Some services, such as Outlook Anywhere, Cutover migration to Office 365, and Exchange ActiveSync, require certificates to be configured on your Microsoft Exchange Server 2007 server. This article shows you how to configure an SSL certificate from a third-party certificate authority (CA).
Tasks for adding an SSL certificate
Adding an SSL certificate to Microsoft Exchange Server 2007 is a three step process.
Create a certificate request
To create a certificate request in Microsoft Exchange Server 2007, use the New-ExchangeCertificate command. To run the New-ExchangeCertificate command, the account you use must be in the Exchange Server Administrator role and local Administrators group for the target server.To create a certificate request
Open Exchange Management Shell on the local server.
On the command line, type:
>new-exchangecertificate -DomainName owa.servername.contoso.com, mail.servername.contoso.com, autodiscover.servername.contoso.com, sts.servername,contoso.com, oos.servername.contoso.com, mail12.servername.contoso.com, edge.servername.contoso.com -FriendlyName "Exchange 2007 Certificate" -GenerateRequest:$true -KeySize 2048 -Path c:\certlocation -PrivateKeyExportable $true -SubjectName "c=us, o=ContosoCorporation, cn=servername,contoso.com"
In the command example above, servername is the name of your server, contoso.com is an example of a domain name, and certlocation is a file path to the location where you want to store the request once it is generated. Replace all these placeholders with the information that appropriate for your Microsoft Exchange Server 2007.
In the DomainName parameter, add the domain names for the certificate request. For example, if you configured your internal and external URLs to be the same, the domain name for Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the intranet) should look like owa.servername.contoso.com.
Use the SubjectName parameter to specify the Subject Name on the resulting certificate. This field is used by DNS-aware services and binds a certificate to a particular domain name.
You must specify the GenerateRequest parameter as $true. Otherwise, you will create a self-signed certificate.
After you run the above command, a certificate request is saved in the file location you specified by using the Path parameter.
The New-ExchangeCertificate command also creates a Thumbprint output parameter that you use when you submit the request to a third-party certificate authority in the next step.
Submit the request to certificate authority
After you've saved the certificate request, submit the request to your CA. This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. You can search the CA website for the specific steps for submitting your request.
Import the certificate
After you receive the certificate from the CA, use the Import-ExchangeCertificate command to import it.To import the certificate request
Open Exchange Management Shell on local server.
On the command line, type:
> Import-ExchangeCertificate C:\filepath
The filepath parameter above specifies the location where you saved the certificate file that was provided by the third-party CA.
When you run this command, it creates a Thumbprint output parameter that you use to enable to certificate in the next step.
To enable the certificate, you use the Enable-ExchangeCertificate command. On the command line, type:
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services iis, smtp, pop, imap
The Thumbprint parameter specifies the one you received as output when you ran the Import-ExchangeCertificate command.
In the Services parameter, specify the services you want to assign to this certificate. At a minimum, you should specify SMTP and IIS.
If you receive the warning Overwrite the existing default SMTP certificate?, type in A (yes for all).