Introduction to Digital Certificates (Verisign Australia)
Introduction to Digital Certificates (Comodo)
Certificates exist in several forms and can come from many sources.
I'll organize the process in 4 steps:
Step 1 : Create a certificate request at the Exchange server.
Step 2 : Submit the content of the resulting file to the Certification Authority
Step 3 : Download the certificate
Step 4 : Import and Enable the certificate for Exchange services.
Create a certificate request at the Exchange server.
New-ExchangeCertificate -GenerateRequest:$True -subjectName "c=us, s=MyState, l=MyCity, o=My Name, CN=mail.mitserv.net" -DomainName mail.mitserv.net, autodiscover.mitserv.net -Keysize 2048 -privatekeyExportable:$true -path "C:\Scripts\mitserv.csr"
Let's dissect this rather long command...
- New-ExchangeCertificate: this is the cmdlet itself. On its own it creates a self-signed certificate; it is the parameters and values that follow that turn it into a certificate request.
- GenerateRequest: this switch must be set to "true" (or simply present, as -GenerateRequest) for the cmdlet to produce a request instead of a self-signed certificate.
- subjectName: the subject of the certificate, written as an X.500 distinguished name. From left to right we enter the two-letter code of our country (c), our state or province (s), our locality (l, usually the city), our organization (o, or our own name if we are an individual) and the common name (CN), which is the host name clients will connect to. I use the name of a fictitious organization that I use for tests, just as Microsoft has a number of fictitious organization names such as Contoso and Trey Research. Note: instead of "mitserv.net", I used the name that would be used most often, "mail.mitserv.net", which was recommended at one point, for some reason, by someone from the certificate authority. In any case, if a name is used to reach any Exchange service (POP, IMAP, IIS, SMTP), and that service may need to be validated, the name must be on the certificate. The CN should also be repeated in the DomainName list (as it is above): once a certificate carries Subject Alternative Name entries, clients match against that list and a CN that is missing from it is not enough on its own.
- DomainName: one of the roles of the certificate is to identify our website (or webmail, Outlook Web Access in the case of Exchange) to connecting clients, so every host name clients use must appear in the certificate. This parameter fills the Subject Alternative Name extension with those names. With Exchange, we may have several other names, such as those indicated above, for webmail, for autodiscover and perhaps the name of the mail server itself (or themselves if we have several). Which names should be on the certificate is a subject in itself, but the most common recommendation is to add the name used for webmail and the name used for autodiscover (autodiscover.<your domain> is the name Outlook tries on its own). Caveat: public CAs have stopped issuing certificates for internal, non-public names such as server.domain.local (CA/Browser Forum Baseline Requirements, effective November 2015), so internal host names need either split DNS with the public name or a certificate from an internal CA.
- Keysize: validation is one role of the certificate and encryption is another, even though the certificate does not encrypt anything by itself. Its RSA key pair authenticates the server during the TLS handshake and protects the exchange of the session keys that then encrypt the traffic, so the key length is one element that determines how hard that handshake is to break. At this time (2014), the minimum recommended key size is 2048 bits; public CAs no longer issue certificates for 1024-bit keys.
- privatekeyExportable: if we ever want to export the private key, and then import it on a second mail server or a security appliance like ISA or TMG, we must set the value of this parameter to "true" now; it cannot be changed after the key pair has been generated. An exportable key is also one more way for the key to leave the server, so set it only when needed, protect the exported .pfx with a strong password, and delete the file once it has been imported on the other machine.
- path: this is simply where we want to create the certificate request file and where we can find it when we want to upload it to the website of the certificate authority for ordering.
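The request step above, carried through with a check of the resulting file, as an added example that is not part of the original article. It assumes the Exchange 2007 Management Shell (the -Path form of New-ExchangeCertificate shown above), the article's host names, and certutil.exe, which is present on every Windows Server; the CSR is decoded before it is sent to the CA, because the key size and the name list cannot be corrected after the certificate has been issued and paid for.

```powershell
# Added example (not from the original article): generate the request with the
# same values as above, then inspect the CSR before sending it to the CA.
# Assumes the Exchange 2007 EMS (-Path form of New-ExchangeCertificate) and the
# article's names; adjust the subject and the name list for your organization.
$names   = @('mail.mitserv.net', 'autodiscover.mitserv.net')  # every name clients will use
$csrPath = 'C:\Scripts\mitserv.csr'

New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=us, s=MyState, l=MyCity, o=My Name, CN=$($names[0])" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable:$true `
    -Path $csrPath

# certutil decodes the PKCS #10 request: the subject, the public key length and
# the Subject Alternative Name extension are all visible in its output.
$dump = certutil -dump $csrPath

# Show the lines that matter for the order.
$dump | Select-String -Pattern 'CN=|Public Key Length|DNS Name='

# Check the two things the CA cannot fix for you after issuance:
# the key size and the complete list of SAN entries.
if (-not ($dump -match 'Public Key Length: 2048 bits')) {
    Write-Warning 'Key is not 2048 bits; regenerate the request.'
}
foreach ($n in $names) {
    if (-not ($dump -match "DNS Name=$([regex]::Escape($n))")) {
        Write-Warning "Name $n is missing from the Subject Alternative Name extension."
    }
}
```

If a warning is printed, delete the request and run New-ExchangeCertificate again with the corrected parameters; nothing has been sent to the CA yet, so nothing is lost.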
Submit the content of the request file to the Certificate Authority
Note: some CAs apparently allow the requester to upload the entire .csr file, so no copy and paste is required.
Import and Enable the certificate(s) for Exchange services.
1. Open the Certificates console (the Certificates MMC snap-in for the Local Computer account), go to "Intermediate Certification Authorities", right-click on this folder, select "All Tasks", "Import".
3. Browse to the location of the downloaded files.
As shown below, it will be necessary to change the file type filter in the browse dialog to "PKCS #7 Certificates (*.spc, *.p7b)" so the intermediate certificate, with its .p7b extension, is visible:
4. We should have something like this:
5. Make sure the certificate is imported into the "Intermediate Certification Authorities" store and not into another store (such as "Personal"); an intermediate certificate placed elsewhere does not complete the chain that the server sends to clients.
6. We click on "Next" or "Finish". If all goes well, we should see this:
7. The certificate should now be visible in the certificate store, perhaps above a previous certificate.
Note: I asked the vendor if previous (expired) certificates should be removed. The technical support representative stated that this was not necessary.
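The same intermediate-certificate import done from the command line instead of the MMC wizard, followed by a look at the store, as an added example that is not part of the original article. The bundle path is hypothetical; "CA" is certutil's name for the local computer's Intermediate Certification Authorities store.

```powershell
# Added example (not from the original article): import the CA's intermediate
# bundle from the command line and verify the store afterwards.
# Assumes the bundle was saved as C:\mitserv.net-2014\intermediate.p7b (hypothetical path).
$bundle = 'C:\mitserv.net-2014\intermediate.p7b'

# "CA" = Intermediate Certification Authorities store of the local computer.
# -addstore imports every certificate contained in the PKCS #7 file.
certutil -addstore CA $bundle

# List the store, newest first, so the freshly imported issuer is easy to spot.
Get-ChildItem Cert:\LocalMachine\CA |
    Sort-Object NotBefore -Descending |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize

# Expired entries are listed separately for information only; nothing is deleted here.
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter
```

The Subject of the imported intermediate must match the Issuer field of the server certificate you are about to import with Import-ExchangeCertificate; if it does not, the CA sent a different bundle than the one your certificate chains to.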
At this point, we can import the certificate issued for our organization with the EMS. It's just a matter of entering the cmdlets (with various parameters and values) as shown below.
1. Open the EMS and browse to the location of the certificate. Import the certificate with this cmdlet:
[PS] C:\>Import-ExchangeCertificate -path C:\mitserv.net-2014\2b515b90\2b515b90.crt
Thumbprint Services Subject
---------- -------- -------
EC523--ABC9 ..... CN=mail.mitserv.net, OU=Domain Control Validated
Note: of course, your serial number and thumbprint (abbreviated here) will be different.
2. Enable the certificate (you can copy and paste the thumbprint from above):
[PS] C:\>Enable-ExchangeCertificate -Thumbprint EC523--ABC -Services "IMAP, IIS, POP, SMTP"
Note: the "Services" parameter takes the list of services that will use the certificate: POP, IMAP, IIS, SMTP and UM (Unified Messaging) are the options. IIS covers everything served over HTTPS (Outlook Web Access, Autodiscover, Exchange Web Services, ActiveSync and Outlook Anywhere).
We will be asked if we want to overwrite the previous certificate (if we have one):
Overwrite existing default SMTP certificate '605033---D774B' (expires 12/13/2013 8:24:04 PM)
with certificate 'EC523F----------ABC9BDC' (expires 3/8/2015 10:32:06 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
I enter "A"... and press enter.
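A verification pass to run once the certificate is enabled, as an added example that is not part of the original article: it confirms that the enabled certificate carries the intended services and names, then connects to the webmail name as a TLS client and checks that the certificate actually presented is the new one and that its chain (intermediate included) validates. It assumes the article's names, PowerShell 2.0 or later for try/finally, and the article's abbreviated thumbprint, which must be replaced with the full 40-hex-character value.

```powershell
# Added example (not from the original article): verify the result of
# Enable-ExchangeCertificate from the server side and from the network side.
# Assumes the article's names and PowerShell 2.0 or later; the thumbprint is the
# article's abbreviated one and must be replaced with the full 40-character value.
$thumbprint = 'EC523--ABC9'
$hostName   = 'mail.mitserv.net'
$expected   = @('mail.mitserv.net', 'autodiscover.mitserv.net')

# Server side: services, names and validity of the enabled certificate.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
$cert | Format-List Subject, CertificateDomains, Services, NotBefore, NotAfter, IsSelfSigned, PrivateKeyExportable

foreach ($n in $expected) {
    if ($cert.CertificateDomains -notcontains $n) {
        Write-Warning "$n is not on the enabled certificate."
    }
}

# Network side: open a TLS connection as an OWA client would and capture the certificate presented.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept anything at handshake time; validation is done explicitly below so a
    # broken chain is reported as a warning instead of lost in an exception.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$served = Get-ServedCertificate -HostName $hostName
if ($served.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Server presented $($served.Thumbprint), not the certificate just enabled; IIS may need a restart."
}

# Build the chain as a relying party would. A missing intermediate shows up
# here as PartialChain or UntrustedRoot rather than as a browser error later.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($served)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Run the network-side part from a workstation rather than from the Exchange server itself: on the server, the Intermediate Certification Authorities store you just filled will silently complete any gap in the chain the server sends, so only a separate client shows whether the intermediate is really being delivered. The same function with -Port 993 or 995 checks IMAP and POP once those services are enabled for TLS.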