Importing and enabling an SSL certificate for Microsoft Exchange has evolved from earlier versions of Microsoft Exchange. Previously you had to use the IIS MMC console to initiate the certificate request. If your mail server is a hosted Exchange solution, this article will not be necessary, as this is taken care of on the hosting end. In this article I will provide 3 easy-to-follow steps to complete this task:
Request the Exchange 2007 certificate
Requesting the certificate requires a lengthy PowerShell command, and one incorrect character or typo may prompt an irritating error. The best way to do this is to use the Exchange certificate request generating tool found at digicert.com/easy-csr/exchange2007.htm.
Here is an example of the command you should receive:
New-ExchangeCertificate -GenerateRequest -Path c:\mail_mybusinessdomain_com.csr -KeySize 2048 -SubjectName "c=GB, s=london, l=london, o=my business, cn=mail.mybusinessdomain.com" -DomainName autodiscover.mybusinessdomain.com, mybusinessdomain.com -PrivateKeyExportable $True
In the example shown above, the common name (CN) will be mail.mybusinessdomain.com. autodiscover.mybusinessdomain.com and mybusinessdomain.com will be subject alternative names, also valid under the certificate once issued. We use multi-named certificates to meet the autodiscover best practices for Exchange 2007, but that is another article on its own.
Now copy the shell command that the Exchange certificate request generator produced and paste it into a PowerShell command prompt on your Exchange server (if you are using Server 2008, remember to right click > Run as administrator). Once this is complete you can locate the file in the root of your C: drive (in our example the file name will be c:\mail_mybusinessdomain_com.csr).
Open this file (c:\mail_mybusinessdomain_com.csr) in Notepad and copy the whole content of the encoded text, including the BEGIN and END lines.
Now go ahead and log in to the control panel of the certificate authority you purchased the SSL certificate from (e.g. GoDaddy, VeriSign etc.) and paste that encoded text, as described above, when instructed by your CA.
Import the Exchange 2007 Certificate
Once the certificate has been issued by your CA, download the “certificate.cer” file to the root of your C: drive on the Exchange server.
Open a PowerShell prompt on your Exchange server and type the following command:
Import-ExchangeCertificate -Path "c:\certificate.cer"
Be sure to copy the thumbprint of the certificate from the command output, as you will need it in the next step.
Once imported, we need to enable the use of the certificate. Next type:
Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "SMTP, IIS" (Do not use [ ] brackets in the thumbprint)
In this case the new certificate would be enabled for OWA, autodiscover and SMTP security, which in most cases is sufficient. You can also use the following service identifiers if you wish to secure other services such as POP or IMAP:
SMTP, POP, IMAP, UM, and IIS. (Use the same command as above and use a comma to separate them.)
That’s it, all done. Now, to test, visit the common name you used to register your certificate (using HTTPS://) to make sure that it’s working as it should. If you do, however, use a hosted Exchange 2007 solution, you may have to create a CNAME record in your DNS. This information can be obtained from your hosted Exchange provider.
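To confirm the outcome of the import and enable steps from the Exchange Management Shell rather than only in a browser, the following added example (not part of the original article) checks the certificate for the usual failure points: missing private key, short key, near expiry, a missing subject alternative name, and a service that was not enabled. Test-ExchangeCertificateReady and its parameters are hypothetical names, and the sample object is constructed to mirror the properties Get-ExchangeCertificate returns.

```powershell
# Added example. Test-ExchangeCertificateReady is a hypothetical helper, not an Exchange cmdlet.
function Test-ExchangeCertificateReady {
    param(
        $Certificate,                  # object returned by Get-ExchangeCertificate
        [string[]]$ExpectedNames,      # common name plus subject alternative names
        [string[]]$ExpectedServices,   # e.g. 'SMTP', 'IIS'
        [int]$MinKeySize = 2048,
        [int]$MinDaysLeft = 30
    )
    $problems = @()

    # If the CSR was generated on another server, the private key is not here
    # and no service can use the certificate for TLS.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key on this server' }

    if ($Certificate.PublicKeySize -lt $MinKeySize) {
        $problems += "key size $($Certificate.PublicKeySize) is below $MinKeySize"
    }

    $daysLeft = ($Certificate.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $MinDaysLeft) { $problems += "expires in $daysLeft day(s)" }

    # -notcontains compares case-insensitively, which suits DNS names.
    $names = @($Certificate.CertificateDomains | ForEach-Object { "$_" })
    foreach ($n in $ExpectedNames) {
        if ($names -notcontains $n) { $problems += "name missing from certificate: $n" }
    }

    # Services renders as a comma-separated flag list such as "IIS, SMTP".
    $enabled = @("$($Certificate.Services)" -split ',' | ForEach-Object { $_.Trim() })
    foreach ($s in $ExpectedServices) {
        if ($enabled -notcontains $s) { $problems += "service not enabled: $s" }
    }
    return ,$problems   # the leading comma keeps an empty result an array
}

# Constructed sample: the issued certificate lacks autodiscover and only SMTP was enabled.
$sample = New-Object PSObject -Property @{
    HasPrivateKey = $true; PublicKeySize = 2048; NotAfter = (Get-Date).AddDays(365)
    CertificateDomains = @('mail.mybusinessdomain.com', 'mybusinessdomain.com')
    Services = 'SMTP'
}
$expected = 'mail.mybusinessdomain.com', 'autodiscover.mybusinessdomain.com', 'mybusinessdomain.com'
Test-ExchangeCertificateReady -Certificate $sample -ExpectedNames $expected -ExpectedServices 'SMTP', 'IIS'

# On the Exchange server, pass the real object instead of the sample:
#   $cert = Get-ExchangeCertificate -Thumbprint '<thumbprint from the import step>'
```

An empty result means every check passed; each returned string names one problem to fix before pointing clients at the server.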