The problem: how to use the server's own (internal) CA to issue a certificate that includes all the names you need.
Typically, an Exchange certificate must carry the name of the externally visible website and the Autodiscover name, neither of which need match the server's actual host name. That means a certificate with a Subject Alternative Name (SAN) extension listing every name.
This is what you need to do.
Create a .cer Certificate – using PowerShell
Using the Exchange Management Shell, you can run a script: CreateCertificate.ps1
Param([Parameter(Mandatory=$true)] $f)

# Generate a PKCS#10 request whose SAN includes the Autodiscover name and every accepted domain.
# The private key is marked exportable so the issued certificate can later be moved as a .pfx.
$data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=GB, l=<location>, o=<organization>, cn=<website>" `
    -IncludeAutoDiscover -IncludeAcceptedDomains -DomainName <domain-name> `
    -PrivateKeyExportable $true

# Save the request and submit it to the CA against the WebServer template; the CA returns $f.cer.
Set-Content -Path "$f.csr" -Value $data
certreq -submit -attrib "CertificateTemplate:WebServer" "$f.csr" "$f.cer"
Then run the script with the base file name as its parameter; it writes <name>.csr and, once the CA has issued the certificate, <name>.cer.
Create a .cer Certificate Request – using a text file
To avoid typing in all the details every time, create a file: CertificateData.inf (see http://technet.microsoft.com/en-gb/library/ff625722(v=ws.10).aspx for the source):
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<website>" ; Remove to use an empty Subject name.
;Because SSL/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.
Exportable = TRUE ; TRUE = Private key is exportable. Required here: the .pfx export below cannot include the key otherwise.
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
[EnhancedKeyUsageExtension]
; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7
; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
2.5.29.17 = "{text}"
_continue_ = "dns=<website>&"
_continue_ = "dns=<autodiscover-name>&" ; conventionally autodiscover.<domain>
; Multiple alternative names must be separated by an ampersand (&).
[RequestAttributes]
CertificateTemplate = WebServer ; This is the template name used by the Certificate Authority.
Then run:
certreq -new CertificateData.inf CertificateData.req
certreq -submit CertificateData.req CertificateData.cer
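The same request procedure, as an added PowerShell example that is not part of the original post: it generates CertificateData.inf from a list of names so the SAN list is never hand-typed, runs the certreq steps, and then checks that every name actually made it into the issued certificate's SAN (a CA or template can silently drop names it is not configured to honour). It assumes a domain-joined host, a CA publishing a template named WebServer that allows the subject and SAN to be supplied in the request, and placeholder host names (mail.example.com, autodiscover.example.com); the function names are this example's own.

```powershell
# Added example (not from the original post). Assumptions: domain-joined host, a CA with a
# "WebServer" template that accepts subject/SAN from the request, placeholder host names.

function New-SanRequestInf {
    param([string]$Subject, [string[]]$DnsNames, [string]$Template, [string]$Path)
    # One _continue_ fragment per name; certreq concatenates them into the 2.5.29.17 value.
    $sanLines = ($DnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Subject"
Exportable = TRUE   ; TRUE so the key can later be exported into a .pfx
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1   ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
$sanLines

[RequestAttributes]
CertificateTemplate = $Template
"@
    Set-Content -Path $Path -Value $inf -Encoding Ascii
}

function Get-CertificateDnsNames {
    # Reads the DNS entries of the SAN extension from an issued .cer (DER or base64).
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=mail.example.com" (English locale).
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

$names = @('mail.example.com', 'autodiscover.example.com')   # placeholders: public name + Autodiscover name
$base  = 'CertificateData'

New-SanRequestInf -Subject $names[0] -DnsNames $names -Template 'WebServer' -Path "$base.inf"
certreq -new    "$base.inf" "$base.req"   # creates the key pair and the PKCS#10 request
certreq -submit "$base.req" "$base.cer"   # sends it to the CA (prompts for a CA if there are several)
certreq -accept "$base.cer"               # installs the issued cert and binds it to the pending key

# Check: every requested name must be present in the issued SAN before the cert is used.
$issued  = @(Get-CertificateDnsNames "$base.cer")
$missing = @($names | Where-Object { $issued -notcontains $_ })
if ($missing) { throw "CA did not include these names in the SAN: $($missing -join ', ')" }
"Issued with SANs: $($issued -join ', ')"
```

The SAN check is the part worth keeping: if the template is set to build the subject from Active Directory, or the request attribute lands in the wrong INF section, the CA issues a certificate without the names you asked for and nothing in the certreq output says so.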
Convert .cer to .pfx and import into Exchange
Convert the .cer to a .pfx by importing the .cer into the certificate store on the machine that holds the private key (which binds the issued certificate to that key; certreq -accept CertificateData.cer does the same from the command line, and is the step that was missed if the imported certificate shows no private key) and then exporting it:
Run mmc.exe, and Add the Certificates snap-in (Computer account, Local Computer).
Import the certificate into the Personal\Certificates folder, then export it again: choose to export the private key, select PKCS #12 (.pfx), include all certificates in the certification path, and export all extended properties. You will need to provide a password, which protects the private key in the file.
Next, run the Exchange Management Console as Administrator.
Select Server Configuration, and under Exchange Certificates, import the .pfx you just exported. Then run Assign Services to Certificate and select all services (except Unified Messaging).
You may need to restart IIS for the certificate to be picked up.
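The export and import steps above, as an added PowerShell example that is not part of the original post: it does the .pfx export with certutil and the Exchange import with Import-ExchangeCertificate and Enable-ExchangeCertificate instead of the MMC and EMC wizards, then verifies that the installed certificate carries every expected name and is bound to IIS. It assumes it is run from the Exchange Management Shell on the server holding the private key (the request was made with Exportable = TRUE); the host names, file path and password are placeholders.

```powershell
# Added example (not from the original post). Assumptions: Exchange Management Shell on the
# server that owns the private key; placeholder names, path and password below.

$expectedNames = @('mail.example.com', 'autodiscover.example.com')   # names the cert must carry
$pfxPath       = 'C:\certs\exchange.pfx'
$pfxPassword   = 'ChangeMe-Pfx-Password'   # placeholder; protects the private key in the .pfx

# 1. Locate the issued certificate in the computer's Personal store; it must have its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($expectedNames[0])*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $($expectedNames[0]) in LocalMachine\My" }

# 2. Export certificate, private key and issuing chain to PKCS#12. certutil includes the chain
#    by default, matching the MMC wizard's "include all certificates in the path" option.
certutil -p $pfxPassword -exportPFX My $cert.Thumbprint $pfxPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed (is the private key exportable?)" }

# 3. Import into Exchange and bind the services. IIS covers OWA, ECP, EWS, ActiveSync and
#    Autodiscover; -Force suppresses the prompt about replacing the default SMTP certificate.
$secure   = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$imported = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) -Password $secure
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force

# 4. Verify: every expected name must appear in CertificateDomains and IIS must be bound.
$installed = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$domains   = @($installed.CertificateDomains | ForEach-Object { $_.ToString() })
$missing   = @($expectedNames | Where-Object { $domains -notcontains $_ })
if ($missing) { throw "Installed certificate is missing names: $($missing -join ', ')" }
if ("$($installed.Services)" -notmatch 'IIS') { throw "IIS is not bound to the new certificate" }
$installed | Format-List Subject, CertificateDomains, Services, NotAfter

# 5. Recycle IIS so the new binding is picked up, then remove the .pfx: it holds the private key.
iisreset /noforce
Remove-Item $pfxPath
```

Deleting the .pfx (or moving it to protected storage) after import matters: the file contains the server's private key under a password you chose on the command line, and it is easy to leave behind on a shared drive.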