Install a UCC/SAN SSL certificate for Exchange 2010

This article explains how to set up a multi-name (i.e. UCC/SAN) SSL certificate for Exchange 2010. In this example I am using a single Exchange 2010 SP1 server and getting the certificate from godaddy.com. I prefer to use GoDaddy for my SSL certificates as they are a) cheap and b) allow free rekeys and re-issues. This is very useful if you make a mistake or need to regenerate the certificate for whatever reason.

Step 1 – Generate CSR

In the Exchange Management Console, select “New Exchange Certificate” as shown below.

This will launch the certificate wizard:

  • For the friendly name, enter the internet address you use to connect to the Exchange server, e.g. mail.yourcompany.com, where yourcompany.com is your company's internet domain name.
  • In this example we are using a UCC/SAN certificate, so do not check “use wildcard certificate”.
  • In this example I am only using the certificate for Outlook Web Access, ActiveSync and Autodiscover, so I have ticked only these services.
  • For the external hostname, enter the FQDN you plan to use (i.e. mail.yourcompany.com).

  • Review the domain names. You should have:
    • Mail.yourcompany.com (if it is not already, I would set this as the common name)
    • Autodiscover.yourcompany.com
    • Exchange-server-name.your-internal-domain
    • Autodiscover.your-internal-domain
    • Exchange-server-name

On the next screen, fill out your company information and select where you want the certificate request file to be stored. Click Next.

Click New and the certificate request file will be created.

 

Step 2 – Generate Certificate

  • Log on to godaddy.com (you will need to have an account) and go to the SSL section.
  • Choose a UCC certificate as shown below.

Once you have bought the certificate, go to “my account” and then “SSL certificates”. You should have a credit available as shown below.

You should then get a new certificate in your list of certificates. Click on “manage certificate”.

On the next screen choose “request certificate”.

With Notepad, open the certificate request file you created in Step 1 and paste the contents into the following screen.

Confirm all the information is correct on the following screen. Note that the common name (mail.yourcompany.com) and alternate names should all be listed. Click next.

Click finish. GoDaddy will now verify ownership of this domain. This may take up to 24 hours and it is likely you will need to prove ownership of the domain. GoDaddy use a number of methods to prove you own the domain, namely:

  • Sending an email to the contact email address of the domain’s whois record
  • Asking you to create a specific DNS record for that domain
  • Asking you to create a specific page on your website

I won’t discuss each method any further. If you are unsure then please speak to GoDaddy.

Once you have completed domain validation, you can download the certificate from GoDaddy. Make sure you download the certificate in the format “exchange 2010”.

 

Step 3 – Install Intermediate Certificate

The file you have downloaded will contain 2 certificates: the SSL certificate for your server and an intermediate certificate. In this step we are installing the intermediate certificate.

  • Open an MMC and add the “certificates” snap-in, choosing the “local computer” option.


Select the option to import a certificate into the “certificates” folder under “intermediate certification authorities”.


Browse to the gd_iis_intermediates.p7b file you have just downloaded and import it.

 

Step 4 – Complete Certificate Installation

In Exchange System Manager, right click on the certificate and select “Complete Pending Request”.

Browse to the file you have just downloaded.

Select next and finish. You have installed the certificate.

Step 5 – Assign certificate to services

Now you need to assign the certificate to services. Right click on the certificate and select “Assign Services to Certificate”.

Select your server and on the next screen select the services you wish to assign the certificate to.

It will prompt you to overwrite the old certificate. Select yes.

Congratulations, you have completed the certificate install.
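
Steps 1, 4 and 5 can also be scripted in the Exchange Management Shell, with a check that the issued certificate carries every requested name before it is assigned. This is an added example, not part of the original article: the host names, file paths and subject fields are placeholders, and Step 3 (the intermediate certificate) is still done in the MMC as described above.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# Names, paths and subject fields are placeholders taken from the article's examples.
$names = @(
    'mail.yourcompany.com',
    'autodiscover.yourcompany.com',
    'exchange-server-name.your-internal-domain',
    'autodiscover.your-internal-domain',
    'exchange-server-name'
)
$reqPath  = 'C:\certs\mail.yourcompany.com.req'   # CSR to paste into the CA's form
$certPath = 'C:\certs\mail.yourcompany.com.crt'   # server certificate downloaded from the CA

# Step 1: generate the CSR. The private key is created and kept on this server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'mail.yourcompany.com' `
    -SubjectName 'C=GB, O=Your Company, CN=mail.yourcompany.com' `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $false
Set-Content -Path $reqPath -Value $csr

# --- Submit the CSR to the CA and wait for issuance before continuing. ---

# Step 4: complete the pending request with the issued certificate.
$bytes = [byte[]](Get-Content -Path $certPath -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# Check before assigning: every requested name must be on the issued certificate.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $names | Where-Object { $issued -notcontains $_.ToLower() }
if ($missing) { throw "Issued certificate is missing: $($missing -join ', ')" }

# Step 5: assign to IIS, which serves Outlook Web Access, ActiveSync and Autodiscover.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Confirm the result: names, bound services, validity status and expiry date.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter
```

Leaving the private key non-exportable keeps it from being copied off the server; set `-PrivateKeyExportable $true` only if the same certificate must be installed on additional servers.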
