Tuesday, 6 October 2015

Exchange 2013 - Install certificate (Part 2)

In Part 1, we looked at how to choose what type of certificate we need, (self-signed, signed by internal CA or signed by public CA), how to create a certificate request and then how to import the certificate into Exchange. In this part, we'll look at how to set up Exchange to use the certificate. 


As we mentioned in the last post, Exchange requires SSL certificates for each client access service. These include the below services:

  • Outlook Anywhere
  • Autodiscover
  • Offline Address Book
  • Exchange Web services
  • Outlook Web Access
  • Exchange Control Panel

In our example, we have a single Exchange server, litex01.litwareinc.com and we'll be assigning services to our new certificate which we imported in Part 1. Currently we will be getting certificate errors in Outlook:

The security certificate was issued by a company you have chosen not to trust

How to assign services to a certificate

1) Check and identify the certificate

Open the Exchange Management Shell and run the below command on one line:

Get-ExchangeCertificate | fl FriendlyName,Issuer,IsSelfSigned,NotAfter,NotBefore,Status,Thumbprint,Services

Here you can see the certificate called "Litwareinc Exchange" that we imported in Part 1. We can see that it has a status of "valid", is not self signed, check the expiry date and can see that it has not been assigned to any services so Exchange is not using it. 

Copy the Thumbprint for the certificate, 576B0C640BA47663C6C78280D12BFF7FCD68CA08.

2) Enable the certificate for use by the IIS service

The next step is to enable the certificate for use by the IIS and other services so that Exchange will use it for OWA, Outlook Anywhere, OAB, EWS, Autodiscover, POP, IMAP and SMTP. 

Run this command on a single line to enable the certificate for the IIS service:

Enable-ExchangeCertificate -Thumbprint 576B0C640BA47663C6C78280D12BFF7FCD68CA08 -Services IIS,SMTP,POP,IMAP

3) Confirm that Exchange is using the new certificate

We can do this in a number of ways. Firstly, we can use the Get-ExchangeCertificate command as we ran earlier:

Get-ExchangeCertificate | fl FriendlyName,Issuer,IsSelfSigned,NotAfter,NotBefore,Status,Thumbprint,Services

Secondly, we can open OWA and hopefully we no longer have any certificate warnings. Below we can see that the certificate is trusted and there are no errors in IE. 


In this post, we've gone through how to assign services to our newly created certificate. In an upcoming post, I'll demonstrate how to resolve certificate errors. 

No comments:

Post a Comment