Exchange 2007 requires a UCC (Unified Communications) certificate in order for its various services to work properly. Exchange wants to see an SSL certificate name for each of its services, internal and external, so to cover all bases I typically create a certificate with the following Subject Alternative Names (SANs), assuming that the server's name is "mailserver", the external company domain is "company.com" and the internal Active Directory domain is "company.local":
- Public FQDN of the Server (mail.company.com)
- Private FQDN of the Server (Mailserver.company.local)
- Netbios name of the server (mailserver)
- For the last SAN, use www or anything else you like, so that you can reuse this expensive certificate on your IIS servers as well.
Godaddy.com allows you to create a UCC certificate with one domain name plus up to 4 additional SANs, for a total of 5 FQDNs per certificate.
First, log into your godaddy.com account, purchase a UCC certificate and then start the wizard to configure it. When it asks you for your CSR, follow these instructions on your Exchange server to create one:
- Open the Exchange Management Shell.
- The first thing I do is run the following command to see which certificates are currently installed:
Dir cert:\LocalMachine\MY | fl
- To generate a new CSR, enter the following command:
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=COUNTRY, l=CITYNAME, s=STATENAME, o=COMPANY NAME, cn=FIRST FQDN" -DomainName SAN1,SAN2,SAN3,SAN4 -PrivateKeyExportable $true -Path c:\certrequest.txt
Fill in the uppercase placeholders with your own information and the SANs we created above.
- Once you've run the command, copy the contents of C:\certrequest.txt into the Godaddy.com CSR request field and continue the wizard.
- The wizard will complete, and eventually you'll get an email from Go Daddy saying that your request is complete and you can download the certificate. Download the zip file to your Exchange server and extract it to a folder. The zip file will contain two certificates: an intermediates.p7b file and your FQDN.crt file.
- You'll have to follow these instructions from Go Daddy to install their intermediate certificate and disable their older Class 2 Root certificate. I've included these instructions verbatim here, but you'll probably want to follow the most recent set of instructions from them when you download the certificate.
- Once the intermediate is installed and the Class 2 Root certificate is disabled, install the new certificate on the Exchange server by moving the .crt file to c:\ and typing the following in the Exchange Management Shell:
Import-ExchangeCertificate -Path c:\FQDN.crt
Change the name of the .crt file to match the one you were sent.
- Type the following again and copy the thumbprint of the newly installed certificate:
Dir cert:\LocalMachine\MY | fl
- To enable the certificate, type:
Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -Services "IIS,IMAP,POP"
Replace the X's with the thumbprint you copied in the previous step (step 8). IMAP and POP are optional, and I don't typically configure SMTP with SSL either.
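Before running Enable-ExchangeCertificate, the script below (an added example, not part of the original post) checks that the imported certificate actually carries every SAN from the list above, still has its private key, uses at least a 2048-bit key, is not about to expire and chains to a trusted root (which fails if the Go Daddy intermediate was not installed), and prints the thumbprint so you don't have to copy it by eye from the fl output. It assumes the Exchange Management Shell (PowerShell 1.0 or later) and the sample names from this post (mail.company.com, mailserver.company.local, mailserver); swap in your own.

```powershell
# Added example, not from the original post: verify the imported certificate
# before enabling it. The names below are this post's sample names (assumptions).
$ExpectedNames = @('mail.company.com', 'mailserver.company.local', 'mailserver')
$PublicFqdn    = 'mail.company.com'
$MinKeySize    = 2048

# Select the newest certificate in the machine store whose subject CN is the
# public FQDN and which has a private key (the CSR was generated on this box).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$PublicFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($cert -eq $null) {
    Write-Warning "No certificate with CN=$PublicFqdn and a private key found in Cert:\LocalMachine\My"
    return
}

# Read DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
# Format($true) yields one "DNS Name=<host>" entry per line.
$sanNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt -ne $null) {
    foreach ($line in $sanExt.Format($true).Split("`n")) {
        if ($line.Trim() -match '^DNS Name=(.+)$') { $sanNames += $matches[1].Trim().ToLower() }
    }
}

$problems = @()
foreach ($name in $ExpectedNames) {
    if ($sanNames -notcontains $name.ToLower()) { $problems += "SAN missing: $name" }
}
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt $MinKeySize) { $problems += "key size $keySize is below $MinKeySize" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires $($cert.NotAfter)" }

# Build the chain: this fails when the intermediate is missing or the root is untrusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $problems += "chain does not build: " + [string]::Join(', ', [string[]]$status)
}

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning $p }
} else {
    "Certificate looks good. Thumbprint: $($cert.Thumbprint)"
    "Next: Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services IIS"
}
```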
That's it! Your new SSL certificate is now installed.