Install a GoDaddy UCC certificate on Exchange 2007


This article explains how to set up a multi-name (i.e. UCC/SAN) SSL certificate for Exchange 2007. In this example I am using a single Exchange 2007 server and getting the certificate from godaddy.com. I prefer to use GoDaddy for my SSL certificates as they are a) cheap and b) allow free rekeys and re-issues. This is very useful if you make a mistake or need to regenerate the certificate for whatever reason.

Step 1 – Buy certificate

  • Go to the GoDaddy website www.godaddy.com
  • If you do not have an account you will need to sign up.
  • Go to the SSL section and purchase a UCC SSL certificate. UCC certificates allow a number of different FQDNs to be registered against a single certificate. This is particularly useful for Exchange, which can use a number of different FQDNs.

Step 2 – Generate CSR

I recommend using the tool on the DigiCert website: https://www.digicert.com/easy-csr/exchange2007.htm

  • Fill out the details:
    • Common name – The FQDN you will use on the internet to access your Exchange server
    • Subject Alternative Names – Generally there are 4 you will want: autodiscover.yourinternetdomain.com, autodiscover.youractivedirectorydomain, servername.youractivedirectorydomain and servername
  • Click on the “generate” button and you will get the Exchange PowerShell code needed to generate your CSR.
  • Then, on the Exchange 2007 server, open the Exchange PowerShell (right click and run as administrator) and paste in the Exchange PowerShell code.

This will create a .csr file in the root of the C: drive. Open this file in Notepad and copy the contents. This is your CSR code.

Step 3 – Generate Certificate

Log on to your GoDaddy account and go to the manage SSL section. You should have a credit listed.

  • Click on “credits” and then “request certificate”
  • On the next screen paste in your CSR code and make sure that all the Subject Alternative Names are listed.

You should have a credit listed; select “request certificate”.

Click next, next and finish.

The certificate will now be listed in the pending requests folder while GoDaddy performs its background checks. This can take up to 24 hours.

Step 4 – Domain Control Verification

After GoDaddy have reviewed your request you will likely receive an email from them asking you to prove that you manage that domain.

GoDaddy uses a number of methods to prove you own the domain, namely:

  • Sending an email to the contact email address of the domain’s whois record
  • Asking you to create a specific DNS record for that domain
  • Asking you to create a specific page on your website

I won’t discuss each method any further. Please follow the links in the email.

Step 5 – Download and install Certificate

Once you have completed domain validation you can download the certificate from the GoDaddy site. Note that I have chosen the type “Exchange 2007”.

Install Intermediates Certificate:

  • The file you have downloaded will contain 2 certificates: the SSL certificate for your server and an intermediate certificate. In this step we are installing the intermediate certificate.
  • Open an MMC and add the “certificates” snap-in, choosing the “local computer” option.
  • Select the option to import a certificate into the “certificates” folder under “intermediate certification authorities”.
  • Browse to the gd_iis_intermediates.p7b file you have just downloaded and import it.

Install Main Certificate:

Open the exchange powershell and enter the below command:

Import-ExchangeCertificate -path c:\google.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP

(If you do not use some of these services, remove them, e.g. UM.)

Then enter the command:

Get-ExchangeCertificate

Then enable the certificate, using the thumbprint displayed by the previous command:

Enable-ExchangeCertificate -Services IIS, UM, SMTP -Thumbprint "<thumbprint from above>"

The certificate should now be installed. You can confirm this by going to the OWA website.
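
A fuller check than loading OWA, as an added example that is not part of the original article: run in the Exchange PowerShell, it confirms that the certificate selected by thumbprint carries every name requested in Step 2, still has its private key, is within its validity period and is enabled for the intended services. The thumbprint, the name list (including the mail.yourinternetdomain.com common name) and the service list are placeholders to replace with your own values.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholders (assumptions): use your own names from Step 2 and the thumbprint
# displayed by Get-ExchangeCertificate.
$thumbprint       = "THUMBPRINT_FROM_GET_EXCHANGECERTIFICATE"
$expectedNames    = @("mail.yourinternetdomain.com",
                      "autodiscover.yourinternetdomain.com",
                      "autodiscover.youractivedirectorydomain",
                      "servername.youractivedirectorydomain",
                      "servername")
$expectedServices = @("IIS", "SMTP")   # adjust to the services you enabled

$cert     = Get-ExchangeCertificate -Thumbprint $thumbprint
$problems = @()

# Every name requested in the CSR must be present on the issued certificate.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
foreach ($name in $expectedNames) {
    if ($certNames -notcontains $name.ToLower()) { $problems += "Missing name: $name" }
}

# The private key was created on this server in Step 2 and must still be paired.
if (-not $cert.HasPrivateKey) { $problems += "No private key for this certificate" }

# A self-signed hit means the default Exchange certificate was selected instead.
if ($cert.IsSelfSigned) { $problems += "Certificate is self-signed" }

# Validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# Anything other than Valid needs investigating before relying on the certificate.
if ($cert.Status.ToString() -ne "Valid") { $problems += "Status is $($cert.Status)" }

# Services is a flag list such as "IMAP, POP, IIS, SMTP".
$enabled = $cert.Services.ToString()
foreach ($svc in $expectedServices) {
    if ($enabled -notmatch "\b$svc\b") { $problems += "Not enabled for $svc" }
}

if ($problems.Count -eq 0) {
    "OK: $($cert.Subject) has all expected names and services"
} else {
    $problems
}
```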
