Exchange 2007 is designed to be used with a Unified Communications certificate (also referred to as a SAN (subject alternative name) or multiple-domain certificate). This is different from a wildcard certificate in that it allows different domains to be included in the same certificate, such as example.com and example.co.uk.
A version of this article originally appeared on our director's blog.
September 2012: This information has changed significantly from the advice that has been given out since early 2007 with the release of Exchange 2007.
This is because the SSL vendors' consortium has decided to stop issuing SSL certificates that expire after November 2015 for non-FQDNs (e.g. server), non-public host names (e.g. server.example.local) and private IP addresses.
Therefore the list of names that you need to include is shorter.
Note: Our screenshots may still include the old naming convention until they can be updated.
However, because of the way that SSL certificates are managed, this has caused some confusion for Exchange administrators, particularly those that have come from Exchange 2003, where it is simply done through IIS. In Exchange 2007, SSL is integrated into the product.
When Exchange 2007 is installed, it will install a self-signed certificate. This should be considered a placeholder for a commercial trusted certificate. The self-signed certificate that is installed is not supported for use with either Outlook Anywhere or Exchange ActiveSync.
Throughout this article the following domains are used as examples:
However if your public and internal domain name are one and the same, then this isn't a problem, it just means one less name on the certificate.
Read through this entire article before starting the process. It covers the steps required in some depth, along with a complete list of what to do in which order.
The first thing to consider is what URLs to use. This has caused some confusion for Exchange administrators in the past.
The most straightforward scheme is to use the same name for as many services as possible. This reduces the confusion for the end users and limits the number of names you have to put into the certificate.
Therefore you have four names:
If you are installing the certificate on an SBS 2008 system, then you should also include the host name "sites". Full instructions on setting up a commercial SSL certificate are here.
Names You do NOT have to include
Once you have decided on the URLs to use, you need to configure DNS.
All of the external URLs (anything ending in example.com) will need to resolve internally as well. This allows the URLs to work both internally and externally, without any complex firewall changes to make the external IP address work from inside the network.
The usual way to ensure the URLs resolve correctly is to configure a split DNS system.
The certificate request is an Exchange Management Shell (EMS) command and can therefore be very complex to configure and get correct. However, Digicert have created a web page that will create the command for you, which can be found here. Create the command and then copy and paste it into an EMS window.
You do not have to use Digicert for the SSL certificate itself.
Once the command has been run, it will generate a certificate request file. You need to open that in Notepad and copy and paste the complete request into the window as per the instructions from the SSL certificate supplier. You will then get a response back to import.
Again, this is another long Microsoft article that can be shortened to something quite simple.
This is the command that you need to use to import the certificate response that you have received from your supplier:
You may have additional instructions from the supplier, such as root and intermediate certificate installation, which should be completed before importing the certificate response.
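The whole certificate cycle in one place, as an added Exchange Management Shell example (this is not the article's own command, and the Digicert tool will produce the request line for you). The server name EXCH01, the organisation details and the names mail.example.com and autodiscover.example.com are assumptions; substitute the names you decided on above.

```powershell
# Added example (not the article's own command): request, import and enable a
# SAN certificate from the Exchange 2007 SP1 Management Shell on the Client
# Access Server. Assumed names: mail.example.com (the Common Name) and
# autodiscover.example.com; substitute the names you decided on above.
$names = @("mail.example.com", "autodiscover.example.com")

# 1. Generate the request. The CN in SubjectName must also be in DomainName;
#    every DomainName entry goes into the Subject Alternative Name extension.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=mail.example.com" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange SAN certificate" `
    -Path "C:\certreq\mail.example.com.req"
# Open the .req file in Notepad and paste all of it, including the BEGIN and
# END lines, into the supplier's request form.

# 2. Install any root or intermediate certificates the supplier sent, then
#    import the signed response (saved here as a .cer file).
$imported = Import-ExchangeCertificate -Path "C:\certreq\mail.example.com.cer"
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3. Check it before binding services to it: it must not be self-signed,
#    it must carry every name, and the expiry date must be sensible.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $names | Where-Object { $domains -notcontains $_.ToLower() }
if ($cert.IsSelfSigned) { throw "Imported certificate is self-signed" }
if ($missing) { throw "Certificate is missing names: $($missing -join ', ')" }
$cert | Format-List Thumbprint, CertificateDomains, NotAfter, IsSelfSigned

# 4. Bind it to IIS (OWA, EWS, ActiveSync, Autodiscover, Outlook Anywhere)
#    and SMTP (TLS). Add POP or IMAP only if those services are in use.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Confirm the new certificate, not the self-signed placeholder, now
#    serves IIS. The placeholder can then be removed with
#    Remove-ExchangeCertificate -Thumbprint <its thumbprint>.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, IsSelfSigned, CertificateDomains, NotAfter
```

Keep the private key exportable only if you need to move the certificate to a second server or an ISA/TMG box; otherwise the export step is one more place the key can leak from.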
The last area that can cause a problem is getting the URLs correct.
Unlike Exchange 2003, where you could address the server by any name that you liked as long as it resolved, Exchange 2007 requires the names clients are given to match the names on the certificate. Therefore you have to ensure that the URLs are set correctly in the application for the virtual directories, connectors etc.
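Setting every Client Access URL to the single certificate name, as an added Exchange Management Shell example (not the article's own list of commands). The server name EXCH01 and the names mail.example.com and autodiscover.example.com are assumptions.

```powershell
# Added example (not from the original article): point every Exchange 2007
# Client Access URL at the name on the certificate, inside and out.
# Assumptions: the CAS is EXCH01; mail.example.com is used for all services
# and autodiscover.example.com is the second name on the certificate.
$server = "EXCH01"
$url    = "https://mail.example.com"

# Autodiscover: domain-joined Outlook 2007 finds this URI via the SCP in AD,
# so it must be a name on the certificate, not the server's internal FQDN.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "$url/Autodiscover/Autodiscover.xml"

# EWS (free/busy, out of office), OAB, ActiveSync and OWA: same name on the
# internal and external URL, which is what the split DNS zone makes possible.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$url/Microsoft-Server-ActiveSync" -ExternalUrl "$url/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "$url/owa" -ExternalUrl "$url/owa"

# Outlook Anywhere (RPC over HTTPS): Outlook 2007 receives this host name from
# Autodiscover; Outlook 2003 users must change their profile by hand.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" -ExternalHostname "mail.example.com"

# Verify: every URL and host name below should show the certificate name and
# nothing else (no server.example.local, no NetBIOS name, no IP address).
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $server | Format-List Identity, ExternalHostname
```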
After the explanations of what needs to be done, what is the full list?
If you have changed the external name being used by RPC over HTTPS users on Outlook 2003 then they will have to change the configuration manually.
Once complete, test it using Outlook 2007. Hold down CTRL and right-click the Outlook icon in the system tray. Choose Test E-mail AutoConfiguration and run the tests to see what URLs are being issued.
For external testing, use the Test Exchange Connectivity web site from Microsoft.
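A check to run from an internal workstation once the split DNS zone and the URLs are in place, as an added example (not part of the original article): it confirms that each certificate name resolves internally and that the certificate the server actually presents on port 443 carries that name and chains to a trusted root. The names mail.example.com and autodiscover.example.com are assumptions.

```powershell
# Added example (not from the original article): from an internal workstation,
# confirm that each name on the certificate resolves (split DNS) and that the
# certificate actually presented on port 443 carries that name.
# Assumed names: mail.example.com and autodiscover.example.com.
$names = @("mail.example.com", "autodiscover.example.com")

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate here so it can be inspected; trust is reported below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

foreach ($name in $names) {
    # Split DNS: internally the name should resolve to the CAS's private address,
    # not to the public IP address that external clients use.
    $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    $cert = Get-PresentedCertificate -HostName $name
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($false) } else { "(no SAN extension)" }
    $covered = $sanText -match ("DNS Name=" + [regex]::Escape($name) + "(,|$)")
    $trusted = $cert.Verify()   # chain builds to a trusted root on this machine
    "{0}: resolves to {1}; SAN covers name: {2}; trusted chain: {3}; expires {4}" -f `
        $name, ($ips -join ", "), $covered, $trusted, $cert.NotAfter.ToShortDateString()
    "  SAN: $sanText"
}
```

If "SAN covers name" is False for a name, the self-signed placeholder is probably still bound to IIS; if "trusted chain" is False on a commercial certificate, the supplier's intermediate certificate has not been installed.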
© Sembee Ltd. 1998 - 2015.