SSL Certificate in Exchange 2007


  • SSL Certificate in Exchange 2007

    Hi all..

    I have a small problem. Earlier this year a company I do work for upgraded their servers. One of the server moves was going from Exchange 2003 to Exchange 2007. The upgrade (or Transition, Migration, or whatever it's called these days), went well.

    Here is the problem...we had generated a self signed SSL certificate for using OWA. After the move to Exchange 2007, there are errors with the certificate. Normally this hadn't been a problem, until one of the owners purchased a Motorola Q and wanted to be able to sync with Exchange out of the office. I installed the certificate on the device but get that there are errors. I am sure that somewhere there is an issue with the name due to the server replacements.

    My question is how do I replace the certificate in Exchange 2007? Do I need to remove the old certif?

    Any help would be greatly appreciated.

    Thanks
    Mike

  • #2
    Re: SSL Certificate in Exchange 2007

    Self generated SSL certificates are not supported for use with Exchange ActiveSync and Outlook Anywhere. Therefore you will need to replace it with a commercial certificate.
    I usually recommend GoDaddy certificates as they are trusted by most Windows Mobile devices and are also cheap. The type of certificate that you need is called a SAN or UC certificate and costs from US$60/year. http://certificatesforexchange.com/

    I have outlined exactly what is required on my blog here: http://www.sembee.co.uk/archive/2008/05/30/78.aspx

    Simon.
    Last edited by Sembee; 17th April 2013, 19:08. Reason: URL Correction
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: SSL Certificate in Exchange 2007

      Thanks for the info. I will take a look. I am assuming that the same certif will work for OWA as well?

      Thanks

      Mike



      • #4
        Re: SSL Certificate in Exchange 2007

        The certificate will work for everything within Exchange (OWA, Outlook Anywhere, POP3, IMAP, SMTP, Unified Messaging) if you enable it to do so.

        Simon.


        • #5
          Re: SSL Certificate in Exchange 2007

          I have also had the same problems with Exchange certificates. If you need users to connect to your site over the internet, you need a commercial certificate. If not, you can set up an internal CA and use that for your certificate requirements. I used this in Exchange 2007 now and use ActiveSync, OWA etc.

          I found this invaluable.

          http://technet.microsoft.com/en-us/l.../bb332063.aspx

          It refers to autodiscover but will work for all aspects of Exchange 2007. It is then automatically trusted in your domain or if not, Group Policy can be used.



          • #6
            Re: SSL Certificate in Exchange 2007

            Thanks for the info Virtual.

            I will take a look at the link.

            So you are using self signed certifs? What kind of mobile devices are connecting?

            Is there any good info on setting up and using my own CA and self signed certifs? I have been researching this for what seems like a lifetime and find a lot of conflicting information. My biggest problem right now is there is already a certif assigned to OWA and ActiveSync. However, it has incorrect information due to being transferred from the old Exchange 2003. I am assuming I just need to remove this old certif before importing a new one.

            Sorry for all the newb questions. Just want to make sure I get things right.

            If I have to purchase a certif, I was looking at GoDaddy. Do I just need the Standard SSL?

            Again, thanks for all the help...

            Mike



            • #7
              Re: SSL Certificate in Exchange 2007

              No problems with the questions Mike. I have found these forums so useful I like to help out when I can.

              When Exchange 2007 is installed, it automatically assigns itself the self-signed certificate. You can view this certificate by opening up IIS on the Exchange 2007 server and viewing the certificate via the Directory Security tab of the Default Website Properties. This is the one used by default for the virtual directories below it. This includes the OWA, autodiscover, exchange etc. Look at the same on the Properties of OWA to see if it is using that certificate or another brought over from Exchange 2003. However, I wasn't using SSL in Exchange 2003 and when Exchange 2007 is installed, OWA is automatically created to use SSL and given the self-signed certificate.

              To create my CA and to receive the correct internal CA certificate, I entirely used the procedure I have given you. There are also some good PowerShell commands in the procedure that will export the relevant settings for creating your internal CA.

              My internal certificate has the following.

              Subject: Domain.Local
              Subject alternative Names: Domain.Local, autodiscover.domain.local, 2k7 Server BIOS Name. e.g. Server, FQDN of 2k7 Server. e.g. Server.Domain.Local.

              I don't use SSL externally for OWA etc. otherwise, if this was for External use, I would add the external name as the key Subject field. E.g. OWA.Domain.com.

              I reckon you have a couple of choices. You could just use the 3rd party SSL certificate (from GoDaddy) to do all, though this can become costly. You are also best to contact them regarding one for Exchange. I had problems when initially looking into this and found I couldn't get one for my internal names as an email had to be sent to a valid domain name.

              Or, and you again will need confirmation of this from an SSL supplier, you can use the Standard SSL from GoDaddy just for the domain name used for accessing email from home and then Microsoft's internal CA for the rest. All you have to do is set the Microsoft certificate on the Default Website in IIS and then set the GoDaddy cert on the OWA site. You will need to carry out further research if you use ISA.

              This is useful if you need to ensure your CA is trusted by all domain clients.

              http://technet.microsoft.com/en-us/l.../cc738131.aspx

              When I installed mine, it automatically became trusted and the security warnings stopped.

              Also, keep in mind that even though there is a warning, if the user continues, the communication between the Exchange server and client is still encrypted so is secure.

              Hope this helps. Feel free to ask any other questions and to boost my reputation points if you have found it useful.

              Thanks

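The replacement procedure discussed in the posts above, sketched for the Exchange 2007 Management Shell as an added example (not code from any poster or from the linked articles). Host names, file paths, the organisation string and the old thumbprint are placeholders to substitute.

```powershell
# Added example. All names, paths and the old thumbprint are placeholders.

# 1. Inspect what is installed today. A certificate carried over from the old
#    server shows names here that no longer match what clients connect to.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Every name a client will type or discover must be in the SAN list.
$names = @(
    'mail.example.com',          # external name: OWA, ActiveSync, Outlook Anywhere
    'autodiscover.example.com',  # Autodiscover
    'server01.example.local',    # internal FQDN of the Exchange server
    'server01'                   # NetBIOS name of the Exchange server
)

# 3. Generate the request. The private key is created and kept on this server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Example Org, cn=mail.example.com' `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Path 'C:\certs\exchange2007.req'

# 4. Submit the .req file to the commercial or internal CA, save the issued
#    certificate next to it, then import it on the same server.
$new = Import-ExchangeCertificate -Path 'C:\certs\exchange2007.cer'

# 5. Refuse to go further if the CA dropped any requested name.
$have    = $new.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $have -notcontains $_ }
if ($missing) {
    throw ('Issued certificate lacks: ' + [string]::Join(', ', @($missing)))
}

# 6. Bind the new certificate to the services that should use it.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS, SMTP, POP, IMAP'

# 7. Confirm the binding, then retire the old certificate once clients
#    connect without warnings.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Services, NotAfter
Remove-ExchangeCertificate -Thumbprint '<OLD-CERTIFICATE-THUMBPRINT>'
```

Step 5 is the check that catches the name mismatch described in the first post before any client sees the new certificate.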


              • #8
                Re: SSL Certificate in Exchange 2007

                This may be of use as well.

                http://www.petri.com/configure_ssl_on_owa.htm

                This also has a link to how to install your internal CA.



                • #9
                  Re: SSL Certificate in Exchange 2007

                  Originally posted by Virtual:
                  This may be of use as well.

                  http://www.petri.com/configure_ssl_on_owa.htm

                  This also has a link to how to install your internal CA.

                  Beware, the process in Exchange 2007 is very different from 2003.
                  Follow Sembee's excellent notes and all will be well (the voice of experience here!)
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **



                  • #10
                    Re: SSL Certificate in Exchange 2007

                    And this one.

                    http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

                    With regards to ActiveSync, I just use the BlackBerry Desktop Manager software. I set this to use the local computer's Outlook profile, the one that has the Outlook account configured. This then allows me to set the calendar and contacts to synchronise with Outlook and the BlackBerry. All emails are forwarded to an external O2 email server, hosted by BlackBerry. These are then downloaded on to the BlackBerry phone.



                    • #11
                      Re: SSL Certificate in Exchange 2007

                      You CAN use self signed certificates with OWA, Outlook Anywhere and ActiveSync.

                      We were under the same belief as the rest of you until we had Microsoft on the line looking at a different issue and the Tech kindly demonstrated how to issue the cert etc..

                      I am unsure of this but I believe the cert server must be server 2008.

                      Anyways, our self signed cert is working great with BlackBerrys and iPhones etc.

                      I do agree that a commercial cert is always the better way to go.
                      Stacey Smith
                      Sr. Systems Engineer

                      The rule is perfect: in all matters of opinion our adversaries are insane --Samuel Clemens



                      • #12
                        Re: SSL Certificate in Exchange 2007

                        Self signed certs work fine generated from wherever; the problem is just that you end up having to install the root certificate on the devices (some devices originally didn't let you do this, for example). You then have to get that to people and onto the PC/device, which could involve sending it out with insecure methods and training users to do it. Devices may need plugging into machines etc.
                        With a public cert it all works pretty much straight out of the box. You can set up ActiveSync with just server name, username and password, nothing more.

                        The only difference between them really is that a public cert is already trusted by the majority of devices, plus they are really cheap now!

                        Anyway ... rant over
                        cheers
                        Andy

                        Quis custodiet ipsos custodes?



                        • #13
                          Re: SSL Certificate in Exchange 2007

                          The use of the self signed certificate is not supported....

                          http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

                          One of the key lines is this:

                          "Important: The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync. "

                          Therefore while you can get it to work, it isn't supported and the hassle involved when the certificates are so cheap makes the process rather pointless.

                          Simon.


                          • #14
                            Re: SSL Certificate in Exchange 2007

                            Hi all,

                            Sorry for the length of time on my reply. Had some issues that were not IT related.

                            Anyway, just wanted to update on what I did. I ended up purchasing a certif and went that way. I looked at all the other options and due to all the other projects I had going on I found it more to my advantage to go the commercial route.

                            I appreciate everyone's help with this and hope to provide my two-cents worth in other posts.

                            Thanks
                            Mike
