In this article I will show how you can obtain and install an SSL certificate on your Exchange Server and on Windows Mobile devices.
SSL certificates encrypt the e-mail connection between the Exchange Server and Windows Mobile devices, protecting important and confidential corporate data from unwanted access.
Some of my clients have been facing difficulties in choosing the correct certificate authority and in deciding whether they should use self-signed certificates or certificates from third-party CAs.
While self-signed certificates are free, you should consider them only in two circumstances: for testing, or for providing internal services.
Third-party certificates can be used in most cases, and especially if you or your company provide services such as e-mail to external clients.
STEP ONE: Preparing the certificate request
Note: All of the following steps and operations must be performed using the administrator account.
Your first task is preparing the certificate request using Internet Information Services.
1- Open IIS and expand the tree until you find the “Default Site” or the site where you installed the Exchange Server services;
2- Right click on the “Default Site” and choose “Properties”;
3- Next you must go to the “Directory Security” tab and click on “Server Certificate”;
4- Now the request wizard should come up and you will choose the option “Create a new Certificate” and press “Next”;
5- On this screen choose “Prepare the request now, but send it later”;
6- Click “Next” again and write the name of the certificate (this name should be easy to identify);
7- Click “Next” again and enter your company name and department, which will help later on in identifying the certificate and its rightful owner, and click “Next”;
8- This step is critical: here you must enter the valid DNS name of your server. Remember you must have the DNS entries that match the name you enter here, otherwise your device will not sync.
9- Click “Next” and on this screen you must choose your location and country;
10- Finally, name your certificate request and save it on your hard drive, review the request information and click “Finish”.
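The same request can be produced from the Exchange Management Shell instead of the IIS wizard. The following is an added example, not code from the original article; the host names, organisation fields and file path are placeholders, and the -Path parameter is the Exchange 2007 form of the cmdlet (later versions write the request to the pipeline instead).

```powershell
# Added example (not from the original article): generate the certificate
# request from the Exchange Management Shell. Host names, organisation
# fields and the output path below are placeholders.
$externalName = "mail.example.com"            # must resolve in public DNS (step 8)
$autodiscover = "autodiscover.example.com"    # optional extra name, placeholder
$requestPath  = "C:\certreq.txt"

# New-ExchangeCertificate -GenerateRequest writes a PKCS#10 request file and
# keeps the matching private key in the local machine store. -DomainName adds
# Subject Alternative Names, so a device can connect using any listed name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Corp, ou=IT, cn=$externalName" `
    -DomainName $externalName, $autodiscover `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $requestPath

# Check the request before sending it to the CA: the subject CN and the DNS
# names must contain the name the devices will connect to, or sync fails later.
certutil -dump $requestPath | Select-String -Pattern "CN=", "DNS Name="

# The contents of this file are what gets pasted into the CA's CSR form.
Get-Content $requestPath
```

Keep -PrivateKeyExportable set to $true if you intend to move the certificate to another server later; the request file itself contains no private material and is safe to paste into the CA's web form.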
STEP TWO: Submit the certificate request to a Certification Authority
There are several CAs available on the market nowadays, so you are free to make your own choice. I mainly use one or two companies which I have learned to trust. One of them is RapidSSL, which offers a 30-day free trial certificate you can test-drive for yourself.
Note: The following examples are based on their certificates, so if you use another CA some steps might be different.
1- Go to www.rapidssl.com and choose “Free SSL” / “Try before you buy” and afterwards click “Free Trial”.
2- Confirm the selected FreeSSL product and click “Next”.
3- On the next window you should see a screen where you are asked to insert the certificate signing request. In the “Insert CSR” field you should paste the text generated by IIS when you prepared the certificate request. Therefore you must browse to the location where you saved the certificate request, which by default is named “certreq.txt”.
4- Open the txt file and copy all of its contents into the RapidSSL form.
5- Once you submit this form, a confirmation e-mail is sent to the domain administrator, so it is important that you have access to one of the suggested e-mail accounts, typically email@example.com.
6- One of the most interesting steps of this CA, for verification of ownership and for security reasons, is that you must receive an automated call in which you must provide a code that is generated on the RapidSSL site.
7- After this step a security e-mail is sent to verify the ownership of the domain, in which you or the domain admin must confirm that you agree to the certificate creation.
8- If all validation and security steps are performed correctly you should receive an e-mail containing the certificate. Some CAs might send you a link to download the certificate or attach the certificate to the e-mail. RapidSSL, for this service, has opted to include the certificate in the body of the message, so you should simply copy the text and paste it into a new text document using, for example, Notepad. When you save the document you must specify the file type as *.cer.
STEP THREE: Importing and activating the certificate
Now that our certificate is in our hands we must apply it to the Exchange server. In order to do so, we must first import the certificate and then activate it in our system. There are two ways of doing this: one is using IIS, the other uses cmdlets in the Exchange Management Shell. I will show how to do this using the latter.
1- First you must open EMS: “Start, All Programs, Microsoft Exchange Server 2007”, choose “Exchange Management Shell”.
2- Once the command line is visible type the following (replace [thumbprint] with the thumbprint of your certificate):
Import-ExchangeCertificate -Path "c:\certnew.cer"
Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "IIS, SMTP"
In order to find the thumbprint, double-click the certificate file, go to the “Details” tab and select the “Thumbprint” field. Then copy the thumbprint with a simple CTRL+C and paste it on the command line.
If all goes well you should see something like this:
3- In order to check that all went well in the previous steps you can go to IIS and see whether the certificate has been correctly installed and is now active for the selected website.
Another way to check is by opening Internet Explorer and navigating to your domain. If all is well it will not open over plain http. So you must add an “s” to the URL so that it reads “https://”; this indicates you are accessing the website using a secure connection.
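The import, activation and check above can be done in one Exchange Management Shell session without copying the thumbprint by hand, and the final test connects the way a device would instead of relying on the browser. This is an added example, not code from the original article; the file path and host name are placeholders, and the try/catch and New-Object -Property syntax assume Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original article): import the CA-issued
# certificate, enable it for IIS and SMTP, then confirm what the server
# actually presents on port 443. Path and host name are placeholders.
$certFile = "C:\certnew.cer"
$hostName = "mail.example.com"

# Sanity-check the pasted .cer before touching Exchange: it must parse and
# carry the DNS name from the request. A bad copy/paste fails here, not later.
$parsed  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
$dnsName = $parsed.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $hostName -and $parsed.Subject -notlike "*CN=$hostName*") {
    throw "Certificate '$($parsed.Subject)' does not cover $hostName"
}

# Import-ExchangeCertificate pairs the .cer with the private key created by the
# request and returns the certificate object, so its thumbprint can be reused.
$cert = Import-ExchangeCertificate -Path $certFile
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS, SMTP"

# Verify the service assignment and every name the certificate covers.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotBefore, NotAfter, Thumbprint

# Perform a TLS handshake like a client would and report the served certificate.
function Test-SslEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # AuthenticateAsClient throws if the chain is untrusted or the name
        # does not match; those are the same conditions a device rejects.
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $served.Subject
            Issuer     = $served.Issuer
            Thumbprint = $served.Thumbprint
            Expires    = $served.NotAfter
        }
    } finally {
        $client.Close()
    }
}

Test-SslEndpoint -HostName $hostName
```

If Test-SslEndpoint throws while the Get-ExchangeCertificate output looks right, the usual causes are the IIS site still holding the old certificate binding or a name mismatch between the certificate and the DNS name the client uses, which is the condition step 8 of the request warned about.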
STEP FOUR: Exporting the certificate
Now all we have to do is obtain and apply the certificate on the Windows Mobile device. So we must export the certificate in a form that will work on a Windows Mobile device:
1- Go to “Start”, “Run”, and write “mmc”.
2- On the new management console go to “File”, “Add/Remove Snap In…”.
3- In the “Add Standalone Snap-in” window choose “Add” and select “Certificates”.
4- Choose “Computer account” and click “Next”
5- Choose “Local Computer”, click “Finish” and then “Close” and “OK”.
6- On the certificate window browse to “Trusted Root Certification Authorities” and locate the certificate you installed.
7- Right-click on the certificate and choose “All tasks” and “Export…”
8- The Certificate Export Wizard should open. Now you must select the type of file to create. Choose “PKCS #7” with the extension .P7B.
9- Do not forget to select the option “Include all certificates in the certification path if possible”.
10- Click next and save the certificate.
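The same .p7b bundle can be produced from PowerShell, which is handy when the export has to be repeated for several servers. This is an added example, not code from the original article; the thumbprint and output path are placeholders, and it reads the issued certificate from the local machine's Personal store and walks its chain, which is what the wizard's “include all certificates in the certification path” option does.

```powershell
# Added example (not from the original article): export the server certificate
# together with its CA chain as a PKCS#7 (.p7b) file for the mobile device.
# Thumbprint and output path are placeholders.
$thumbprint = "PASTE-THUMBPRINT-HERE"
$outFile    = "C:\exchange-chain.p7b"

# The issued certificate lives in LocalMachine\My (Personal); the CA
# certificates it chains to are in the Intermediate and Trusted Root stores.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$serverCert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$store.Close()
if (-not $serverCert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

# X509Chain walks from the server certificate up to the root. A failed Build
# means a CA certificate is missing on the server, so the device would not
# trust the bundle either; the status tells which link is missing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($serverCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }

# PKCS#7 export carries public certificates only; no private key leaves the server.
$bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7)
[System.IO.File]::WriteAllBytes($outFile, $bytes)

# Show what went into the bundle, leaf certificate first, root last.
$bundle | Format-Table Subject, Issuer, NotAfter -AutoSize
```

Because the export contains only public certificates, the .p7b can be sent to the device by e-mail or storage card without exposing the server's private key; the chain warning above is the check to run if the device later reports the certificate as untrusted.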
STEP FIVE: Installing the certificate on the Windows Mobile device and configuring EAS
We should now copy the exported certificate to the device, either by including it on a CAB installation file, sending it via e-mail or copying it to a storage card.
1- Once the certificate is on the device you must tap on it in order to install the certificate onto the device’s certificate library.
For Windows Mobile 6 and 6.1 certificate installation is quite simple: after tapping the certificate you should see a confirmation box saying it has been installed successfully.
Our last task is configuring ActiveSync on the device to synchronize with our Exchange server:
You should have no problem syncing information with your server using a secure connection.
The process is very much the same for self-signed certificates, with the exception that the CA should be in your organization and you must install a Certification Authority on one of your domain servers.