Exchange 2010 Training - Module 02 Lesson 03 Part 1 Installing an SSL Certificate

In this video we're going to take a look at installing an SSL certificate for Exchange Server 2010. Exchange Server 2010 uses SSL to secure the various web services that it provides, such as Outlook Web Access, ActiveSync and Autodiscover. Now, when you first install your Exchange server it will automatically configure what is known as a self-signed certificate and bind that to IIS so that it can secure those services by default, right from the moment it's installed. If you're installing your server on a standalone server or a member server in your Active Directory, what you should see in the Server Configuration section of the Exchange Management Console is this Microsoft Exchange self-signed certificate. It says Self Signed: True, and it will probably be bound to all of the services: IMAP, POP, SMTP and IIS. If you have a look at it a little bit closer you'll see that it's been issued to the Exchange server by the Exchange server; that's a self-signed certificate. If you drill into it a little bit more, in the subject alternative names you'll see that it's been configured with two names, which are the short name of the server and the fully qualified domain name.

Now, if you're limited for resources and you've installed your Exchange server onto your domain controller that is also your certificate authority, you'll more likely end up with this certificate here, which has no name but isn't self-signed and is bound to IMAP, POP, IIS and SMTP. Let's take a closer look at that one. You can see here that it was issued to the Exchange server, and this time it was issued by the CA itself, so it's not a self-signed certificate; it's actually been issued by the CA, and this is a situation that will only occur automatically if you're installing Exchange directly on the CA. We'll have a little bit closer look at the details. Okay, you can see that it's got the fully qualified domain name, and that's good as well.

Now the issue is that neither of these certificates is really useful for us. The self-signed certificate has the problem that it is not going to be trusted by any connecting clients, because it's not been issued by a trusted CA, and the certificate that has been issued by the trusted CA doesn't have the correct names configured on it, in those subject alternative names, for all the different services that we're going to be running. So what we're going to do is provision a new Exchange certificate, and we can do that over here in the Actions pane with the New Exchange Certificate wizard, or of course by right-clicking on the server and choosing New Exchange Certificate.

First of all we just need to give the certificate a friendly name. That's just a name that makes it easy for you to visually identify it when you see it in the list of other certificates, so I'll just call mine "Exchange 2010 Certificate". Now, wildcard certificates are optional; they are supported by Microsoft for use in Exchange, although there are some specific unsupported scenarios, which are mostly around integration with other systems such as OCS. Some people prefer not to use wildcard certificates for security reasons, but in a single-server scenario there's not really a security reason not to. The reason I don't like using wildcard certificates is because you don't really learn anything about how to properly configure a subject alternative name if you just fall back on using a wildcard, so don't choose a wildcard certificate at this point.

Now what we get to do here is configure the various DNS names for each of the services that the Client Access server provides. So let's have a look first at the Outlook Web App service. We get the option to choose whether we'll be using Outlook Web App on the intranet and on the Internet. I'm going to say yes to the intranet, and we can see that it automatically populates this field with the fully qualified domain name of the server. I also want to use Outlook Web App on the Internet, so I'm going to tick that box as well, and what you see here is that it's automatically populated that field with the name that I chose during Exchange Server installation as being my external host name. As I said back during the install, if you didn't want to choose an external name then that's fine, you'll just need to manually enter those details here, but if you did choose one during setup this is one of those examples where it saves you a little bit of time. So I'm happy with OWA. Let's have a look at ActiveSync as well: that one's been ticked automatically and once again has been populated with that external name of mail.exchangebootcamp.com that I configured during Exchange setup. Carrying on down the list, Web Services enabled, that's fine. Outlook Anywhere: what I'm going to do for Outlook Anywhere is get rid of the internal domain name and just have the external name available there. For Autodiscover, what we want is an Autodiscover name for each of the main names that are going to be a primary SMTP address for users in the organization. Now, because I want to be able to send and receive email on the Internet, exchangebootcamp.local, the local domain, is not going to be suitable; what I'm actually going to use is exchangebootcamp.com for my SMTP addresses, and that's something we'll configure in a lesson that's coming up a little bit later, but for now we'll just put in autodiscover.exchangebootcamp.com so that we have an Autodiscover name for the primary SMTP namespace. The Hub Transport server has the option of using TLS to secure mail; I'm going to accept that and once again put in mail.exchangebootcamp.com. I'm not going to worry about POP and IMAP at this point, and the legacy Exchange server name is really only required if you're going to be doing what's known as coexistence between a previous version of Exchange and Exchange Server 2010, so it's really only in migration and upgrade scenarios and it's not really applicable to us here, so I'm going to leave that one blank and click Next.

What you end up with is this consolidated list of domain names that you entered in the previous step, so you have an opportunity now to add or remove some of those names or edit them, and you can also choose which one is going to be the common name, which is basically just the first name on a subject alternative name certificate. I'm happy with mail.exchangebootcamp.com being my common name, and also to have the Autodiscover name and the fully qualified domain name of the server on that certificate, so I'll go ahead and click Next.

Now it's time to fill out some organization information. If you're going to do what I'm doing, which is to issue your certificate from your internal CA, your private CA, this organizational information is not that important, but if you are planning to purchase a certificate from a commercial provider it becomes a little bit more important that you get this correct. You should read the requirements that are listed on that certificate provider's website as to exactly how this needs to be matched up, and in most cases you'll find it needs to match up fairly closely, if not exactly, with the WHOIS information for your domain name. If you don't quite get it right you may find that there's just some additional paperwork involved to prove your identity for the certificate that you're requesting from them. So I've gone ahead and filled out that information there, and the last step is to choose a location to save the certificate request file. I'm just going to save it here, overwriting the one I created previously; actually, I'll delete that one and just use the same file name again. Alright, I'm happy with all that, so I'll just click New to proceed. The New Exchange Certificate wizard completed successfully, generating that certificate request file for me, so I'll click Finish to close down the wizard.

Let's have a look at the file that it created. I can find it here on my C drive in the admin folder, where I told it to write the file, and I'm just going to open that file in Notepad. So that's what a certificate request looks like. It's not something you can read in any way, but that's the information that you're going to need to submit to your certificate authority. So let's go ahead and do the next step now, which is requesting the certificate from the certificate authority. On the Exchange server I open Internet Explorer and just type in the name of the Exchange server; I use the full name and the virtual directory of the certificate server, certsrv. Now, if you're like me and you get prompted with this authentication problem, you might find that no matter what you enter, even if you enter the correct password, you can't get in. If you have any trouble getting in after you've entered that password, I'll just show you a quick pointer: go into IIS Manager and just drill down to the certsrv folder, open up Authentication, click on Windows Authentication and click on Providers, and you may need to put NTLM at the top. So if you're having trouble logging on to your Certificate Services web enrollment pages, just move NTLM up to the top. I'll just restart that and make sure it works. There we go. So if you have any trouble, just check that provider setting.

Now what we want to do is request a certificate, so click that link. We're going to submit an advanced certificate request, and we're going to submit a certificate request using a base64-encoded file, and that brings up this form here. What we want to do is take all of this text in our certificate request, copy it and paste it in here. The next thing you want to do is change the certificate template to Web Server, and then finally just click Submit. If you get this prompt about the website attempting to perform a digital certificate operation on your behalf, you say Yes.

Now we get the opportunity to download that certificate, so click the link to download the certificate, and I will save that to my C drive in the admin folder again. I've got certnew.cer; that's fine. Okay, we don't need that page anymore, let's minimize it, and there's the new certificate sitting there on the C drive in the admin folder where I told it to save. So back to the Exchange Management Console. What we have here is a pending certificate request, so what we can do is right-click that and select Complete Pending Request, and then just browse and locate that certificate that you downloaded from your certificate authority and click Complete. That completed successfully, so what you should have now is the certificate name that you chose, with Self Signed: False because it was issued by a certificate authority, not self-signed by the Exchange server itself, and it should have a status of "The certificate is valid for Exchange Server usage". At the moment you'll find that it's not bound to any services, or perhaps it's bound to IMAP and POP by default, but IIS is the one that we actually want it to be configured for. So the final step is to right-click and Assign Services to Certificate. The wizard adds in the server that we're already logged on to by default, so just click Next, and we'll add in SMTP and IIS, click Next to continue and then Assign. Yes, we do want to overwrite the existing default SMTP certificate, so say Yes to that, and that completed successfully.

So let's test and see whether or not that certificate is actually installed correctly. Go back to your web browser and go to https://, your full server name, and then /owa and press Enter, and what you'll see is the Outlook Web App login page. Just have a look at the little padlock icon at the top of Internet Explorer and view the certificate. What we can see is the certificate that was issued to mail.exchangebootcamp.com by the boot camp CA, so mail.exchangebootcamp.com is the common name that we chose. Then drill down into the Details and we can see the subject alternative names that we also configured are also there. So it's a valid certificate as far as the client is concerned: it's come from a trusted CA, it matches the name that we're connecting to, and it is still within its validity period, so therefore there are no SSL errors in Internet Explorer and we can connect to Outlook Web App. So now we've got an SSL certificate configured for Exchange Server, and you can move on to the next lesson.
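The same procedure the video walks through in the Exchange Management Console (generate the request, complete the pending request with the CA-issued certificate, assign it to IIS and SMTP, then confirm what a client sees) can be done from the Exchange Management Shell. The following is an added example written for this page, not code from the video or from Microsoft; it uses the Exchange 2010 cmdlets New-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate and Get-ExchangeCertificate. The names mail.exchangebootcamp.com and autodiscover.exchangebootcamp.com come from the video; the C:\admin paths, the certnew.cer file name (the default name the AD CS web enrollment download uses), the organization fields in the subject, and the Test-ExchangeSslEndpoint helper are assumptions for illustration. It adds two checks the wizard does not force on you: it refuses to bind a certificate whose subject alternative names are missing any of the required names, and it validates the served certificate the way a client would (trusted chain plus name match) before declaring success.

```powershell
# Added example (not from the video): provisioning the Exchange 2010 certificate from the
# Exchange Management Shell, with a SAN check before binding and a client-side check after.
# Assumed values: C:\admin paths, certnew.cer, and the O/L/S/C subject fields below.

$Server         = $env:COMPUTERNAME
$ServerFqdn     = [System.Net.Dns]::GetHostEntry($Server).HostName      # e.g. ex01.exchangebootcamp.local
$CommonName     = "mail.exchangebootcamp.com"                            # first SAN entry = common name
$RequiredNames  = @($CommonName, "autodiscover.exchangebootcamp.com", $ServerFqdn)
$RequestPath    = "C:\admin\exchange2010.req"                            # assumed path
$IssuedCertPath = "C:\admin\certnew.cer"                                 # assumed path, AD CS default file name

# Step 1: generate the certificate signing request (no wildcard; every service name is listed).
# The subject fields only matter to a commercial CA, which matches them against WHOIS.
$Request = New-ExchangeCertificate -GenerateRequest `
    -Server $Server `
    -FriendlyName "Exchange 2010 Certificate" `
    -SubjectName "CN=$CommonName,O=Exchange Boot Camp,L=City,S=State,C=US" `
    -DomainName $RequiredNames `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path $RequestPath -Value $Request
Write-Host "Submit $RequestPath to the CA (Web Server template) and save the result as $IssuedCertPath"

# Step 2: once the CA has issued certnew.cer, complete the pending request.
$Imported = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path $IssuedCertPath -Encoding Byte -ReadCount 0))
$Cert = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

# Step 3: refuse to bind a certificate that would still produce client errors.
$Domains = $Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$Missing = $RequiredNames | Where-Object { $Domains -notcontains $_.ToLower() }
if ($Cert.IsSelfSigned)      { throw "Certificate $($Cert.Thumbprint) is still self-signed" }
if ($Cert.Status -ne "Valid") { throw "Certificate status is '$($Cert.Status)', expected 'Valid'" }
if ($Missing)                 { throw "Certificate is missing required names: $($Missing -join ', ')" }

# Step 4: assign IIS and SMTP. -Force answers the 'overwrite the default SMTP certificate' prompt.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP -Force
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint | Format-List FriendlyName,Subject,Issuer,CertificateDomains,Services,IsSelfSigned,NotAfter

# Step 5 (assumed helper): the padlock check without a browser. SslStream's default
# validation throws unless the chain is trusted AND the certificate matches $HostName.
function Test-ExchangeSslEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $Client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false)
        $Ssl.AuthenticateAsClient($HostName)
        $Remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            HostName   = $HostName
            Subject    = $Remote.Subject
            Issuer     = $Remote.Issuer
            NotAfter   = $Remote.NotAfter
            Thumbprint = $Remote.Thumbprint
        }
    }
    finally { $Client.Close() }
}

# Check every name clients will actually use, not just the one you happened to browse to.
foreach ($Name in @($CommonName, "autodiscover.exchangebootcamp.com")) {
    Test-ExchangeSslEndpoint -HostName $Name | Format-List
}
```

Run it in two halves: everything through Set-Content before you visit the certsrv web enrollment page, and the rest after certnew.cer is downloaded. The Step 5 check must be run from a machine that trusts the issuing CA (a domain member, in the private-CA case shown in the video), otherwise AuthenticateAsClient fails for the same reason Internet Explorer would show a certificate error.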
