How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-10-24
This topic explains how to use the Exchange Management Shell to configure your Secure Sockets Layer (SSL) certificates to use multiple host names.
When you deploy your computers that are running Microsoft Exchange Server 2007 that have the Client Access server role installed, you must make sure that all your clients, such as Outlook Web Access and Outlook 2007, will be able to connect to the services by using an encrypted session without receiving an error message that states that the certificate is not trusted.
|For Internet Security and Acceleration (ISA) Server to handle SSL connections to Exchange 2007, you must include the certificate's own subject name as the first SAN entry when you request a certificate to be used on multiple servers or with multiple host names.|
By using the Exchange Management Shell, you can create a certificate request that includes all the DNS host names of your Client Access servers. Clients can then connect to services such as Outlook Anywhere, Autodiscover, POP3 and IMAP4, or Unified Messaging by using any of the host names that are listed in the certificate's alternate names attribute. For example, your users may be able to connect to your Exchange services by specifying the name as shown in the following examples:
Instead of having to require multiple certificates and maintain the configuration of multiple IP addresses and Internet Information Services (IIS) Web sites for each IP port and certificate combination, you can create a single certificate that enables clients to successfully connect to each host name by using SSL or Transport Layer Security (TLS).
You can create a single certificate by adding all the possible DNS name values to the certificate Subject Alternative Name property on the certificate request. A Microsoft Windows-based Certificate Services certification authority should create a certificate for such a request.
|Third-party or Internet-based certification authorities will issue certificates only for DNS names for which you are authorized. Therefore intranet DNS names will likely not be allowed.|
To configure your SSL certificates to use multiple Client Access server host names, do the following:
1. Use the New-ExchangeCertificate cmdlet to create a certificate request file.
2. Send this file to a Windows Certificate Services certification authority and use the Web server template on the Certification Authority page. This will result in a .cer file that can be imported to the Client Access server.
3. Use the Get-ExchangeCertificate cmdlet to determine the thumbprint for your certificate.
4. After you have imported the certificate, assign it to IIS, IMAP4, and POP3 by using the Enable-ExchangeCertificate cmdlet.
To perform the following procedures, the account you use must be delegated the Exchange View-Only Administrator role.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
|Before you perform the following procedures, you must read Managing Client Access Security.|
|As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".|
|There are many variables that you must consider when configuring certificates for SSL or TLS services. You must make sure that you understand how these variables may affect your overall configuration. Before you proceed, read Creating a Certificate or Certificate Request for TLS.|
Run the following command:
New-ExchangeCertificate -GenerateRequest -SubjectName "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -DomainName exchange.contoso.com, CAS01, CAS01.exchange.corp.contoso.com, autodiscover.contoso.com -PrivateKeyExportable $true -Path c:\certrequest_cas01.txt
This command will create a text file that contains a certificate request in PKCS#10 format.
Run the following command:
Import-ExchangeCertificate -path <certificate_file_name>.cer -friendlyname "Contoso CAS01"
To determine the thumbprint, run the following command:
Get-ExchangeCertificate -DomainName "CAS01"
|This command will return multiple certificates if there are several certificates that match the host name that you specified. Therefore, make sure that you select the thumbprint of the correct certificate for your request.|
To assign the certificate to IIS, POP3, and IMAP4, run the following command:
Enable-ExchangeCertificate -thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"
Alternatively, to import the certificate and assign it to the IIS, POP3, and IMAP4 services in a single pipeline, run the following command:
Import-ExchangeCertificate -Path <certificate file name> -FriendlyName "Contoso CAS01" | Enable-ExchangeCertificate -Services "IIS,POP,IMAP"
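The request, import and enablement steps above, wrapped as an added example (this is not code from the original topic). It keeps the subject name as the first SAN entry, as the ISA Server note requires, and refuses to enable a certificate unless exactly one valid one covers every required host name, which is the ambiguity the note under Get-ExchangeCertificate warns about. The host names, file paths and the HasPrivateKey, IsSelfSigned, NotAfter and CertificateDomains properties of the objects returned by Get-ExchangeCertificate are assumptions for the example.

```powershell
# Added example, not code from the original topic. Stage 1 builds the request with the
# subject name as the first SAN entry; stage 2 (once the CA's .cer file exists) imports it
# and enables it only when exactly one valid certificate covers every required host name.
# Host names and paths below are constructed sample values.
$SubjectHost = 'exchange.contoso.com'
$ExtraHosts  = @('CAS01', 'CAS01.exchange.corp.contoso.com', 'autodiscover.contoso.com')
$RequestPath = 'c:\certrequest_cas01.txt'
$CerPath     = 'c:\cas01.cer'          # placeholder: the file returned by the CA

function New-CasCertificateRequest {
    param([string]$Subject, [string[]]$Additional, [string]$Path)
    # Subject first, then the other names with case-insensitive duplicates dropped,
    # so the certificate's own subject is the first SAN entry (needed by ISA Server).
    $seen  = @{}
    $names = @()
    foreach ($n in @($Subject) + $Additional) {
        if (-not $seen.ContainsKey($n.ToLower())) { $seen[$n.ToLower()] = $true; $names += $n }
    }
    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "dc=com,dc=contoso,o=Contoso Corporation,cn=$Subject" `
        -DomainName $names -PrivateKeyExportable $true -Path $Path
    return $names
}

function Enable-CasCertificate {
    param([string[]]$RequiredNames, [string]$Services = 'IIS,POP,IMAP')
    # Assumes Get-ExchangeCertificate objects expose HasPrivateKey, IsSelfSigned,
    # NotAfter, CertificateDomains and Thumbprint.
    $now = Get-Date
    $candidates = @()
    foreach ($cert in Get-ExchangeCertificate) {
        if (-not $cert.HasPrivateKey -or $cert.IsSelfSigned -or $cert.NotAfter -le $now) { continue }
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $missing = @($RequiredNames | Where-Object { $domains -notcontains $_ })
        if ($missing.Count -eq 0) { $candidates += $cert }
    }
    if ($candidates.Count -ne 1) {
        # Several certificates can match one host name; do not guess the thumbprint.
        throw "Expected exactly one matching certificate, found $($candidates.Count). Inspect with: Get-ExchangeCertificate | Format-List"
    }
    Enable-ExchangeCertificate -Thumbprint $candidates[0].Thumbprint -Services $Services
    return $candidates[0].Thumbprint
}

if (Test-Path $CerPath) {
    Import-ExchangeCertificate -Path $CerPath -FriendlyName 'Contoso CAS01'
    Enable-CasCertificate -RequiredNames (@($SubjectHost) + $ExtraHosts)
} else {
    New-CasCertificateRequest -Subject $SubjectHost -Additional $ExtraHosts -Path $RequestPath
}
```

Run the script once to produce the request file, submit that file to the certification authority, save the returned .cer file at the placeholder path, and run the script again to import and enable the certificate.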
For more information about syntax and parameters for the Import-ExchangeCertificate, Enable-ExchangeCertificate, Get-ExchangeCertificate and New-ExchangeCertificate cmdlets, see Global Cmdlets.
For more information about how to create certificates or certificate requests for SSL or TLS, see Creating a Certificate or Certificate Request for TLS.