Tuesday, February 22, 2011

How to install a certificate in Exchange 2010 using an Internal CA

Hi all,
We can install Active Directory Certificate Services on Windows Server 2008 in order to build an internal PKI. After that you will be able to submit server certificate requests for your Exchange 2010 environment. Bear in mind that you will also need to deploy the Root CA certificate to your client machines so that they trust the issued certificate and you avoid the certificate pop-up message.

Once you have your PKI infrastructure created (one Enterprise CA is enough), go to your CAS server and generate the request:

[PS] C:\>$data=New-ExchangeCertificate -GenerateRequest -SubjectName "c=CA,o=Company,cn=webmail.company.ca" -DomainName webmail.company.net,webmail.company.ca,autodiscover.company.ca,autodiscover.company.net,CAS1,CAS1.test.ca -FriendlyName webmail.company.net -PrivateKeyExportable:$true

Creating a new session for implicit remoting of "New-ExchangeCertificate" command...

[PS] C:\>Set-Content -Path "C:\Cert\cert.req" -Value $data

With this request file you should go to your CA.

Go to "Request a certificate", then "Advanced certificate request", and choose the option:
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.



Note: if you need subject alternative names, add them in the Attributes box as:
SAN:dns="webmail.test.net"&dns="autodiscover.test.net"&dns="webmail.test.ca"&dns="CAS1"&dns="CAS1.test.ca"

Submit the request and save the issued certificate as a .cer file.
Then, on your CAS server, import it:
[PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert\certnew.cer -Encoding byte -ReadCount 0))

Thumbprint                                Services  Subject
----------                                --------  -------
633CB9DE67BD2015F649323593FC95B19B1DA95D  IP....    CN=webmail.test.ca, O=Company, C=CA


[PS] C:\>Enable-ExchangeCertificate -Services "IIS,IMAP,SMTP"

cmdlet Enable-ExchangeCertificate at command pipeline position 1
Supply values for the following parameters:
Thumbprint: 633CB9DE67BD2015F649323593FC95B19B1DA95D

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C51882DC5CE37F08B57C63BB5F1D7BDB944410A7' (expires 4/27/2015 12:32:57 PM)
Replace it with certificate: '633CB9DE67BD2015F649323593FC95B19B1DA95D' (expires 5/3/2012 6:00:34 AM)
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): L

[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
633CB9DE67BD2015F649323593FC95B19B1DA95D IP.WS. CN=webmail.test.ca, O=Company, C=CA
5113A9E9CC355BB8C96C6F986269AFD1584F07C3 ...... C=CA, O=Company, CN=webmail.test.net
C853F48A8A9E8500C3665777A8CF79A2AF30911D ...... C=CA, O=Company, CN=webmail.test.net
C51882DC5CE37F08B57C63BB5F1D7BDB944410A7 .P..S. CN=CAS1

Set the Autodiscover service URL:

[PS] C:\>Set-ClientAccessServer -Identity CAS1 -AutoDiscoverServiceInternalUri https://webmail.test.net/autodiscover/autodiscover.xml

Set the OAB URL:

[PS] C:\>$a=Get-OABVirtualDirectory -Server CAS1
[PS] C:\>Set-OABVirtualDirectory $a -InternalURL https://webmail.test.net/OAB
[PS] C:\>Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -RequireSSL:$true

Set the Web Services URL:

[PS] C:\>$a=Get-WebServicesVirtualDirectory -Server CAS1

Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...

[PS] C:\>Set-WebServicesVirtualDirectory $a -InternalURL https://webmail.test.net/EWS/Exchange.asmx

Set the Exchange ActiveSync URL:

[PS] C:\>$a=Get-ActiveSyncVirtualDirectory -Server CAS1
[PS] C:\>Set-ActiveSyncVirtualDirectory $a -InternalURL https://webmail.test.net/Microsoft-Server-ActiveSync
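
After enabling the certificate and setting the URLs, it is worth checking that the two actually agree: the certificate pop-up comes back as soon as a Client Access URL points at a host name the certificate does not cover, or the Root CA is not trusted on the machine. The script below is an added example, not part of the original post; it assumes the thumbprint from the post, the server name CAS1, and that it runs in the Exchange Management Shell on the CAS.

```powershell
# Added example (not from the original post): verify the enabled certificate chains to
# the internal Root CA and that its names cover every URL the CAS advertises to clients.
# Assumptions: thumbprint and server name taken from the post; run on the CAS itself.
$Thumbprint = "633CB9DE67BD2015F649323593FC95B19B1DA95D"
$Server     = "CAS1"

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 1. Chain check: fails if the Root CA certificate has not been deployed to this machine
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # CRL reachability is a separate check
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: {0}" -f $_.StatusInformation.Trim()) }
}

# 2. Names the certificate is valid for: the CN plus the subjectAltName DNS entries (OID 2.5.29.17)
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($sanExt) {
    $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# 3. Host names the Client Access server is configured with (the URLs set in the post)
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
) | Where-Object { $_ }

# 4. Every advertised host must appear in the certificate (exact, case-insensitive match;
#    wildcard certificates are not handled here). A miss is what triggers the client warning.
foreach ($u in $urls) {
    $hostName = ([Uri]$u).Host
    if ($names | Where-Object { $_ -ieq $hostName }) {
        Write-Host ("OK       {0}" -f $u)
    } else {
        Write-Warning ("NO MATCH {0} (certificate names: {1})" -f $u, ($names -join ", "))
    }
}

# 5. Expiry: the certificate in the post expires 5/3/2012, so give some warning ahead of time
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate expires on {0}" -f $cert.NotAfter)
}
```

Run it again after any change to a virtual directory URL, since a renamed host is the most common reason the warning reappears.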

You must configure this on all CAS servers in your environment; of course, the details depend on your environment.
For further information, contact dario.may@gmail.com. I'll be glad to help you.

-Dario
