Exchange 2010 3rd Party SSL Certificates: The Whole Story

Theresa Miller

Eventually all good things come to an end, and the 3rd party certificates that allow access to Outlook Web App and other web-based Exchange workloads such as ActiveSync or Outlook are no exception. This article provides a step by step process for updating your Exchange 2010 certificates from start to finish. It assumes we are using a DigiCert wildcard certificate. Most of this work can be pre-staged before the actual implementation, as highlighted below. With that, let’s begin!

Generate a CSR

Generating a CSR is the first step to obtaining an updated wildcard certificate for your Exchange 2010 environment, and the process is well documented on multiple websites. To ensure that your certificate has a private key, refer to the “Using Shell to create a new Exchange Certificate” section of the TechNet article when generating your CSR.

Whether or not the private key should be exportable depends on the application or the organization, and it is a requirement for Exchange. The private key certificate is what allows the 3rd party certificate to be used across multiple Exchange servers. The certificate can also be used on the system or device that authenticates external connections to ActiveSync, Outlook Web App or Outlook Anywhere, for example Threat Management Gateway (TMG), Unified Access Gateway (UAG) or a network based appliance. Be sure to investigate these requirements before updating the certificate on the Exchange server; that work will need to be done in conjunction with the steps below.

Another consideration is that these same 3rd party private key certificates can be used for Unified Messaging (UM), for both the Exchange Unified Messaging service and the Exchange Unified Messaging Call Router service, if you choose not to use the local self-signed certificates. If your organization is planning to integrate UM with Microsoft Lync, it is recommended that you use 3rd party certificates instead of self-signed certificates (see the additional details on using 3rd party certificates instead of self-signed certificates).
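The CSR can also be generated from the Exchange Management Shell instead of the MMC. The following is an added example, not code from the original article; the organisation name, the wildcard domain *.contoso.com and the C:\Certs path are placeholders.

```powershell
# Added example (not from the original article): generate a wildcard CSR in the
# Exchange 2010 Management Shell on the server that will hold the private key.
# Organisation, domain and file path are placeholders; substitute your own values.
$subject = "C=US, O=Contoso Ltd, CN=*.contoso.com"
$csrPath = "C:\Certs\wildcard-contoso-com.req"

# -PrivateKeyExportable $true is the setting this article depends on: without it
# the key cannot be exported later and reused on the other Exchange servers.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName "*.contoso.com", "contoso.com" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Contoso wildcard (DigiCert)"

# The request is returned as PEM text; write it out for submission to DigiCert.
Set-Content -Path $csrPath -Value $csr

# Confirm that a pending request with an exportable private key now exists here.
Get-ExchangeCertificate | Where-Object { $_.Status -eq "PendingRequest" } |
    Format-List Thumbprint, Subject, CertificateDomains, PrivateKeyExportable, Status
```

The issued certificate must later be imported on this same server, because this is where the private key for the request lives.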

Import the Certificate to an Exchange Server

Once your 3rd party certificate provider has generated the new certificate, it must be downloaded onto the server that the CSR was generated from. If a different Exchange server is used to import the certificate, the private key will not be exportable.

  1. Go into Certificates and choose All Tasks, Import...
  2. Click Next
  3. Browse to the location of the certificate and click Next
  4. Place in Personal Store and click Next
  5. Click Finish

Export Private Key Certificate

Exchange expects the certificate it uses to be the private key certificate. The following steps provide guidance on how to export it.

  1. Open the Certificate Management MMC
  2. Expand Certificates, Personal and Certificates
  3. Right-click on the certificate that was just imported and choose All Tasks, Export
  4. Click Next
  5. Choose “Yes, Export the Private Key” and click Next
  6. Check the boxes for “Include all certificates in the certification path if possible” and “Export all extended properties”, then click Next
  7. Fill in a password, document the password for future reference and click Next

Note: If you need to export the private key certificate again for any reason, this exact password will be required.

  8. Browse to a location on the file system where the private key certificate will be exported to and provide a file name for it. Then click Next.
  9. Click Finish

Import the Private Key Certificate into the Certificate Store

**Important: This must be done on each Exchange server in your environment that requires a certificate. The same private key certificate file should be used across all of the servers**

  1. Open the Certificate MMC
  2. Expand Certificates, Personal, Certificates
  3. Right-click on Certificates, select All Tasks and choose Import
  4. Click Next
  5. Browse to the private key certificate that was exported and click Next
  6. Enter the password of the private key certificate. This is the same password used in the previous section.
     1. Verify that “Mark this key as exportable. This will allow you to back up or transport your keys at a later time” is checked
     2. Verify that “Include all extended properties” is checked
     3. Click Next
  7. Place all of the certificates in the Personal store and click Next
  8. Click Finish
  9. Verify that the certificate has been imported to Personal certificates and that the Intermediate Certificate is installed on the server.
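The import, export and re-import steps of the three sections above can also be done from the Exchange Management Shell. The following is an added example, not code from the original article; the file paths, the server names EX02 and EX03, and the interactive password prompt are assumptions.

```powershell
# Added example (not from the original article): complete the request, export the
# certificate with its private key, and import it on the other Exchange 2010 servers.
# Paths and server names are placeholders.
$issuedCer    = "C:\Certs\wildcard-contoso-com.cer"   # downloaded from DigiCert
$pfxPath      = "C:\Certs\wildcard-contoso-com.pfx"   # keep off shared storage, delete after use
$otherServers = "EX02", "EX03"

# 1. On the server where the CSR was generated, import the CA response. This pairs
#    the issued certificate with the pending private key (the first MMC import above).
$cert = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path $issuedCer -Encoding Byte -ReadCount 0))

# 2. Export it as a password-protected PFX. The password is prompted for rather
#    than hard-coded, since it is what protects the private key in the file.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $pfx.FileData -Encoding Byte

# 3. Import the same PFX on each remaining server with the same password.
#    -PrivateKeyExportable mirrors the "Mark this key as exportable" checkbox.
foreach ($server in $otherServers) {
    Import-ExchangeCertificate -Server $server -Password $pfxPassword `
        -PrivateKeyExportable $true -FileData `
        ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))
}

# 4. Verify on every server. Status should be Valid; Untrusted usually means the
#    intermediate certificate is missing from that server's store.
foreach ($server in @($env:COMPUTERNAME) + $otherServers) {
    Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Subject, NotAfter, HasPrivateKey, PrivateKeyExportable, Status
}
```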

Apply the Private Key Certificate to Each Exchange Server

This will cause a brief interruption of service to your users. If your organization requires change management and downtime for this type of work, do not proceed until that approval is acquired.

  1. Open the Exchange Management Console
  2. Select Server Configuration on the left side of your screen

Note: It may take up to 30 seconds for the Exchange certificates to load on the bottom of the screen

  3. On the right side of your screen choose the server that will receive the new certificate
  4. On the bottom section of the screen under Exchange Certificates, right-click on the certificate that was just imported
  5. Choose Assign Services to Certificate…
  6. Make sure the server you are expecting to update the certificate on is listed in the Select Servers section and then click Next
  7. Select the check boxes for SMTP and IIS

Note: The other options such as POP and IMAP will only be required if these are configured for external access and secured via SSL. For more information on when POP or IMAP may need to be used see the following TechNet article: http://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx

  8. Click Next
  9. Click Assign
  10. Click “Yes to All”
  11. Click Finish
  12. Verify in the console that the new certificate is applied
  13. Test Outlook Web App to verify that the certificate was successfully applied

Voila! After following these steps, the certificates on your Exchange servers will have been successfully updated.
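The service assignment in the last section, and the final Outlook Web App check, can also be scripted. This is an added example, not code from the original article; the server names, the wildcard domain and the hostname mail.contoso.com are placeholders.

```powershell
# Added example (not from the original article): assign the new certificate to IIS
# and SMTP on each server, then confirm it is the one the OWA endpoint serves.
# Server names, wildcard domain and OWA hostname are placeholders.
$servers = "EX01", "EX02", "EX03"
$owaHost = "mail.contoso.com"

foreach ($server in $servers) {
    # Pick the newest valid wildcard certificate that carries a private key.
    $cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Status -eq "Valid" -and $_.HasPrivateKey -and
                       $_.Subject -match 'CN=\*\.contoso\.com' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    # Equivalent of "Assign Services to Certificate" with SMTP and IIS checked.
    # -Force answers the prompt about replacing the default SMTP certificate
    # (the "Yes to All" click); expect the brief interruption the article mentions.
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
        -Services "IIS,SMTP" -Force

    Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Services, NotAfter
}

# Check what OWA actually presents over TLS. AuthenticateAsClient validates the
# chain, so it throws if the intermediate is missing; otherwise compare the
# served thumbprint with the one just enabled and note the expiry date.
$tcp = New-Object Net.Sockets.TcpClient($owaHost, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient($owaHost)
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()
"{0} served by {1}, expires {2}" -f $served.Thumbprint, $owaHost, $served.NotAfter
```

Run the final check from a machine that reaches the published OWA name through the same path your users take, so that TMG, UAG or a load balancer in front of Exchange is tested as well.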

