I was looking through my old certificate notes and found this. Might come in handy for someone.
Exchange Configuration - Certificates for Exchange
Prologue
This document is aimed at IT staff / systems administrators who wish to understand the role of certificates in Exchange Server more fully and are looking to implement them. It is not a hard-and-fast document and any actions taken as a result of reading it are entirely at your own risk. It is assumed that before reading this document you are familiar with the following:
Certificate services
Command prompt
Exchange Server 2007
Windows Server 2003 with the admin pack installed
Introduction
Certificates are simple to implement in Exchange Server 2007 unless your internal Active Directory domain and your public domain have different names, which is the case this document covers.
Project aim
To generate and install a certificate for Exchange 2007 that supports internal MAPI access for Outlook 2007 and Outlook 2003, and external access to OWA, ActiveSync and Outlook Anywhere. This document assumes you are using:
1. Microsoft Certificate Services (your own internal CA) to issue the certificate, rather than a commercial CA. Clients will only accept it without warnings if they trust that CA.
2. An internal domain name that differs from your external domain name, so the server's internal FQDN and its public FQDN are different.
When your internal domain name is different from your external domain name, the certificate must carry both names in a “Subject Alternative Name” (SAN) extension. The web enrollment pages of Microsoft Certificate Services only accept a SAN typed into the request attributes box once the CA has been told to honour that attribute, so you first have to enable it. Be aware of what this setting does before you turn it on: with EDITF_ATTRIBUTESUBJECTALTNAME2 set, the CA accepts a SAN supplied as a request attribute from any requester for any template, including templates that normally build the subject from Active Directory. A domain user who can enroll for a template that allows client authentication (the default User template, for example) can then request a certificate with another account's UPN in the SAN and log on as that account. Treat it as a temporary change on a CA you control, not a permanent setting. To enable it, log on as an administrator to the server running Certificate Services, click START, Run, type cmd to open a command prompt, and enter the following commands:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
To undo this change, which you should do as soon as your certificate has been issued, start a command prompt and enter the following commands:
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
What has this done? certutil has OR-ed the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) into the EditFlags DWORD value of the CA's active policy module, which lives under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
There is no separate value or key named "policy/editflags"; the policy\ prefix in the certutil command is shorthand for that policy module key. EditFlags is a bitmask that also holds several unrelated CA settings, so do not set it by hand with a .reg file: a .reg file replaces the whole value and silently drops the other bits. Use the certutil command above, and confirm the result with certutil -getreg policy\EditFlags, which lists each flag that is set by name.
Ensure that you have restarted the Certificate Services service before continuing. This can be done manually at the command prompt as above or by using the Services Control Panel.
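The following PowerShell script is an added example, not part of the original post. It reads the same EditFlags value the certutil command writes, for every CA hosted on the server, and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) is set. It is read-only and useful both to confirm the change took effect and, later, to confirm the undo was applied. The registry path and bit value are the standard ones for the default policy module; the CA name is discovered from the registry rather than assumed.

```powershell
# Added example (not from the original post): audit every CA hosted on this server
# for EDITF_ATTRIBUTESUBJECTALTNAME2, the flag enabled by the certutil command above.
# Read-only; run in an elevated PowerShell on the CA server.

# Bit that 'certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2' sets
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-SanFlagStatus {
    param(
        # CertSvc configuration root; one subkey per CA hosted on the machine
        [string]$ConfigRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    )
    foreach ($ca in Get-ChildItem -Path $ConfigRoot -ErrorAction Stop) {
        $policyModules = "Registry::$($ca.Name)\PolicyModules"
        if (-not (Test-Path -Path $policyModules)) { continue }   # not a CA key

        # 'Active' names the policy module in use. The default module is
        # CertificateAuthority_MicrosoftDefault.Policy, and its EditFlags DWORD is
        # the value 'certutil -setreg policy\EditFlags' reads and writes.
        $active = (Get-ItemProperty -Path $policyModules -Name Active).Active
        $flags  = (Get-ItemProperty -Path "$policyModules\$active" -Name EditFlags).EditFlags

        [pscustomobject]@{
            CA             = $ca.PSChildName
            PolicyModule   = $active
            EditFlags      = ('0x{0:X}' -f $flags)
            SanFromRequest = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
        }
    }
}

Get-SanFlagStatus | Format-Table -AutoSize
```

A row with SanFromRequest = True on a CA where you are not in the middle of issuing a certificate is a finding: run the undo commands above on that CA and restart Certificate Services.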
Creating and installing the certificate
Using Internet Explorer, navigate to http://servername/certsrv, where “servername” is the name of the server running Certificate Services.
Select “Request a certificate”, then “Advanced certificate request”, followed by “Create and submit a request to this CA”.
In the Name field enter the external FQDN of the server, for example mail.externaldomain.com, and fill in the other identifying information as required. Change the type of certificate needed to “Server Authentication Certificate” and tick “Mark keys as exportable”.
In the Attributes box enter the names the certificate must cover, using the following syntax:
san:dns=mail.externaldomain.com&dns=mail.internaldomain
where mail.externaldomain.com is the FQDN used for OWA / Outlook Anywhere from outside the LAN and mail.internaldomain is the server name and domain name used internally on your LAN. If external clients rely on Autodiscover, add &dns=autodiscover.externaldomain.com as well. This attribute is only honoured because EDITF_ATTRIBUTESUBJECTALTNAME2 was enabled above. In the Friendly Name field enter your external name, such as mail.externaldomain.com.
Click Submit.
The request is now pending on the CA. Go to Administrative Tools, open the Certification Authority console, select “Pending Requests”, right-click your request and choose “All Tasks”, “Issue”. Then return to http://servername/certsrv in Internet Explorer, select “View the status of a pending certificate request”, select your server certificate, click “Install this certificate” and click “Yes” to install it into your user certificate store.
Exporting the certificate
Click Start, Run, “mmc.exe” (without quotes). Click “File” “Add/remove snapin”, “Add” and then “Certificates”. Click Add once more
Select “My user account”, “Close”, “OK” Navigate to “Personal” “Certificates”
Right-click your certificate and select “All tasks”, then “Export”. Click “Next”, choose “Yes, export the private key”, then “Next”. Enter the password (twice), then “Next”, and enter a filename, e.g. “c:\cert.pfx”.
Click “Next” then “Finish”
Close the MMC, then copy the file “c:\cert.pfx” onto the Exchange 2007 server that holds the Client Access Server (CAS) role. The .pfx contains the private key, so use a strong password, copy it over a trusted path, and delete it from both machines once the import has been verified.
Importing the certificate
Log on to the Exchange 2007 server that holds the Client Access Server role.
Start, Run “mmc.exe” (without the quotes), select “File” “Add/remove snapin”, “Add”, “Certificates”. Select “Computer account”, “Close”, “OK”.
Navigate to “Personal”, “Certificates”, right click on “Certificates”, select “All tasks” then “Import”.
Select “next” and then enter the path and filename to where you copied the certificate, such as “c:\cert.pfx”.
Enter the password.
Important note: Do NOT select the “mark this key as exportable” box!
Click “Next”, “Next”, “Finish”.
Run IIS Manager, right-click “Default Web Site” and choose “Properties”.
Select the “Directory Security” tab, click “Server Certificate”, choose “Assign an existing certificate” and select the certificate you imported.
Assigning the certificate to the SMTP receivers
Run “mmc.exe”, select “File”, “Add/remove snapin”, “Add”, “Certificates”.
Select “Computer account”, “Close”, “OK”.
Navigate to “Personal” “Certificates” , double click on the certificate that you added and select the details tab.
Scroll down to the thumbprint field and make a note of the value / copy it to the clipboard.
Load the Exchange Management Shell and enter the following command, removing the spaces from the thumbprint you copied from the MMC: enable-exchangecertificate -Thumbprint <thumbprint as noted above> -Services SMTP
If you would rather not use IIS Manager, -Services "IIS,SMTP" assigns the certificate to the web site and the SMTP receive connectors in one step.
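As an added example (not part of the original post), the whole procedure above can be done from the Exchange Management Shell on the CAS/Hub server without the web enrollment pages, the user-store export or the .pfx copy. New-ExchangeCertificate writes every name given to -DomainName into the SubjectAltName extension of the CSR itself, and the built-in WebServer template takes its subject from the request, so the CA honours the SAN without EDITF_ATTRIBUTESUBJECTALTNAME2 ever being enabled (and there is nothing to undo afterwards). The CA name, DNS names and organisation details below are placeholders to replace with your own.

```powershell
# Added example (not from the original post): request, issue and enable a SAN
# certificate entirely from the Exchange Management Shell on the CAS/Hub server.
# The CA (-config), DNS names and organisation details are placeholders.
# Run as an account allowed to enroll for the WebServer template.

$caConfig = 'caserver.internaldomain.local\Internal-CA'   # "<CA host>\<CA name>"; certutil -dump shows yours
$names    = 'mail.externaldomain.com',                    # external OWA / ActiveSync / Outlook Anywhere name (also the CN)
            'autodiscover.externaldomain.com',            # external Autodiscover name
            'mail.internaldomain.local'                   # internal server FQDN used by Outlook on the LAN

# 1. Build the CSR. Every name in -DomainName goes into the SubjectAltName extension,
#    so the SAN travels inside the request rather than as a request attribute.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=$($names[0])" `
    -DomainName $names `
    -FriendlyName $names[0] `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\exchange.req

# 2. Submit the CSR to the CA against the WebServer template and collect the issued
#    certificate. certreq is the Windows CA client; -attrib selects the template.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' C:\exchange.req C:\exchange.cer

# 3. Import the issued certificate into the local computer store, where it pairs with
#    the private key generated in step 1, and enable it for IIS (OWA, ActiveSync,
#    Outlook Anywhere, Autodiscover) and SMTP (TLS on the receive connectors).
$cert = Import-ExchangeCertificate -Path C:\exchange.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 4. Verify: CertificateDomains should list every name and Services should show IIS and SMTP.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# The request file is no longer needed; the .cer holds no private key and may be kept.
Remove-Item C:\exchange.req -ErrorAction SilentlyContinue
```

Because the private key is generated directly in the computer store on the Exchange server, no .pfx with the key ever has to leave the machine. Keep -PrivateKeyExportable $true only if you will need to copy the certificate to another server, such as the ISA listener mentioned below.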
Exchange will now present a certificate that covers both the internal and external names, and Outlook 2007 will not give certificate warnings, provided the client trusts the issuing CA. Domain-joined machines trust an Enterprise CA automatically; external or non-domain clients (home PCs, ActiveSync phones) will still warn, or refuse to connect, unless the CA's root certificate is installed on them.
Note: the same certificate, exported with its private key, must also be assigned to the web listener on ISA Server 2004/2006 to allow SSL bridging to your Exchange server, and the ISA server itself must trust the CA that issued it.
1 comment:
I visited my friend a couple of days ago, and then I learnt about one new application which rapidly works with other kinds of Exchange problems. I downloaded it and understood that it was a really good tool. Consequently I think it will be a good solution for this trouble: exchange server recovery.