
Post on 03-Feb-2018


Created by Gulab Prasad www.exchangeranger.com All Rights Reserved.

How to Request and Configure Exchange Server 2013 Certificate

Log in to the Exchange Admin Center (EAC) and click on Servers, then click on Certificates and then click on the + sign.

Click on Next.

Enter a friendly name for the certificate and click on Next.


Click on Next on this window, as we are not going to use a wildcard certificate. Microsoft recommends using a UC certificate and not a wildcard certificate.

Click on the Browse button to select the Client Access Server for which you are requesting the certificate, select the server and click Next.


On this window you specify the URLs for all the virtual directories you are going to use, such as OWA, ECP, EWS, Autodiscover, POP, IMAP, ActiveSync and Outlook Anywhere.

Once it's done, click on Next.

Here you will see all the CN names which will be part of the certificate. If you missed any of the names in the previous step, you can click on the (+) sign to add them. Click Next.


Enter your company information on the above page. Make sure you enter the correct name of the company without .com, .net or .local, and click Next.


Before you enter anything in the above window, make sure you have a share created on one of the servers in the environment where the request file can be saved. In my case I have created it on one of my Exchange 2010 servers. Click Finish after providing the file name.

Now that we have requested the certificate, the next part is to complete it, as the status is showing Pending Request. We have 2 options:

1: Internal Certificate Authority Server

2: Third Party Certificate Authority like GoDaddy, VeriSign, EnTrust, Comodo etc.

It is always recommended to use a third-party Certificate Authority in a production environment. As it's a LAB environment, I will be using the internal CA server.

Go to the CA server, which happens to be my Exchange Server 2010. Open IIS, expand it and go to Default Web Site (in your case it may be different). Click on CertSrv and in the Actions pane click on Browse *:443 (https).


Click on Continue to this website (not recommended).

Click on Request a certificate.

Click on advanced certificate request.


Go to the shared folder where you saved the .req file, open it with Notepad, copy everything in it and paste it here under Base-64-encoded certificate request.

Under Certificate Template, click on the drop-down, select Web Server and click on Submit.

Choose Base 64 encoded, click on Download certificate and save the certificate in the shared folder.


Go to the Exchange Admin Center and click on Complete.


Specify the location including the file name with extension and click on OK. Once you click on OK, the status will change from Pending Completion to Valid.

It's not over yet; there are a few other things which need to be done before we consider it complete.

1. Assign the services to the certificate.

2. Configure all the virtual directories which are in the certificate, like OWA, ECP, EWS etc.

3. Check the SSL settings on the virtual directory.

4. Test OWA, ECP, ActiveSync and Outlook.


Assign the services to the certificate by clicking on the pen sign after you select the correct certificate.
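The request, completion and service assignment done in the EAC above can also be run from the Exchange Management Shell. This is an added example, not part of the original document; the server name EX2013, the share \\FS01\Certs, the file names, the subject fields and the autodiscover name are assumptions.

```powershell
# Added example. Assumed values: server EX2013, share \\FS01\Certs, file names, subject fields.
$server = 'EX2013'
$share  = '\\FS01\Certs'
# Names to place on the UC certificate (the autodiscover name is an assumption).
$names  = 'webmail.exchangeranger.net', 'autodiscover.exchangeranger.net'

# 1. Create the pending request and write the .req file to the share.
#    The private key stays non-exportable unless the same certificate
#    has to be copied to other servers.
New-ExchangeCertificate -GenerateRequest -Server $server `
    -FriendlyName 'Exchange 2013 UC certificate' `
    -SubjectName 'C=US, O=Exchange Ranger, CN=webmail.exchangeranger.net' `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $false `
    -RequestFile "$share\exchange2013.req"

# 2. Once the CA has issued the certificate and it is saved to the share,
#    complete the pending request.
$bytes = [System.IO.File]::ReadAllBytes("$share\certnew.cer")
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes

# 3. Review what was issued before any service uses it.
$issued = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$issued | Format-List Subject, CertificateDomains, Status, NotAfter
if ("$($issued.Status)" -ne 'Valid') {
    throw "Certificate status is $($issued.Status); not assigning services."
}

# 4. Assign the IIS service to the certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS
```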

For Outlook, OWA, ActiveSync, ECP and EWS to work properly, you need to enable at least the IIS service. Run all the commands below in the Exchange Management Shell to configure these virtual directories.

Outlook Web App:

    Get-OwaVirtualDirectory -Server "ExchangeServerName" |
        Set-OwaVirtualDirectory -InternalURL https://webmail.exchangeranger.net/owa -ExternalURL https://webmail.exchangeranger.net/owa

Exchange Control Panel:

    Get-EcpVirtualDirectory -Server "ExchangeServerName" |
        Set-EcpVirtualDirectory -InternalURL https://webmail.exchangeranger.net/ecp -ExternalURL https://webmail.exchangeranger.net/ecp

EWS (Exchange Web Services):

    Get-WebServicesVirtualDirectory -Server "ExchangeServerName" |
        Set-WebServicesVirtualDirectory -InternalURL https://webmail.exchangeranger.net/EWS/Exchange.asmx -ExternalURL https://webmail.exchangeranger.net/EWS/Exchange.asmx

Autodiscover:

    Set-ClientAccessServer "ExchangeServerName" -AutodiscoverServiceInternalUri https://webmail.exchangeranger.net/Autodiscover/Autodiscover.xml

ActiveSync:

    Get-ActiveSyncVirtualDirectory -Server "ExchangeServerName" |
        Set-ActiveSyncVirtualDirectory -InternalURL https://webmail.exchangeranger.net/Microsoft-Server-ActiveSync -ExternalURL https://webmail.exchangeranger.net/Microsoft-Server-ActiveSync

Offline Address Book:

    Get-OABVirtualDirectory -Server "ExchangeServerName" |
        Set-OABVirtualDirectory -InternalUrl https://webmail.exchangeranger.net/OAB -ExternalURL https://webmail.exchangeranger.net/OAB

OutlookAnywhere:

    Set-OutlookAnywhere -Identity "ExchangeServerName\Rpc (Default Web Site)" `
        -InternalHostname webmail.exchangeranger.net -ExternalHostName webmail.exchangeranger.net `
        -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True `
        -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True

If you try to open https://webmail.domain.com/owa (in my case it's https://webmail.exchangeranger.net/owa), it will fail with the below error. The reason it's failing is that SSL required on the OWA virtual directory is checked. You need to uncheck it, as it should not be enabled if you are using SSL offloading. I am not using SSL Offload in the LAB but still I need to disable it.

Click on Apply in the Actions pane after unchecking it.

Also, you need to create an A record in DNS, with the webmail or mail name which is on the certificate, pointing to your CAS server, or to your load balancer VIP if you are using a load balancer.


Now it's time to check whether everything has been configured properly by logging in to OWA, ECP and Outlook.

OWA and ECP are working fine with the certificate prompt, which means you have followed all the steps correctly. In my environment I also have Exchange Server 2010, and I am able to connect to OWA without any issue at all.
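Besides logging in by hand, the host names in the configured URLs can be compared with the names on the certificate and with DNS. This is an added example, not part of the original document; the server name EX2013 and the helper Test-Covered are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell; 'EX2013' is an assumed server name.
$server = 'EX2013'

# The valid certificate currently assigned to IIS on this server.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Status)" -eq 'Valid' -and "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with the IIS service on $server" }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Host names that clients will use, taken from the virtual directory settings.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
    Get-OabVirtualDirectory         -Server $server
)
$urls  = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host.ToLower() })
$oa    = Get-OutlookAnywhere -Server $server
$hosts += @($oa.InternalHostname, $oa.ExternalHostname) | ForEach-Object { "$_".ToLower() }

# Hypothetical helper: exact match, or a wildcard name covering one extra label.
function Test-Covered([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# One row per host: is it on the certificate, and does it have a DNS record?
$hosts | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $h = $_
    [pscustomobject]@{
        Host       = $h
        OnCert     = Test-Covered $h $certNames
        ResolvesTo = $(try { ([System.Net.Dns]::GetHostAddresses($h) |
                              ForEach-Object { $_.IPAddressToString }) -join ', ' }
                       catch { 'no DNS record' })
    }
} | Format-Table -AutoSize
"Certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
```

A row with OnCert False means clients using that URL will get a name-mismatch warning; a row with no DNS record means the A record described above is still missing.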
