Tuesday, 29 September 2015

Exchange 2013 - Install certificate (Part 1)

In this first part of a multi-part post, I'll do a run through on how to create a certificate request then import the certificate into Exchange. I'll break down the process to smaller steps and explain each step. 


Introduction

Exchange requires SSL certificates for each client access service. These include the below services:


  • Outlook Anywhere
  • Autodiscover
  • Offline Address Book
  • Exchange Web services
  • Outlook Web Access
  • Exchange Control Panel

An SSL certificate is also required for TLS which in itself is a topic for another post but I'll explain what you need on the certificate to prepare you for TLS. 


1 - Choose between self-signed vs Internal Certificate Authority vs Public Certificate Authority

Ok, so that's a long title. It's important to work out what type of certificate you require when you are configuring Exchange. This can prevent a lot of issues with Outlook prompting for credentials and sometimes being unable to connect at all. 

Self signed certificates are created by the local server and are not signed by any authority. The server is self-certifying it's identity - these certificates are therefore not trusted by clients.

Certificates issued by an internal Certificate Authority (CA) are certificates provided by a server on your network running Certificate Services. They are trusted by domain joined clients only.

Certificates issued by a public CA are trusted by all clients - domain joined and non-domain joined. 

See the below table for a comparison between the three types of certificate.


A certificate from a Public CA like Thawte, GoDaddy or Verisign is recommended although there is a cost to this. 


2 - Work out what Subject Names are required on your certificate

In our example, we have a simple setup of a single Exchange 2013 multi-role server (CAS and MBX).

  • Internal hostname: litex01.litwareinc.com
  • External hostname: mail.litwareinc.com (this is what clients will connect to for OWA and other services)

Exchange needs to use the certificate for a number of services. All of these services can be configured to use just two names on a certificate. 

The below services can use a single name of mail.litwareinc.com


  • Outlook Anywhere
  • Offline Address Book
  • Exchange Web services
  • Outlook Web Access
  • Exchange Control Panel

The last service is Autodiscover and this service needs to use a hostname of autodiscover.yourdomain.com, in our case: autodiscover.litwareinc.com. 

The two names we require on our certificate are therefore:

  • mail.litwareinc.com
  • autodiscover.litwareinc.com

You may be now asking the question "but what about the internal server name?" The answer to this is that it's not required on the certificate as we will configure the Autodiscover service not to use the internal name of the server. 

Note that if you are migrating from Exchange 2007 or 2010, you may need additional names on your certificate however this will need its own post. 

You can choose to use a Wildcard certificate if you want. These are useful as it would include all names under a particular domain, i.e. *.litwareinc.com which means you can use the same certificate for other services. It is however not as secure because it is not specifically requested. There can also be issues with some versions of Lync and older mobile devices which don't accept wildcard certificates. 

3 - Create a certificate request

This is possible using PowerShell or the Exchange Admin Center. We'll go through the steps for both approaches but you only need to choose one approach. For each approach, you need to use an administrative account that is a member of the Server Management Role Group which includes the "Exchange Server Certificates" role. 

Using Exchange Admin Center:

1) Log into https://litex01.litwareinc.com/ecp 

Note the address bar is red - this is because the default certificate is self signed and therefore not trusted by the client I'm using.




2) Click on Servers then click on Certificates

Note that here you can see the self-signed certificates that Exchange creates when the server is installed. 




3) Select the correct server from the drop down then click Add +




4) Select "Create a request for a certificate from a certification authority" and click next



5) Enter a friendly name for the certificate then click next

This can be any name - it is not used by clients but may be visible if the user clicks on the certificate in the address bar in Internet Explorer to view more details. 

In our case, we'll set a friendly name of "Litwareinc Exchange"



6) Here you get the option to request a wildcard certificate. In our case, we don't want this so will click next. 



7) Select a server to store the certificate request on then click next



8) On this next step, the wizard asks for a domain name for each Exchange service. 

In our case, we will set everything to use mail.litwareinc.com and autodiscover to use autodiscover.litwareinc.com.



9) In the next screen, we can see a list of the unique domain names that we have entered.

We see litwareinc.com listed. We don't require this name but Exchange adds it in automatically so we'll remove it to leave just the two we require. 



10) Specify information about your company then click next

For this fictional company in my test lab, it is based in Hong Kong, China



11) Specify a location to save the certificate request then click finish



12) The certificate is now a pending request as per the screenshot below. The next step will be to request the certificate from the Public CA you choose. Each CA has different instructions on how to do this. 



13) Once your CA has issued the certificate, you should be able to download a .cer file. Click on Complete as per the screenshot above then enter the path to the .cer file you received then click ok.



14) You should now see your new certificate listed.




Using PowerShell:

1) Open up the Exchange Management Shell and run the below command:

Set-Content -Path "C:\temp\certreq.req" -Value (New-ExchangeCertificate -GenerateRequest -SubjectName "c=HK, o=Litwareinc, cn=mail.litwareinc.com" -DomainName mail.litwareinc.com,autodiscover.litwareinc.com -PrivateKeyExportable $True -FriendlyName "Litwareinc Exchange")



In the above script, we've set the certificate request file path to be c:\temp\certreq.req. Yes, that is correct - we've just done 11 pages of a Wizard in a single line of PowerShell! Now you know why I prefer to use PowerShell.

2) Confirm the contents of C:\temp\certreq.req by running the below command or using notepad to open the file

Get-Content C:\temp\certreq.req



3) Request the certificate from your CA - download the .cer file to your Exchange server. Again, see instructions from your CA.

4) Import the certificate back into Exchange. Use the below command to import your .cer file:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\temp\litex01.litwareinc.com.cer -Encoding byte -ReadCount 0))



5) Confirm that the certificate has been installed properly by running the below command

Get-ExchangeCertificate | fl FriendlyName,Subject,NotBefore,NotAfter,Status,Services




Conclusion

In part 1, we've discussed the requirements for Exchange certificates and also demonstrated how to create a certificate request and complete it using both the Exchange Admin Center and PowerShell. In part 2, we'll configure Exchange to use the new certificate.

No comments:

Post a Comment