Wednesday, 10 February 2010 23:20

Simple Exchange server certificate management


To give your Microsoft Exchange users the most flexible access options you really need an independently verified SSL certificate. Here's how to do it fast and efficiently with a minimum of fuss and confusion.

Microsoft's Exchange Server 2010 is now available and offers interesting new features like threaded e-mail, cloud storage options and more.

The Exchange development team does not offer any in-place upgrade from Exchange Server 2007 or previous versions. The option was dropped for Exchange 2007 because, for the first time, it was available only as a 64-bit release. Microsoft thus opted to force a clean installation.

It seems that while this may have caused mild stress or inconvenience to Windows server admins, the Exchange developers themselves felt it relieved them of a burden, since they no longer had to ensure that the many possible upgrade routes would work. As such they've carried this approach into Exchange 2010 too.

As such, there will be young admins out there installing Exchange server for the first time who will be confronted by the perennial problem of certifying authorities.

Exchange is no different from web servers, commerce servers and other products which perform sensitive online communications and transactions. It's essential that security and privacy are maintained, and that users can trust that the server they're dealing with is the one it claims to be.

Here is where secure socket layer (SSL) certificates come into play. Here is why and how to get one.

To use Exchange's 'Outlook Anywhere' (formerly known as RPC over HTTP) and secure OWA (Outlook Web App, formerly known as Outlook Web Access) you really need a third-party certificate from a trusted certifying authority.

Without such a certificate, or if you use a server self-generated certificate, your users will be prompted with confusing and concerning messages warning them that the server may not be secure or may not be who it claims to be.

To buy a certificate you need to find a reputable seller. Digicert, Verisign, Thawte and others are well known and safe choices.

I've been using DigiCert because I find them straightforward to use with helpful explanatory processes. I have no relationship to DigiCert so you should find one you are comfortable with and compare prices. The instructions following ought to be largely similar irrespective of the certifying authority you use.

To begin, choose the certificate type you are interested in. The lowest price option generally includes one single name (e.g. mail.domain.com) but for maximum compatibility you will want a SAN certificate for Exchange Server, which DigiCert lists under Unified Communications.

This is because your server has a number of identities. For one, it has a local, internal-network name, typically of the form server.domain.local. It also has the public-facing Internet fully qualified domain name (FQDN) of mail.domain.com, and possibly others if you host other domains or use different aliases.

If you are using Outlook Anywhere you will also want to ensure your certificate includes autodiscover.domain.com, which also ought to be registered as a valid address in your DNS zone.

After choosing the type of certificate you will be asked to list the FQDNs you need to cater for. Be sure to include the variations above, namely mail.domain.com, server.domain.local, autodiscover.domain.com and any others.

Next, you will be asked to supply a certificate signing request, or CSR, which contains encoded information about your company, domain and server. The CSR comes from Exchange server itself.

DigiCert helpfully provides a tool to create the necessary PowerShell command for Exchange 2007 and Exchange 2010.

This command will be of the form:

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Houston, o=Company Name, cn=mail.domain.com" -DomainName server.domain.local, autodiscover.domain.com -PrivateKeyExportable $True

depending on the FQDNs you supply.

Open an Exchange shell window and paste this in. You will be greeted with a response that contains rows of coded text. Copy this by using the console window's Mark/Copy option. Paste it into your certificate provider's CSR entry box.
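The procedure above, as an added example that is not the article's own command or the output of DigiCert's generator: it builds the SAN name list from variables, checks each name before the request is made (so that a typo or an unregistered autodiscover name is caught before the order is paid for), and writes the CSR to a file instead of copying it out of the console. It assumes the Exchange Management Shell (2007 or 2010); the host names, organisation details, file path and friendly name are placeholders.

```powershell
# Added example, not the article's own command or DigiCert's tool output:
# build the SAN name list, sanity-check it, generate the CSR with
# New-ExchangeCertificate and save it to a file instead of copying it
# from the console. Assumptions: run in the Exchange Management Shell
# (2007 or 2010); every name, the organisation details and the output
# path are placeholders to replace with your own.

$PublicName  = "mail.domain.com"                         # CN: the name users type
$OtherNames  = @("autodiscover.domain.com", "server.domain.local")
$Subject     = "c=US, s=TX, l=Houston, o=Company Name, cn=$PublicName"
$RequestPath = "C:\certreq\mail_domain_com.csr"          # placeholder path

# The CN is repeated in the SAN list so that the issued certificate
# carries every name explicitly; duplicates are removed.
$AllNames = @($PublicName) + $OtherNames | Select-Object -Unique

foreach ($Name in $AllNames) {
    # Reject anything that is not a plain host name (no spaces, URLs, wildcards).
    if ($Name -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "Not a valid FQDN for the certificate: '$Name'"
    }
    # Public names should already resolve (autodiscover especially); internal
    # .local names normally resolve only inside the network, so only warn.
    try {
        [System.Net.Dns]::GetHostAddresses($Name) | Out-Null
    } catch {
        Write-Warning "$Name does not resolve from this server; check your DNS zone"
    }
}

# Generate the request. The cmdlet returns the base64 CSR text, which is
# written to a file ready for pasting into the CA's order form.
$Csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName $Subject -DomainName $AllNames `
    -PrivateKeyExportable $true -FriendlyName "Exchange SAN $PublicName"

New-Item -ItemType Directory -Path (Split-Path $RequestPath) -Force | Out-Null
Set-Content -Path $RequestPath -Value $Csr
Write-Host "CSR for $($AllNames -join ', ') written to $RequestPath"
```

Capturing the cmdlet's output into a variable and saving it with Set-Content works on both versions, whereas the -Path parameter of the 2007 cmdlet is not present in 2010. The private key stays on the server that ran the command, so the issued certificate must later be imported on that same server.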

After submitting the CSR you need to wait. Any good certifier will perform tests to verify you have the authority to be ordering such a certificate. How this happens may vary but should generally include a request for confirmation addressed to the postmaster address of the domain in question, or to the authorised contact listed in its domain registration.

If all proceeds efficiently, you will receive a zip file containing your certificate file (a .cer file) by e-mail.

Users may double-click on this certificate to install it on their computers, or it can be pushed out automatically via group policy.

Of course, having client computers accept the certificate is only part of the equation; your server must also issue it.

As well as distributing the certificate to your client computers, you must ensure it is imported onto your server too, and enabled for the Exchange services that use it.

Again you can refer to instructions online for Exchange Server 2007 and Exchange Server 2010. Actually, the Exchange Server 2007 instructions are PowerShell commands which work for both 2007 and 2010 but 2010 also offers a GUI method.
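The server-side half of the job, as an added example rather than the article's or the certifying authority's instructions: import the issued .cer on the server that generated the request, enable it for IIS (which is what OWA and Outlook Anywhere use), and then verify that the certificate Exchange is now serving actually covers every name users connect to, is not self-signed, and is not close to expiry. The same expiry check is what you would schedule to back up the calendar reminder the article ends with. It assumes the Exchange 2010 Management Shell (Exchange 2007's Import-ExchangeCertificate takes -Path instead of -FileData); the file path and host names are placeholders.

```powershell
# Added example (not from the article or from the CA's instructions): import
# the CA-issued .cer, enable it for IIS (OWA / Outlook Anywhere), then verify
# that the active certificate covers every required name and is not about to
# expire. Assumptions: Exchange 2010 Management Shell (Exchange 2007 uses
# Import-ExchangeCertificate -Path instead of -FileData); the file path and
# host names are placeholders.

$CertFile      = "C:\certreq\mail_domain_com.cer"     # placeholder path
$RequiredNames = @("mail.domain.com", "autodiscover.domain.com", "server.domain.local")
$WarnDays      = 30                                   # renewal warning threshold

# 1. Import the issued certificate. It pairs with the private key created by
#    New-ExchangeCertificate -GenerateRequest on this same server.
$Bytes = [System.IO.File]::ReadAllBytes($CertFile)
$Cert  = Import-ExchangeCertificate -FileData $Bytes

# 2. Bind it to IIS. Add SMTP, POP or IMAP to -Services if those need it too.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS

# 3. Verify the certificate as Exchange now sees it, collecting every problem
#    rather than stopping at the first one.
$Active   = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Problems = @()

if ($Active.IsSelfSigned) {
    $Problems += "certificate is self-signed; clients will still warn"
}
if ($Active.Services -notmatch "IIS") {
    $Problems += "certificate is not enabled for IIS"
}
foreach ($Name in $RequiredNames) {
    if ($Active.CertificateDomains -notcontains $Name) {
        $Problems += "name missing from the SAN list: $Name"
    }
}
$DaysLeft = ($Active.NotAfter - (Get-Date)).Days
if ($DaysLeft -lt $WarnDays) {
    $Problems += "expires in $DaysLeft days (on $($Active.NotAfter))"
}

if ($Problems.Count -gt 0) {
    Write-Warning ("Certificate {0} has {1} problem(s):`n - {2}" -f `
        $Active.Thumbprint, $Problems.Count, ($Problems -join "`n - "))
} else {
    Write-Host ("Certificate {0} covers {1} and is valid until {2}" -f `
        $Active.Thumbprint, ($RequiredNames -join ", "), $Active.NotAfter)
}
```

Running only step 3 against `Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }` on a schedule gives you the renewal warning well before the one-year mark, which is the check that prevents the silent expiry that causes the browser and Outlook warnings the article describes.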

The next time your users try to access your Exchange server from somewhere on the Internet, out of the office, they'll find it to be business as usual, with full continuity and no strange errors or disruptions.

For you, the admin, the only remaining task is to set a reminder in your calendar one year ahead so that you renew the certificate before it expires and ensure no downtime.




David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
