This article explains how to set up a multi-name (i.e. UCC/SAN) SSL certificate for Exchange 2007. In this example I am using a single Exchange 2007 server and getting the certificate from godaddy.com. I prefer to use GoDaddy for my SSL certificates as they are a) cheap and b) allow free rekeys and re-issues. This is very useful if you make a mistake or need to regenerate the certificate for whatever reason.
Step 1 Buy certificate
- Go to the GoDaddy website www.godaddy.com
- If you do not have an account you will need to sign up.
- Go to the SSL section and purchase a UCC SSL certificate. UCC certificates allow a number of different FQDNs to be registered against a single certificate. This is particularly useful for Exchange, which can use a number of different FQDNs.
Step 2 Generate CSR
I recommend using the tool on the DigiCert website: https://www.digicert.com/easy-csr/exchange2007.htm
Fill out the details as follows:
- Common name: The FQDN you will use on the internet to access your Exchange server
- Subject Alternative Names: Generally there are 4 you will want: autodiscover.yourinternetdomain.com, autodiscover.youractivedirectorydomain, servername.youractivedirectorydomain and servername
- Click on the “generate” button and you will get the Exchange PowerShell code needed to generate your CSR.
- Then on the Exchange 2007 server open the Exchange PowerShell (right click and run as administrator) and paste in the Exchange PowerShell code.
This will create a .csr file in the root of the c: drive. Open this file in Notepad and copy the contents. This is your CSR code.
Step 3 Generate Certificate
Log on to your GoDaddy account and go to the manage SSL section. You should have a credit as shown below.
- Click on “credits” and then “request certificate”
- On the next screen paste in your CSR code and make sure that all the Subject Alternative Names are listed.
You should have a credit listed as shown below; select “request certificate”.
Click next, next and finish.
The certificate will now be listed in the pending requests folder whilst GoDaddy perform their background checks. This can take up to 24 hours.
Step 4 Domain Control Verification
After GoDaddy have reviewed your request you will likely receive an email from them asking you to prove that you manage that domain.
GoDaddy use a number of methods to prove you own the domain, namely:
- Sending an email to the contact email address of the domain’s whois record
- Asking you to create a specific DNS record for that domain
- Asking you to create a specific page on your website
I won’t discuss each method any further. Please follow the links in the email.
Step 5 Download and install Certificate
Once you have completed domain validation you can download the certificate from the GoDaddy site. Note that I have chosen the type “exchange 2007”.
Install Intermediates Certificate:
- The file you have downloaded will contain 2 certificates: the SSL certificate for your server and an intermediate certificate. In this step we are installing the intermediate certificate.
- Open an MMC and add the “certificates” snap-in, choosing the “local computer” option.
Select the option to import a certificate into the “certificates” folder under “intermediate certification authorities”.
Browse to the gd_iis_intermediates.p7b file you have just downloaded and import it.
Install Main Certificate:
Open the Exchange PowerShell and enter the command below:
Import-ExchangeCertificate -path c:\google.p7b | Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP
(If you do not use some of these options then remove them, e.g. UM.)
Then enter the command:
Then enable the certificate, using the thumbprint you previously displayed
Enable-ExchangeCertificate -Services IIS, UM, SMTP -Thumbprint thumbprintfromabove
The certificate should now be installed. You can confirm this by going to the OWA website.
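The names requested in Step 2 and the services enabled in Step 5 can also be checked against the installed certificate from the Exchange PowerShell. This is an added example, not part of the original article: the hostnames are the article's placeholders, `mail.yourinternetdomain.com` is a hypothetical common name, and the sample object is constructed so the function can be tried outside the Exchange shell.

```powershell
# Names the certificate must cover (placeholders from Step 2; replace with your own).
$RequiredNames = @(
    'mail.yourinternetdomain.com',            # hypothetical common name
    'autodiscover.yourinternetdomain.com',
    'autodiscover.youractivedirectorydomain',
    'servername.youractivedirectorydomain',
    'servername'
)
# Services that should be bound to the certificate (adjust to what you enabled).
$RequiredServices = @('IIS', 'SMTP')

function Test-CertCoverage($Cert, $Names, $Services, $WarnDays = 30) {
    $problems = @()
    # CertificateDomains lists the subject and SAN names found in the certificate.
    $have = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($n in $Names) {
        if ($have -notcontains $n.ToLower()) { $problems += "missing SAN: $n" }
    }
    # Services renders as a comma-separated list such as "IIS, SMTP".
    $enabled = $Cert.Services.ToString()
    foreach ($s in $Services) {
        if ($enabled -notmatch "\b$s\b") { $problems += "service not enabled: $s" }
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key on this server' }
    if ($Cert.IsSelfSigned)       { $problems += 'certificate is self-signed' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $problems += "expires $($Cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
    return $problems
}

# Constructed sample object standing in for a certificate that lacks two names.
$sample = New-Object PSObject -Property @{
    CertificateDomains = @('mail.yourinternetdomain.com',
                           'autodiscover.yourinternetdomain.com', 'servername')
    Services      = 'IIS, SMTP'
    HasPrivateKey = $true
    IsSelfSigned  = $false
    NotAfter      = (Get-Date).AddYears(1)
}
Test-CertCoverage $sample $RequiredNames $RequiredServices

# On the Exchange server, check the real certificate instead:
# Test-CertCoverage (Get-ExchangeCertificate -Thumbprint thumbprintfromabove) $RequiredNames $RequiredServices
```

An empty result means every required name and service is covered; any missing name is a reason to rekey and re-issue the certificate before clients start showing name-mismatch warnings.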