{"id":206,"date":"2014-09-10T16:28:19","date_gmt":"2014-09-10T16:28:19","guid":{"rendered":"http:\/\/nofl.biz\/blog\/?p=206"},"modified":"2014-09-10T16:28:19","modified_gmt":"2014-09-10T16:28:19","slug":"microsoft-exchange-certificates","status":"publish","type":"post","link":"https:\/\/beneford.com\/Blog\/index.php\/2014\/09\/10\/microsoft-exchange-certificates\/","title":{"rendered":"Microsoft Exchange Certificates"},"content":{"rendered":"

The problem: How to use the Server’s CA to create a certificate with all the names you need included.<\/p>\n

Typically, an exchange certificate should have the names for the externally visible website and the autodiscover site – which may not match the actual name of the server.<\/p>\n

This is what you need to do.<\/p>\n

Create a .cer Certificate – using Powershell<\/h2>\n

Using Powershell, you can run a script: CreateCertificate.ps1<\/p>\n

Param([Parameter(Mandatory=$true)] $f)\n$data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName \"c=GB, l=<location>, o=<organization>, cn=<website>\" -includeAutoDiscover -includeAcceptedDomains -DomainName <domain-name> -privatekeyexportable $true\nSet-Content -path \"$f.csr\" -Value $data\nCertreq -submit -attrib \"CertificateTemplate:WebServer\" \"$f.csr\" \"$f.cer\"<\/pre>\n
Then run the script with the parameter of the name of the certificate.<\/p>\n
Create a .cer Certificate Request – using a text file<\/h2>\n
To avoid typing in all the details every time, create a file: CertificateData.inf (see http:\/\/technet.microsoft.com\/en-gb\/library\/ff625722(v=ws.10).aspx<\/a> for source):<\/p>\n
[Version]\nSignature=\"$Windows NT$\"\n\n[NewRequest]\nSubject = \"CN=<website>\" ; Remove to use an empty Subject name.\n;Because SSL\/TLS does not require a Subject name when a SAN extension is included, the certificate Subject name can be empty.\n\nExportable = FALSE\u00a0\u00a0 ; TRUE = Private key is exportable\nKeyLength = 2048\u00a0\u00a0\u00a0\u00a0 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384\nKeySpec = 1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Key Exchange \u2013 Required for encryption\nKeyUsage = 0xA0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Digital Signature, Key Encipherment\nMachineKeySet = True\nProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"\n\nRequestType = PKCS10 ; or CMC.\n\n[EnhancedKeyUsageExtension]\n; If you are using an enterprise CA the EnhancedKeyUsageExtension section can be omitted\nOID=1.3.6.1.5.5.7.3.1 ; Server Authentication\nOID=1.3.6.1.5.5.7.3.2 ; Client Authentication\n\n[Extensions]\n; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7\n; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.\n2.5.29.17 = \"{text}\"\n_continue_ = \"dns=<website>&\"\n_continue_ = \"dns=<website.autodiscover>&\"\n; Multiple alternative names must be separated by an ampersand (&).\n\nCertificateTemplate = WebServer\u00a0 ; This is the template name used by the Cerficiate authority.<\/pre>\n
Then run:<\/p>\n
certreq -new CertificateData.inf CertificateData.req\ncertreq -submit CertificateData.req CertificateData.cer<\/pre>\n
Convert .cer to .pfx and import into Exchange<\/h2>\n
Convert .cer to .pfx by importing the .cer into a certificate store and then exporting it:<\/p>\n
Run mmc.exe, and Add the Certificates snap-in (Computer account, Local Computer).<\/p>\n
Import the certificate into the Personal\\Certificates folder and then export it
\n– export the private key, select PKCS#12 and include all certificates in the path and export all extended properties. You will need to provide a password.<\/p>\n
Next, run Exchange Management Console as Administator.<\/p>\n
Select Server Configuration, and under Exchange Cetrtificates, import the certificate you just exported. Then run Assign Services to Exchange and select all (except Unified Messaging).<\/p>\n
You may need to restart IIS for the certificate to be picked up.<\/p>\n","protected":false},"excerpt":{"rendered":"
The problem: How to use the Server’s CA to create a certificate with all the names you need included. Typically, an exchange certificate should have the names for the externally visible website and the autodiscover site – which may not match the actual name of the server. This is what you need to do. Create […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-pc-support"],"_links":{"self":[{"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":0,"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"wp:attachment":[{"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/beneford.com\/Blog\/index.php\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}