exchange.sembee.info
from Sembee Ltd.
UK MS Exchange Consultants
Exchange 2010 - SSL Certificate Request

Requesting and installing SSL certificates in Exchange 2010 is a lot easier than it was with Exchange 2007 and is actually better to do through the wizard than the Exchange Management Shell. This page will guide you through that wizard.

This guide also applies to SBS 2011 users, but they should read the notes on this page first.

This guide is aimed at people using an external SSL provider, such as Certificates For Exchange.

  1. Open the Exchange Management Console, and click on Server Configuration.



  2. In the lower box labelled "Exchange Certificates", right click and choose "New Exchange Certificate...". You can also select New Exchange Certificate from the Action pane on the right-hand side.


     
  3. Enter a friendly name. This can be anything that you like. In this example "Exchange 2010" has been used. You could also include the month, for example "Exchange 2010 - July 2011", so that it is clear when the certificate was requested.


     
  4. In most cases you would not want to enable the wildcard certificate option, so just click Next.


     
  5. The wizard now asks you lots of questions. Most of these can be skipped and you can enter the names manually on the next screen. However, to be able to proceed you need to enter something. Therefore expand Client Access Server (Outlook Web App) and enter the common name of the server.
    This can be anything you like - mail.example.com is a common choice. For SBS 2011 systems, you should use remote.example.com as that is what SBS is expecting to use. Then click Next.

    If you want to know more about each value in this screen and how it affects your server operation - click here for an in-depth explanation.


     
  6. On the next screen you can enter additional domains that you want on the certificate.
    If you have just clicked through the screen above, then you will only have the common name listed. If you completed the boxes then additional names will be included. This includes the root of the domain - "example.com" - which is not required and is often set to the common name. This can actually cause issues with the implementation of Outlook Anywhere, so it should be removed.
    Choose the add button to enter the additional names that are required. For most implementations you need the following:

     
    | Name | Explanation |
    |------|-------------|
    | host.example.com | Common Name - as used for external users to access OWA, ActiveSync etc |
    | autodiscover.example.com | Autodiscover - this is the domain name after the @ sign of the user's email addresses. If the server is supporting multiple domains AND they are the user's primary email address, then you would need to include multiple variants of autodiscover. |
    | server.domain.local | The server's internal FQDN |
    | server | The server's NETBIOS name |

    If you are using SBS 2011 and will be using the SharePoint functionality, then you can also add "Sites" as an additional name.
    If the certificate is going to be used on multiple servers, then you have a number of options.

    1. Include all of the server names in the SSL certificate. Fine for a small implementation, but could get expensive for anything large.
    2. Do not include the server name at all, and use a split DNS system to ensure that autodiscover.example.com resolves internally. This will require additional changes to the Exchange client access server.
      If you are using the Unified Messaging role and will be installing the certificate on that server as well, then the server FQDN must be included for UM to use it.

    Names you do not need to add

    There are a number of host names used with Exchange that do not need to be added to the SSL certificate. The main ones are:

    • example.com - the root of the domain. This should be pointing at your public web site rather than an internal resource
    • The CAS array host name. The CAS array should not resolve externally and no clients connect to it internally using web services, therefore there is no need for it to be listed in the SSL certificate.


     

  7. Once you have entered the names, ensure the correct name is listed as the Common name. Then click Next.


     
  8. In the next box, enter your company legal information. The Organisation should match your company's legal name and the other information should be accurate.
    At the bottom, choose a location to store the request file.


     
  9. After clicking Next you will get a summary. Clicking Next will generate the certificate request.



     
  10. After completing the request, the wizard tells you the kind of certificate that you need and what to do next.


     
  11. When the request is complete, you are ready to pass it to your SSL provider. This usually means opening the request in Notepad, then copying and pasting it into the box on their web site.
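
The name rules from step 6 can be checked against a planned name list before the request is generated. This is an added example, not part of the original guide or any Exchange tooling: audit_names() and its parameters are hypothetical, the sample names are constructed, and it assumes the root domain is the users' primary email domain and the NetBIOS name is the first label of the server FQDN.

```python
# Added example: audit a planned certificate name list against step 6.
# audit_names() and its parameters are hypothetical names, not Exchange APIs.

def _norm(name):
    """DNS names are case-insensitive; drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def audit_names(common_name, names, email_domains, server_fqdn,
                cas_array=None, split_dns=False, unified_messaging=False):
    """Return names still to add and names to take off the request.

    email_domains: primary email domains of the users (the part after '@');
                   assumed here to also be the root domains the guide omits.
    split_dns:     True for the multi-server option that leaves server names out.
    """
    have = {_norm(n) for n in names}
    fqdn = _norm(server_fqdn)

    required = {_norm(common_name)}
    required |= {"autodiscover." + _norm(d) for d in email_domains}
    if not split_dns:
        # Internal FQDN plus NetBIOS name (assumed to be the first label).
        required |= {fqdn, fqdn.split(".")[0]}
    elif unified_messaging:
        required.add(fqdn)                        # UM needs the server FQDN

    unwanted = {_norm(d) for d in email_domains}  # root of the domain
    if cas_array:
        unwanted.add(_norm(cas_array))            # CAS array host name
    unwanted -= required                          # never flag a required name

    return {"missing": sorted(required - have),
            "remove": sorted(have & unwanted)}


if __name__ == "__main__":
    # Constructed sample: a name list that still includes the root domain.
    report = audit_names(
        common_name="mail.example.com",
        names=["mail.example.com", "example.com",
               "AutoDiscover.example.com", "server.domain.local"],
        email_domains=["example.com", "example.org"],
        server_fqdn="SERVER.domain.local",
        cas_array="casarray.domain.local",
    )
    print("Add:   ", ", ".join(report["missing"]) or "nothing")
    print("Remove:", ", ".join(report["remove"]) or "nothing")
```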

Next --> SSL Response Installation and Enabling Services


Last Page Update: 15/09/2011



© Sembee Ltd. 1998 - 2011.