, “Run”, and write “mmc”.

2- In the new management console go to “File”, “Add/Remove Snap-in…”.

3- In the Add Standalone Snap-in window choose “Add” and select “Certificates”.

4- Choose “Computer account” and click “Next”.

5- Choose “Local Computer”, click “Finish” and then “Close” and “OK”.

6- In the certificates window browse to “Trusted Root Certification Authorities” and locate the certificate you installed.

7- Right-click on the certificate and choose “All Tasks” and “Export…”.

8- The Certificate Export Wizard should open. Now you must select the type of file to create: choose “PKCS #7” with the extension .P7B.

9- Do not forget to select the option “Include all certificates in the certification path if possible”.

10- Click “Next” and save the certificate.
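To produce the same PKCS #7 bundle from a script instead of the MMC wizard, here is an added PowerShell example (not from the original article). It looks for the server certificate in both the Personal and Trusted Root stores of the Local Computer, builds the certification path the way the wizard's “include all certificates” option does, and writes leaf, intermediates and root to a .p7b file; $dnsName and the output path are placeholders.

```powershell
# Added example, not from the original article. Run on the Exchange server as an administrator.
$dnsName = "mail.example.com"        # placeholder: the DNS name in the certificate's subject
$outFile = "C:\exchange-chain.p7b"   # placeholder output path

# IIS keeps the server's own certificate in Personal ("My"); the article exports from
# Trusted Root ("Root"), so search both Local Computer stores for an unexpired match.
$found = $null
foreach ($storeName in "My", "Root") {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
    $store.Open("ReadOnly")
    $found = $store.Certificates |
        Where-Object { $_.Subject -like "*CN=$dnsName*" -and $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
    $store.Close()
    if ($found) { break }
}
if (-not $found) { throw "No valid certificate for $dnsName in Local Computer\My or \Root" }

# Build the chain as the wizard does. If it cannot be built here, the device will not be
# able to validate it either, so install the missing intermediate/root before exporting.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # offline build; only the path is of interest
if (-not $chain.Build($found)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certification path for $dnsName is incomplete"
}

# Collect leaf + intermediates + root into one PKCS #7 bundle (public parts only, no private key).
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }
$bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7)
[System.IO.File]::WriteAllBytes($outFile, $bytes)

Write-Host ("Exported {0} certificate(s) to {1}:" -f $bundle.Count, $outFile)
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

The resulting .p7b is what you copy to the device in the next step; the private key never leaves the server.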






FIFTH STEP: Installing the certificate on the Windows Mobile device and configuring EAS

We should now copy the exported certificate to the device, either by including it in a CAB installation file, sending it via e-mail or copying it to a storage card.


1- Once the certificate is on the device you must tap on it in order to install the certificate onto the device’s certificate library.



For Windows Mobile 6 and 6.1 certificate installation is quite simple: after tapping the certificate you should see the confirmation box that it has been installed successfully.




Our last task is configuring Activesync on the device to synchronize with our Exchange server:



You should have no problem syncing information with your server using a secure connection.

The process is very much the same for self-signed certificates, with the exception that the CA is inside your organization, so you must install a Certification Authority (Windows Certificate Services) on one of your domain servers.

24 thoughts on “Step by Step adding SSL certificate to Exchange Server and Windows Mobile devices”

  1. You are quite welcome Mark.
    I hope to post some more findings and tutorials on Exchange pretty soon.

    Regards:
    Nuno

  2. I have a client with a Samsung i617 Windows Mobile 6.1 standard, not touchscreen. They use Exchange 2007 and a RapidSSL certificate. OWA works perfect from the desktop. I export the cert (I’ve tried all the formats) and move it to the phone. However, when I browse to the location where the SSL cert is on the phone, the option to install it is greyed out, there is no option at all to do anything with the cert. Any ideas?

  3. Hi Jason,

    What is the certificate’s extension?
    Have you tried tapping it from file explorer?
    On Windows Mobile 6.1 devices it should automatically get installed to the proper certificate store.

    Regards
    Nuno

  4. Great article. I have an HTC touch pro that kept puking at the cert from my ITS dept. They had exported it in .cer format. Followed your guide to export in a different format and it works now. Thanks!

  5. I have a Samsung Omnia i910 with Mobile 6.1. I have been syncing with exchange server 2003 since I got my device. Last week my server administrator updated our SSL certificate and my phone no longer syncs. How can I correct this?

  6. I have SSL require set on my IIS on my Exchange 2007 box, and i have the checkbox checked on my mobile device. I’ve installed the cert how you described however it still give me the error: The microsoft exchange server requires a personal certificate to log on.

    I do notice that in certificates there is intermediate and root certificates but no personal. Could there be an issue here?

    Thanks

  7. Great article. I had tried everything but could not make my synch work. I was exporting the certificate in the binary format. I changed it as per your instruction and now it works beautifully.

    Thanks for an excellent tutorial.

  8. Thanks this worked, but had to export from personal certificates. Trusted only had major root vendors not my owa certificate.

  9. A problem:
    I have a self signed cert. But, my mail server, locally is “mail.xxxx.com”. However, externally, you approach it through “https://mail.xxxx.country code” . Now, if I enter .com as dns name of server in cert., all Outlook’s and outlook express’s work normally. But my HTC touch pro2 reports that mail server name is different to real mail server name and refuses to sync (cert. is imported). No wondering there, it cannot see .com. But if I enter “.county code”, phone works fine, but every time I run outlook or outlook express on the network, I get a warning that server name in cert. is different to real server name (which in this case is .com). Due to this I also get a lot of failure logins in event viewer. So how this is solved? Possibility to have two certificates, one for internal network, another for external devices? I tried entering two, but only one seems to be valid at a time.

  10. When I install the certificate it goes to my intermediate certificate directory. Is there any way I can move that certificate to root or to personal? I use Blackjack 2 with Windows Mobile 6. Thanks

  11. I have a HTC HD2 Windows 6.5 mobile.
    I have recently installed new exchange server certificate and it installed fine. However in the root the old certificate which expired is still there. This is causing problem during sync of my mails.

    Is there way to remove the certification installed in root of mobile device?

  12. Suresh

    Press the line and hold it for seconds, will give you an option to remove the certificate. I don’t know if you had tried this.

  13. Excellent post. I was checking continuously this blog and I’m impressed! Very useful information. I was looking for this kind of information from a very long time. Thank you and good luck.
