Creating SAN certificates for Exchange 2010


In order to install a SAN certificate on a CAS server we need to execute the following actions:

  • create a certificate request on the Exchange CAS server
  • issue this certificate request to the Certificate Authority within the domain
  • import the certificate that was created by the internal CA
  • enable this certificate for use and link it to the desired services

 
STEP 1: create a certificate request on the Exchange CAS server
Run the following code in PowerShell (the Exchange Management Shell):
( This code is for Exchange 2010. The code is slightly different for Exchange Server 2007. )
The subject name (cn) is the server name or, in case a CAS array is used, the CAS array FQDN.

$data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=....., s=....., l=....., o=......., cn=mail.heerwegh.com" -DomainName "mail.heerwegh.com" -PrivateKeyExportable $True -IncludeServerFQDN -IncludeServerNetBIOSName

First we put the certificate request in a temporary variable. After that we write it to a file:

Set-Content -Path "C:\logs\latestrequest.req" -Value $data

Open the new file and copy its contents.

STEP 2: issue this certificate request to the Certificate Authority within the domain
Ensure that the webserver certificate template on the CA has its validity period extended to about 5 years ( this is a commonly used value ). By default the certificate is valid for 2 years. That is short, so it is better to extend this.
Submit the certificate request through the web enrollment site of the CA (or another enrollment method): https:///certsrv

  1. choose "generate a certificate"
  2. choose "using an advanced type BASE64 encoded request"
  3. paste the contents of the certificate request file ( choose the webserver template in the drop-down list )
  4. generate the certificate
  5. download the certificate as Base-64 encoded

 
STEP 3: import the certificate that was created by the internal CA

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -path c:\logs\certnew.cer -Encoding byte -ReadCount 0))



STEP 4: enable this certificate for use and link it to the desired services
Retrieve the certificate that you have just imported by listing all certificates on that particular Exchange CAS server:
Get-ExchangeCertificate | fl

This command normally returns 2 or 3 certificates. Which certificate is the one that you have to enable?
Choose the certificate that has SelfSigned = $false and the correct validity period. Copy the thumbprint value of that certificate and use it in the next command:

Enable-ExchangeCertificate -Server ....... -Services "IMAP,POP,IIS,SMTP" -Thumbprint ............................
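The four steps above as one script, added here as an example; it is not code from the original post. It is written for the Exchange 2010 Management Shell and uses only the cmdlets already shown (New-ExchangeCertificate, Set-Content, Import-ExchangeCertificate, Get-ExchangeCertificate, Enable-ExchangeCertificate). The subject fields, file paths and the helper function Select-CasCertificate are constructed for this example; the helper replaces the manual "pick the non-self-signed certificate with the right validity period" step by filtering on the IsSelfSigned, HasPrivateKey, CertificateDomains, NotBefore and NotAfter properties that Get-ExchangeCertificate returns.

```powershell
# Added example (not from the original post): the SAN certificate procedure
# for an Exchange 2010 CAS as one script. Run in the Exchange Management Shell.
# Subject fields, paths and the CAS name below are constructed placeholders.

$CasName  = 'mail.heerwegh.com'                                   # CAS array FQDN (or server FQDN)
$Subject  = "c=BE, s=State, l=City, o=Example Org, cn=$CasName"   # constructed subject
$ReqPath  = 'C:\logs\latestrequest.req'
$CerPath  = 'C:\logs\certnew.cer'
$Services = 'IMAP,POP,IIS,SMTP'

# Select the certificate to enable from Get-ExchangeCertificate output:
# CA-issued (not self-signed), private key present, covers the CAS name,
# currently valid, and the longest remaining lifetime if several match.
function Select-CasCertificate {
    param(
        [Parameter(Mandatory)] [object[]] $Certificates,
        [Parameter(Mandatory)] [string]   $Name,
        [datetime] $Now = (Get-Date)
    )
    $Certificates |
        Where-Object {
            -not $_.IsSelfSigned -and
            $_.HasPrivateKey -and
            (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Name) -and
            $_.NotBefore -le $Now -and
            $_.NotAfter  -gt $Now
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# STEP 1: generate the request and write it to a file for the CA
$data = New-ExchangeCertificate -GenerateRequest -SubjectName $Subject -DomainName $CasName `
            -PrivateKeyExportable $true -IncludeServerFQDN -IncludeServerNetBIOSName
Set-Content -Path $ReqPath -Value $data

# STEP 2: manual step in the CA web enrollment site (webserver template, Base-64 download)
Read-Host "Submit $ReqPath to the CA, save the issued certificate as $CerPath, then press Enter"

# STEP 3: import the issued certificate on this CAS server
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))

# STEP 4: pick the CA-issued certificate by its properties instead of reading thumbprints by hand
$cert = Select-CasCertificate -Certificates @(Get-ExchangeCertificate) -Name $CasName
if (-not $cert) { throw "No valid CA-issued certificate covering $CasName was found" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services

# Verify the binding: Services should now list the ones just enabled
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, NotBefore, NotAfter, Services
```

Enabling the SMTP service asks whether to overwrite the existing default SMTP certificate; answer that prompt deliberately, because the certificate that is the default for SMTP is the one transport uses for TLS. The final Get-ExchangeCertificate call is the check that the thumbprint you enabled is the CA-issued one and that it now carries the intended services.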
