Deploying SSL Certificates on MS Exchange and EMC

Contents
1. Certificate Deployment on Exchange
   1.1 Exchange Server 2007
   1.2 Exchange Server 2010
   1.3 Exchange Server 2013
2. Install Root Certificate on EMC Server (if required)
To enable SSL for email accounts, the following are required:

Server Certificate: This is generated by submitting a certificate request to a certificate authority for the Exchange server; the issued certificate is then added to the Exchange server.
Root Certificate: The standard root certificates (VeriSign, Thawte etc.) should be present by default, built in to all standard operating systems. If not, they can be downloaded from the certificate authority websites.

SSL security requires that you configure a server-side certificate on the Exchange server and that the corresponding root certificate be present on the EMC (EMS) server. This knowledge base article documents in brief the process for certificate creation and deployment on Microsoft Exchange, the email server with which Elite Multichannel is certified. The process described is a summary for help purposes only. We recommend consulting the Microsoft site for complete and definitive documentation and process:

Exchange Server 2007: http://technet.microsoft.com/en-sg/library/bb851505(v=exchg.80).aspx
Exchange Server 2010: http://technet.microsoft.com/en-us/library/gg502577(v=exchg.141).aspx
Exchange Server 2013: http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
1. CERTIFICATE DEPLOYMENT ON EXCHANGE

The following are the steps to install a certificate in Exchange Server (2007/2010/2013) and use it with EMC for secured email.

1.1 EXCHANGE SERVER 2007

Click on the Start menu, go to All Programs, then Microsoft Exchange Server 2007 and click on Exchange Management Shell.

1. Generate a CSR

Run the New-ExchangeCertificate command below, replacing the appropriate values with your own. Example (entered as one line):

    New-ExchangeCertificate -domainname mail.google.com, google.com, google.local, autodiscover.google.com, server01.google.com, server01 -Friendlyname google.com -generaterequest:$true -keysize 2048 -path c:\certrequest.txt -privatekeyexportable:$true -subjectname "c=us, o=google Inc., cn=server01.google.com, s=california, l=mountain View, ou=it"

Details of the various command line parameters are as follows:

-domainname
  Explanation: Enter all of the names that you determined you needed to secure in the step above.
  Examples: mail.google.com, autodiscover.google.com, google.com, google.local, Server01.google.local, Server01

-Friendlyname
  Explanation: Any name you want to use to keep track of the certificate on this server.
  Examples: my google certificate

-keysize
  Explanation: The size of the key that is generated. Bigger numbers are more secure but can be slower. Use at least 1024.
  Examples: 1024, 2048

-path
  Explanation: The location where you want to save the CSR.
  Examples: c:\certrequest.txt

Common Name (cn=)
  Explanation: Enter the first name in your list above. This is the most visible name in the certificate (the other names are listed as Subject Alternative Names and are not displayed as clearly).
  Examples: mail.yourdomain.com

Organization (o=)
  Explanation: The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. Do not include commas or the command won't work.
  Examples: Google Inc.

Organizational Unit (ou=)
  Explanation: The division of your organization handling the certificate.
  Examples: Information Technology, Web

City/Locality (l=)
  Explanation: The city where your organization is located.
  Examples: Mountain View

State/province (s=)
  Explanation: The state/region where your organization is located. This shouldn't be abbreviated.
  Examples: California

Country/Region (c=)
  Explanation: The two-letter ISO code for the country where your organization is located.
  Examples: US, GB
[Screenshot: output of the New-ExchangeCertificate command in the Exchange Management Shell]

2. Once you have generated a CSR you can use it to order the certificate from a certificate authority.

3. Install the Certificate

To install your newly acquired SSL certificate in Exchange 2007, first copy the certificate file somewhere on the server and then follow these instructions:

a. Click on the Start menu, go to All Programs, then Microsoft Exchange Server 2007 and click on Exchange Management Shell.

b. Run the Import-ExchangeCertificate command below, replacing the appropriate values with your own. Make sure to specify the path to the certificate file you downloaded, and remove any services that you will not be using. The imported certificate is piped straight into Enable-ExchangeCertificate so that its thumbprint does not have to be typed by hand. Example:

    Import-ExchangeCertificate -path c:\google.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP
If you didn't receive any errors, then it should have installed correctly.

c. Run the Get-ExchangeCertificate command to verify that the certificate is enabled for the correct services. If you aren't sure which thumbprint it is, you can view the thumbprint of the certificate you just installed by double-clicking it and looking for the thumbprint on the Details tab.

[Screenshot: output of the Get-ExchangeCertificate command in the Exchange Management Shell]

d. If the certificate isn't enabled for the correct services (S=SMTP, I=IMAP, P=POP, U=Unified Messaging, W=Web/IIS), you need to run the Enable-ExchangeCertificate command below. You can copy the thumbprint from the output of the Get-ExchangeCertificate command that you just ran.

    Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -thumbprint 896B74B25F7EBF330C93E56DA2A76CFC6A7

e. After running the Enable-ExchangeCertificate command, run the Get-ExchangeCertificate command again to verify that the certificate is enabled for the correct services.
1.2 EXCHANGE SERVER 2010

1. Create your CSR with the Exchange Management Console

Start the Exchange Management Console by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.

a. Click the link to "Manage Databases."
b. Select "Server Configuration" in the menu on the left, and then "New Exchange Certificate" from the Actions menu on the right.
c. When prompted for a friendly name, enter a name by which you will remember this certificate in the future. This name is not an integral part of your certificate request.
d. Under Domain Scope, you can check the box if you will be generating the CSR for a wildcard. Otherwise, just click Next. If you do select that box for a wildcard, skip to step e.
e. In the Exchange Configuration menu, select the services which you plan on running securely, and enter the names through which you connect to those services, as prompted. At the next screen, you will be able to review a list of the names which Exchange 2010 suggests you include in your certificate request. Review those names.
f. Your Organization should be the full legal name of your company. Your Organizational Unit is your department within the organization. If you do not have a state/province, enter the city information again.
g. Click "Browse" to save the CSR to your computer as a .req file, then Save, then Next, then New, and then Finish.
h. You should now be able to open the CSR as a Notepad or WordPad file, and you can copy the entire body of that file into any third-party certificate generation online order process.
i. After you receive the certificate from the third party you can install it.
2. Create your CSR with the Exchange Management Shell

Follow the instructions below:

a. Start the Management Shell by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Shell. From the Exchange Management Shell command line, type the following, replacing the appropriate values with your own:

    New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=us, l=yourlocalityorcity, s=yourstateorprovince, o=yourcompanyinc, cn=yourfirstdomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true

This command should be entered into the management shell as one line. Make sure to replace the details listed in this sample command with the details of your own organization as explained above. Notice that the first domain name is listed inside the -SubjectName after "cn=", and additional domain names are added after the -DomainName parameter with commas between them. You can add as many additional domain names as necessary.

b. Your CSR will be printed to the management shell after running this command. To copy it from the management shell, you will need to right-click and choose "Mark". You can now paste the entire contents, including the BEGIN and END tags, into any online third-party certificate generation order form.

If you want the CSR written to a file on your machine instead, capture the output of the request command in a variable and write that variable out with Set-Content immediately after generating it (the file is not created unless $Data holds the request):

    $Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=us, l=yourlocalityorcity, s=yourstateorprovince, o=yourcompanyinc, cn=yourfirstdomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true
    Set-Content -Path "C:\your_CSR_name.csr" -Value $Data
3. Installing the certificate with the Exchange Management Console

Once you have received the certificate from the third-party certificate provider, follow the steps below to install it on your Exchange server.

a. Download your certificate. Your certificate file will be named your_domain_name.cer.
b. Copy the your_domain_name.cer file to your Exchange server.
c. Start the Exchange Management Console by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
d. Click the link to "Manage Databases", and then go to "Server Configuration".
e. Select your certificate from the menu in the center of the screen (listed by its friendly name), and then click the link in the Actions menu to "Complete Pending Request".
f. Browse to your certificate file, then click Open > Complete. Frequently Exchange 2010 will show an error message stating that "The source data is corrupted or not properly Base64 encoded." Ignore that error. Hit F5 to refresh the certificate and verify that it now says "False" under "Self Signed". If it still shows "True", you may have selected the wrong certificate or you may have generated the request on a different server. To fix this, you will need to create a new CSR on this Exchange server and reissue the certificate.
g. Now, to enable your certificate for use, go back to the Exchange Management Console and click the link to "Assign Services to Certificate".
h. Select your server from the list provided, then click Next.
i. Select the services for which you would like to enable your new certificate, then click Next > Assign > Finish.

4. Installing the certificate with the Command Line Interface

If you prefer to install your certificate using the Exchange PowerShell, you can run the following command (as one line), replacing the appropriate values with your own. The imported certificate is piped into Enable-ExchangeCertificate so that the correct thumbprint is used:

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\your_domain_name.p7b -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP"
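The command-line install above, and the "verify it is enabled for the correct services" step from the Exchange 2007 section (1.1, steps c to e), combined into one added PowerShell example that is not part of the original article: it imports the issued certificate, checks the three things the console steps tell you to look at (Self Signed must be False, the names you need must be present, and the certificate must be in its validity period) before enabling it, then reads it back to confirm the services took. The file path, expected names and service list are placeholders; it assumes the Exchange 2010 Management Shell, where -Force on Enable-ExchangeCertificate suppresses the overwrite-default-SMTP-certificate prompt.

```powershell
# Added example (not from the original article): import, check, enable, confirm.
# Placeholders to replace with your own values:
$CertFile      = 'C:\your_domain_name.p7b'
$ExpectedNames = @('mail.yourdomain.com', 'autodiscover.yourdomain.com')
$Services      = 'IIS,POP,IMAP,SMTP'

# Import the issued certificate; -FileData takes the raw bytes of the file.
$Bytes    = [Byte[]]$(Get-Content -Path $CertFile -Encoding byte -ReadCount 0)
$Imported = Import-ExchangeCertificate -FileData $Bytes
$Cert     = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

# Check 1: the pending request must have been completed. IsSelfSigned is the
# "Self Signed" column in the console; True means the wrong certificate or the
# wrong server was used for the request.
if ($Cert.IsSelfSigned) {
    throw "Certificate $($Cert.Thumbprint) is still self-signed; create a new CSR on this server and reissue."
}

# Check 2: every name clients connect with must be in the certificate,
# otherwise they will see a name-mismatch warning.
$CertNames = @($Cert.CertificateDomains | ForEach-Object { $_.ToString() })
$Missing   = @($ExpectedNames | Where-Object { $CertNames -notcontains $_ })
if ($Missing.Count -gt 0) {
    throw "Certificate does not cover: $($Missing -join ', ')"
}

# Check 3: reject a certificate that is already expired or not yet valid.
$Now = Get-Date
if ($Cert.NotBefore -gt $Now -or $Cert.NotAfter -lt $Now) {
    throw "Certificate is not valid today (valid $($Cert.NotBefore) to $($Cert.NotAfter))."
}

# Enable the certificate for the required services, then re-read it to confirm
# (the Get-ExchangeCertificate re-check from the 2007 section, automated).
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services $Services -Force
$Cert    = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Enabled = @($Cert.Services.ToString() -split ',\s*')
$NotOn   = @($Services -split ',' | Where-Object { $Enabled -notcontains $_ })
if ($NotOn.Count -gt 0) {
    throw "Certificate was not enabled for: $($NotOn -join ', ')"
}
"Certificate $($Cert.Thumbprint) enabled for $($Cert.Services), expires $($Cert.NotAfter)"
```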
1.3 EXCHANGE SERVER 2013

1. The certificate request can be generated using the Exchange Administration Center.

a. Open the Exchange Administration Center in your web browser and navigate to Servers > Certificates.

[Figure: Managing certificates in the Exchange Administration Center]

b. Click the + button to start the new Exchange certificate wizard. Choose to create a new certificate request and click Next to continue.
[Figure: Start the new Exchange certificate wizard]

c. Give the new certificate a friendly name and click Next to continue.

[Figure: Give the certificate a friendly name]

Do not choose to create a wildcard certificate. Although wildcards are supported for Exchange, they are not supported for some interoperability scenarios with other server products. Click Next to continue.
Click Browse and choose an Exchange server to store the certificate request (this is the server that will hold the pending certificate request while you wait for the certificate to be issued). In this example I am storing it on the server E15MB1. Click Next to continue.

[Figure: Select a server to place the pending certificate request]

Click the Edit button and enter the domain name that you will be using to connect to each service, for example mail.exchange2013demo.com for OWA.
[Figure: Configure the names to add to the certificate request]

If multiple services such as OWA, OAB, OA, EWS and ActiveSync will be using the same external name, you only need to enter the name once for one of the services, and then you can click Next to continue. A consolidated list of names is presented. Note that the server's NetBIOS name (short name) will be present in this list, and other unwanted names may also appear, depending on how you completed the previous step. Remove any of the names that you do not want to be included in the SSL certificate.
[Figure: Remove names that certificate authorities will not issue SSL certificates for]

In particular, a commercial certificate authority will not issue you a certificate for a server's NetBIOS name, an IP address, or a namespace that you can't verify that you own (e.g. a .local domain), so you must remove any of those names from your certificate request before you click Next to continue.

Enter your organization details and click Next to continue. For some certificate providers this information needs to match the information that is in the public WHOIS data for the domains that you are requesting a certificate for. If it does not match, there may be some additional manual verification steps required before the certificate will be issued, which may slow down the process a little.
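The name clean-up described in the two paragraphs above, as an added PowerShell example that is not part of the original article: it applies the same three rules (drop IP addresses, NetBIOS short names and .local names, and collapse duplicates that differ only in case) to a constructed sample list of the kind the wizard presents. The function name is hypothetical.

```powershell
# Added example (not from the original article). Returns only the names a
# public CA can issue for; everything removed is reported with Write-Warning.
function Select-PublicCertificateName {
    param([Parameter(Mandatory=$true)][string[]]$Names)
    $Keep = New-Object System.Collections.Generic.List[string]
    foreach ($Name in $Names) {
        $n  = $Name.Trim().ToLowerInvariant()
        $ip = $null
        # Rule 1: IP addresses (v4 or v6) are not issued for.
        if ([System.Net.IPAddress]::TryParse($n, [ref]$ip)) {
            Write-Warning "Removing IP address '$Name'"
            continue
        }
        # Rule 2: a name with no dot is the server's NetBIOS short name.
        if ($n -notmatch '\.') {
            Write-Warning "Removing NetBIOS short name '$Name'"
            continue
        }
        # Rule 3: .local is an internal namespace whose ownership cannot be verified.
        if ($n -match '\.local$') {
            Write-Warning "Removing unverifiable internal name '$Name'"
            continue
        }
        # Keep the rest, once each (names were lower-cased above).
        if (-not $Keep.Contains($n)) { $Keep.Add($n) }
    }
    return $Keep.ToArray()
}

# Constructed sample list, modelled on the consolidated list the wizard shows.
$Proposed = @(
    'mail.exchange2013demo.com', 'autodiscover.exchange2013demo.com',
    'E15MB1', 'e15mb1.exchange2013demo.local', '192.168.1.10',
    'Mail.exchange2013demo.com'
)
Select-PublicCertificateName -Names $Proposed
```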
[Figure: Enter your organization details]

Enter a valid UNC path to store the certificate request file, and click Finish.
[Figure: Choose the location for the certificate request file to be generated]

The pending certificate request is now visible in the Exchange Administration Center.

[Figure: A pending certificate request for Exchange 2013]

The certificate request file can also be found in the UNC path that was nominated.
[Figure: Certificate request file]

If you refresh the EMC (use the circle arrow) you will now see the pending request waiting to be answered by your new certificate. To answer it, click the Complete button on the far right-hand side. Once clicked, simply enter the path to the certificate you will have received from your certificate provider.
The certificate will now import. Next, decide which services the certificate will apply to: SMTP, IMAP, POP and IIS. Exchange 2013 is then set up to use the certificate you have applied and will use it for those services.
2. INSTALL ROOT CERTIFICATE ON EMC SERVER (IF REQUIRED)

This section is optional and required only if self-signed certificates are being used. The standard root certificates (VeriSign, Thawte etc.) should be present by default, built in to all standard operating systems.

Open the Certificates MMC console (Start > Run > mmc). Open the menu path File > Add/Remove Snap-in.
a. In the "Add/Remove Snap-in" dialog box, click Add.
b. Select the "Certificates" snap-in, and click "Add".
c. Select the "Computer account" radio button, and click "Next".
d. Select "Local computer", and click Finish to open the Certificates snap-in in the MMC console.
e. Right-click the Certificates folder inside "Trusted Root Certification Authorities", and select "All Tasks > Import" from the context menu.
f. This starts the "Certificate Import Wizard". Click "Next" on the Welcome screen.
g. Select the physical location of the Root CA certificate to import. Locate the file in the Open dialog box and click "Open".
h. In the "Certificate Store" screen, keep the default selection and click "Next".
i. In the "Completing the Certificate Import Wizard" screen, click "Finish" to finish the import.
j. "The import was successful" message will be displayed. Open the "Certificates" folder inside the "Trusted Root Certification Authorities" tree in the Certificates MMC console. Check that you can locate the newly imported certificate there.
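The same root certificate import done from an elevated PowerShell prompt, as an added example that is not part of the original article. It uses the .NET certificate store classes so it works on older Windows versions without the PKI module, and it adds two checks the wizard does not make: that the file really is a self-signed CA certificate (only those belong in Trusted Root) and that its thumbprint matches a value you obtained from the CA administrator out of band. The file path and expected thumbprint are placeholders.

```powershell
# Added example (not from the original article). Placeholders to replace:
$CaFile             = 'C:\certs\RootCA.cer'
$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-YOUR-CA-ADMINISTRATOR'

$Ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile

# Check 1: only a CA certificate belongs in Trusted Root. A self-signed root has
# Subject equal to Issuer and a Basic Constraints extension with CA = true.
$Basic = $Ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($Ca.Subject -ne $Ca.Issuer -or -not $Basic -or -not $Basic.CertificateAuthority) {
    throw "$CaFile is not a self-signed CA certificate; do not add it to Trusted Root."
}

# Check 2: trust the certificate only if its thumbprint was confirmed out of band.
$Expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
if ($Ca.Thumbprint -ne $Expected) {
    throw "Thumbprint $($Ca.Thumbprint) does not match the expected value."
}

# Import into Trusted Root Certification Authorities of the local computer
# (the same store the MMC steps above use). Requires an elevated prompt.
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if (-not $Store.Certificates.Contains($Ca)) { $Store.Add($Ca) }
$Store.Close()

# Verify, as step j does in the console: the certificate must now be listed.
$Installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Ca.Thumbprint }
if (-not $Installed) {
    throw "Import failed: $($Ca.Thumbprint) not found in Trusted Root."
}
"Imported $($Ca.Subject) ($($Ca.Thumbprint)), valid until $($Ca.NotAfter)"
```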