Creating Certificate with multiple Subject Alternative Name (SAN) for Exchange 2010 and ISA 2006 using local certificate authority (CA)
I'm deploying Exchange 2010 for 6000 users/mailboxes and migrating them from Exchange 2003. I've found that creating and managing the certificate is quite complicated, or rather confusing. I decided to blog it so I could refer back to it and hopefully help others!
I'm generating a new cert with multiple Subject Alternative Names (SAN) to be used in the following design:
ISA01 -> ExchCAS00 (VIP for ExchCAS01 and ExchCAS02) -> Mailbox servers
Published DNS names:
1. webmail.companyA.com (existing Exchange 2003 to be migrated)
2. webmail2.companyA.com (current pilot user)
3. autodiscover.companyA.com
4. ExchCAS00.company.com
5. ExchCAS01.company.com
6. ExchCAS02.company.com
7. legacy.companyA.com (For Exchange co-existence on OWA)
I'm adding the internal CAS/HUB hostnames into the cert because some internal software somehow uses the local hostname. Otherwise, you should not need to do so.
Creating Certificate with multiple Subject Alternative Name (SAN) for Exchange 2010 and ISA 2006 using local certificate authority (CA)
1. You need to run New-ExchangeCertificate on Exchange 2010 to generate the certificate request
a. Example: New-ExchangeCertificate -DomainName webmail2.companyA.com, webmail.companyA.com, internalhostname.companyA.com, internalhostnameA.companyA.com, autodiscover.companyA.com -FriendlyName Exchange2010Cert -GenerateRequest:$True -KeySize 1024 -Path c:\temp\Exchange2010Cert-<<date>>.req -PrivateKeyExportable:$true -SubjectName "CN=webmail2.companyA.com"
2. Once you have the .req file, you need to copy its content and paste it into the CA web page when submitting the request
3. Access the local CA at http://localCA/certsrv. There are a few steps to be done to obtain the .cer file.
a. Request a certificate, and choose the advanced request option
b. Choose “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” and continue
c. Paste the content of the .req file and Submit
d. Open an MMC console and add the Certificate Authority snap-in for the CA to be managed
e. Look for the request you submitted (in the Pending Requests folder) and issue it.
f. Go back to http://localCA/certsrv and download the certificate from “View the status of a pending certificate request”. Look for the certificate you have just issued. Download and save the file on the Exchange 2010 server (where you generated the .req file).
4. Connect to the Exchange 2010 server (where you generated the .req file). There are 2 methods to complete the request. I chose the GUI mode; the command line is described at http://technet.microsoft.com/en-us/library/bb124424.aspx.
5. Click Complete Certificate Request using the .cer file copied from the CA.
6. You will need to assign the imported cert to the server's services. Again there are 2 methods, and I chose the GUI mode; the command line is described at http://technet.microsoft.com/en-us/library/bb124424.aspx.
7. Go to Default Web Site >> Bindings >>, choose the right imported cert and you are done.
8. If you want to use the same cert for SMTP and POP, you may use the commands shown here - http://www.isaserver.org/tutorials/Generating-SSL-Certificates-Exchange-2007-ISA-Server-2006.html
Exporting certificate to other Frontend/CAS server or ISA
1. Once you have successfully configured Exchange 2010 FE for IIS, you will need to export the cert for the other Exchange FE (or CAS) servers and for ISA (if you are using a reverse proxy).
2. To do so, open MMC and add the local computer certificate store. Look for the imported certificate and export it to a .pfx. If you can't export it, you probably generated a request whose private key is not marked exportable; refer to -PrivateKeyExportable in step 1 when generating the .req file.
3. Save the file and copy it to the destination server.
4. For an Exchange 2010 CAS/FE server, you can import it using the IIS console.
5. For ISA, you can import it using the MMC console.
6. Once done, you will need to change Exchange 2010 and ISA to use the new cert. All servers (ISA -> CAS1/CAS2/…) must use the same cert, or else your communication might break.
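The two procedures above (request, complete and assign the cert, then export it for the other CAS and ISA) as one Exchange Management Shell script. This is an added example, not the post's own commands (the post uses the GUI for completing and assigning the cert): it assumes it runs on the CAS where the request is generated, uses the seven host names from the DNS list above, placeholder paths under C:\temp, and a 2048-bit key (the Exchange 2010 default) instead of the post's 1024.

```powershell
# Added example, not from the post. Run in the Exchange Management Shell on the CAS
# where the request is generated. Paths and friendly name are placeholders.

# 1. Generate a PKCS #10 request covering every published name (CN = webmail2).
$sanNames = @(
    'webmail2.companyA.com', 'webmail.companyA.com', 'autodiscover.companyA.com',
    'legacy.companyA.com', 'ExchCAS00.company.com', 'ExchCAS01.company.com',
    'ExchCAS02.company.com'
)
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail2.companyA.com' `
    -DomainName $sanNames `
    -FriendlyName 'Exchange2010Cert' `
    -KeySize 2048 `
    -PrivateKeyExportable:$true   # needed later for the .pfx export to the other CAS/ISA
Set-Content -Path 'C:\temp\Exchange2010Cert.req' -Value $req

# 2. Submit the .req to http://localCA/certsrv, issue it, save the .cer locally, then import:
$cerBytes = [Byte[]](Get-Content -Path 'C:\temp\Exchange2010Cert.cer' -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $cerBytes

# 3. Check that every required SAN is really on the issued cert before enabling it.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq 'Exchange2010Cert' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certDomains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $sanNames | Where-Object { $certDomains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }

# 4. Assign it to IIS, SMTP and POP on this CAS (steps 6 to 8 of the first section).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP

# 5. Export with the private key as a .pfx for the other CAS and ISA (second section).
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\temp\Exchange2010Cert.pfx' -Value $pfx.FileData -Encoding Byte
```

On the destination CAS the .pfx can be imported with Import-ExchangeCertificate -FileData and the same -Password, then enabled with Enable-ExchangeCertificate as in step 4, so that every hop (ISA -> CAS00 VIP -> CAS01/CAS02) presents the same certificate.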