Managing SSL for a Client Access Server

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Secure Sockets Layer (SSL) is a method for securing communications between a client and a server. For a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, SSL is used to help secure communications between the server and the clients. Clients include mobile devices, computers inside an organization's network, and computers outside an organization's network.

By default, when you install Exchange 2007, client communications are encrypted by using SSL when you use Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere. By default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version 4 rev1 (IMAP4) are not configured to communicate over SSL.

Although most client communications are encrypted by using SSL by default, there are still several options that you can configure for SSL on your Client Access server. You should understand the differences between the various types of SSL certificates and the steps that are required to install and configure these certificates for your Exchange Server 2007 organization.

Managing Digital Certificates

Digital certificates are electronic files that work like an online password to verify the identity of a user or a computer. They are used to create the SSL encrypted channel that is used for client communications. A certificate is a digital statement that is issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption.

Digital certificates do the following:

• They authenticate that their holders—people, Web sites, and even network resources such as routers—are truly who or what they claim to be.

• They protect data that is exchanged online from theft or tampering.

Digital certificates can be issued by a trusted third-party CA or a Microsoft Windows public key infrastructure (PKI) infrastructure by using Certificate Services, or they can be self-signed. Each type of digital certificate has advantages and disadvantages. For more information about the types of certificates, see Understanding SSL for Client Access Servers.

Installing Digital Certificates

If you have chosen a Windows PKI-generated certificate or a trusted third-party certificate, you must install the digital certificate on the server. For more information about how to install a certificate, see How to Install an SSL Certificate on a Client Access Server. For a Windows PKI-generated certificate or the default self-signed certificate, you must install a copy of the certificate on the client computers and mobile devices. In most cases, client computers and mobile devices already have a copy of the trusted third-party certificate in their trusted root certificate store. For more information about how to install certificates on client devices, see How to Install Root Certification Authority Certificates on a Windows Mobile-based Device.

For More Information

For more information about SSL and digital certificates, see the following topics:

• How to Request an SSL Certificate

• How to Obtain a Server Certificate from a Certification Authority

• How to Configure SSL Certificates to Use Multiple Client Access Server Host Names