This is the second part of the blog entry Exchange 2010 EMC and Certificate Management Part – 1 in the previous post I wrote about creating a certificate request and the limitations of the new certificate request wizard. In this part we will be looking at obtaining a new certificate and then installing it on the server.
To complete installing a new certificate on your Exchange Server 2010 server you first need to obtain a certificate from CA within your organization or from a third party CA. As stated in last post the New certificate wizard generates a request in a .req file.
1. To obtain a certificate from a third party CA or your internal CA, your first need to copy the contents of the .req file and paste it to the web console of your certification authority. For my internal Enterprise CA the picture looked like below. Please see carefully that the Certificate Template used for this certificate request is Web Server.
2. Once you are done with above interface by pasting the contents of .req file and choosing a correct template you will be presented with another page in your browser to download the certificate. This interface may vary depending upon the configuration of your CA. You may need to wait till the certificate is approved and issued by CA administrator if configured so. You can now download the certificate in DER encoded format or Base 64 encoded format and save it to some location on your desktop or server. You will also need to download the whole certificate chain if the issuing authority is not a trusted CA by your server.
3. Now, as you have downloaded the certificate to the server. You will need to complete the pending certificate request in your EMC. Select the complete pending request by right clicking on the pending certificate request in EMC.
4. A new interface asking you the path to the certificate will pop up. This wizards will ask the location for newly downloaded certificate. Click on the Browse button, select the newly downloaded .cer file and click on complete button.
5. You may recall, Exchange 2007 to have the imported certificate to be enabled before it can be used actually used exchange services. E14 is not an exception to it but you don’t need to use Enable-ExchangeCertificate this time. You can do it using GUI easily. Now that you know, you have a new certificate imported correctly. You need to assign it to the services those will be using it.
Again, locate the new imported certificate in EMC and right click on it. Select Assign Services to Certificate… from the context menu.
One quick difference you may notice between the step 3 and now. That is the certificate status. It changes from Pending to Valid and icon in front of the certificate gets blue colored check mark on it.
6. Assign Services to Certificate… will list the services on a window those will be assigned to use this certificate. Select the services you want to use this certificate with and click on Assign button. In my case I did not have the UM role installed on the server so the Unified Messaging check box is grayed out.
7. You may notice a pop up asking your consent to assign this certificate to SMTP service on the server as the default certificate will be replaced if you have selected Simple Mail Transport Protocol to use the new certificate in step 6. Click Yes and your default self signed certificate created and assigned to SMTP during server install will be replaced with new one.
Click Finish in the wizard and you are done.
In some cases you may end up with a warning message; warning you that this certificate will not be used for TLS connections. Something like below:
Here you need to really understand the configurations you choose at the time of new certificate request. If you want to use this new certificate for a connector which provides a TLS connections, you will have to mention that during the New Certificate Request Wizard.
Few things to note:
- You must make sure that you have chosen the option to use new certificate for TLS connections during the request generation.
- You must have the root CA and the entire certificate chain installed your Exchange Server as well as clients if you are using your internal CA for new request processing. Outlook as well as Outlook Anywhere and other web based services may be affected otherwise.
- You must back up the certificate as soon as it is enabled on the server. I will write about it in Part-3 of this series.
- I recommend backing up and removing any old certificate from the server as soon as the new certificate is active and fully functional.