Installing a self-signed SAN SSL certificate on your Exchange Server
There are many articles on the web about installing self-signed SSL certificates, but most of them assume multiple servers in a corporate environment and a certain level of knowledge and experience from the tech. They do not take into consideration the tech supporting an SBS server who has to deal with this issue once in a blue moon, when the SSL certificate expires on the server and Outlook et al. start nagging. All you want to do is fix it and get out of there.
This article was condensed from the following three in-depth articles:
- How to create your own self signed SSL UCC SAN Certificate to use with Exchange 2007/2010
- How to add a Subject Alternative Name to a secure LDAP certificate (MS KB 931351)
- Issuing a Certificate for a Pending Request
In most SBS environments the Certificate server and the Exchange server are probably one and the same. Nevertheless I have distinguished between the two by calling the Certificate server "Certserver". If there is only one SBS server, then all references to a server are to that same server.
The Exchange server probably has an internal name and is on an internal domain such as domain.local. Additionally you may have published OWA on a different URL, which you use to access the server from the Internet. I have therefore referred to the Exchange Server in the following way; please modify appropriately.
The same domain naming convention applies to autodiscover.
There are two text files attached to this post. You will need to download them and rename them accordingly.
Sancerts.txt
This file is a batch file and has to be run on the Certificate server. It prepares the server to accept SAN requests. Presumably it has to be run only once during the lifetime of the server. Rename it to Sancerts.bat.
This is your request file. Rename it to Request.inf and save it on the Exchange Server.
1. Run the batch file Sancerts.bat on the Certificate Server; there is a pause at the end so you can verify that it was successful. If successful, press any key to close the Command window.
2. Modify Request.inf to match your domain names and server names. If the inside and outside names and domain names are the same you need not duplicate entries.
3. Open a command prompt on the Exchange server and navigate to the location where you saved Request.inf. Note: the process will create files, so you must have rights to create files in that location.
4. At the command prompt, type the following command, and then press ENTER:
   certreq -new request.inf certnew.req
5. Type the following command, and then press ENTER:
   certreq -submit certnew.req certnew.cer
   You will get a popup asking you to select the Certificate server. It will probably be the same server.
6. If the above command is successful you will get a response that provides the Request ID number needed to retrieve the certificate. Make a note of the number. Do not close the window.
7. On the Certificate Server go to Administrative Tools >> Certification Authority.
8. This will bring up CertSrv; go to Pending Requests and issue the pending request. It should have today's date as you just requested it.
9. Return to the command prompt on the Exchange Server and type the following command, and then press ENTER:
   certreq -retrieve RequestID certnew.cer
   RequestID is the number you made a note of in step 6 above.
10. Type the following command, and then press ENTER:
    certreq -accept certnew.cer
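As an added illustration of what step 2 is editing, here is a complete Request.inf of the kind certreq -new consumes, with the Subject Alternative Name carried in the request's own 2.5.29.17 extension; this is not the file attached to the post, and the host names and organisation fields are placeholders you replace with your own internal and published names.

```ini
; Constructed example Request.inf (not the attachment from this post).
; Replace the placeholder names below with your own internal and published names.
[Version]
Signature = "$Windows NT$"

[NewRequest]
; The CN should be the name users type in the browser (the published OWA name).
Subject = "CN=mail.example.com, O=Example Org, L=City, S=State, C=US"
Exportable = TRUE                 ; lets you back up the key pair with the certificate
KeyLength = 2048
KeySpec = 1                       ; AT_KEYEXCHANGE, required for SSL key exchange
KeyUsage = 0xA0                   ; Digital Signature + Key Encipherment
MachineKeySet = TRUE              ; store the key in the computer store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
SMIME = FALSE
UseExistingKeySet = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1           ; Server Authentication only

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension. Every name that Outlook,
; OWA or Autodiscover connects to must be listed here; a name that is the same
; inside and outside needs to appear only once.
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
_continue_ = "dns=exchange.domain.local&"
_continue_ = "dns=autodiscover.domain.local&"
_continue_ = "dns=exchange&"
```

After step 10, certutil -dump certnew.cer lists the Subject Alternative Name entries so you can confirm every name made it into the issued certificate before binding it in IIS.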
At this point, if all goes well, you have created and installed a new SAN certificate on the Exchange Server.
You now need to install this certificate on OWA for the Exchange server (see image below).
1. Open IIS Manager on the Exchange Server.
2. Go to Sites and select the site that hosts OWA; in most instances it is the Default Web Site.
3. Click on Bindings in the Actions menu on the right-hand side.
4. You should see two https bindings. You will need to apply the certificate to both.
5. Highlight the first https binding and select Edit; a window will pop up.
6. Under SSL certificate, use the drop-down menu to select the certificate you just created.
   Sadly I could not figure out a way to give it a friendly name, so you may have duplicate entries of Internal.domain.local.
   Select each one and click View to view the certificate and confirm that you have selected the correct certificate. The correct certificate will have a validity date of one year from today.
7. Repeat 5 and 6 above for the other https binding.
8. Restart IIS and you should be done.
The other sad part is that I could not figure out how to assign the certificate for more than one year.
If anybody can figure that out, please post on our Facebook page.
I hate this nonsense of doing this every year.