There are plenty of sites that will guide you through the steps to upgrade to Exchange 2010. I was on 2003 when I upgraded last week. I followed the following articles:

That being said, I want to cover a particular setup that no one seems to have really touched on with Ex2010. That is how to run it on the ultra cheap and get away with it.

In this tutorial, I will detail the process of creating and installing a self-signed SANS (Subject Alternative Name, SAN) certificate for Exchange. We will also explore what one must do to get Exchange working properly for your users. If you are a small shop and DO NOT want to spend money on a SANS certificate, this tutorial is for you. If you want to learn a little more about OpenSSL for Windows, this might help too.

Our steps are as follows: we are going to create a Certificate Authority which will be used to sign any and all self signed certificates. I will detail how to implement this CA into XP/Vista/7 (tut part 3) so that your server certificates will be accepted on those clients. I will also show you how to create a SANS certificate that will work properly in Exchange 2008 and IIS 7. I will do my best to completely detail this process, but, if there are issues, please let me know.

Let's get started. We are about to download OpenSSL for Windows. First check Add/Remove Programs to see whether you have the Visual C++ 2008 Redistributable. If it is not installed, that is your first task: Google it, or download it from the following site: http://www.slproweb.com/products/Win32OpenSSL.html. Make sure the C++ 2008 Redistributable is installed first (see the warning below) and then download the version of OpenSSL that works for your system. I went for the Win64 OpenSSL 1.0.0 download since I am running Server 2008 x64. Install OpenSSL to your appropriate 'Program Files' directory.

Warning: install the redistributable only if you do not already have it, and make sure you install the right one (x86/x64). I have read numerous bad posts about installing this twice!

What follows is a culmination of knowledge from different posts around the web. None covered the whole process, but I would like to give special props to Reinersmann's Blog. He got me started in a very good way on this. Props to you sir!

Once OpenSSL is installed, open a DOS prompt or explorer window to the directory you installed OpenSSL into. You should see a bunch of directories like (bin, lib, etc). Create a directory next to those folders called SSL. You need to create the following sub directories inside SSL: certs, crl, newcerts, private.

Grab the following two files off of [working on link] and save them to your SSL directory. Once done, open them up and edit anything with [brackets] around it:

DOS on Server
Grab your friendly DOS prompt and get it into that SSL directory you created. At the DOS prompt, issue: echo 100001 >serial . Then create the empty database file with: type nul >certindex.txt (a bare echo >certindex.txt does not produce an empty file in cmd.exe; it writes the text "ECHO is on." into the file, and OpenSSL will later fail to parse that line as a database entry). This gives you a serial number file for your certs and a database called certindex.txt which will hold info on what we are about to do.

Creating a Private Key

At the prompt> ..\bin\openssl genrsa -aes256 -out private\RootCA.key -rand private\.rnd 2048

Creating a Root Certificate (CA) Off of that Private Key
At the prompt> ..\bin\openssl req -config openssl_root.cfg -new -x509 -days 3650 -key private\RootCA.key -out certs\RootCA.cer -rand private\.rnd

Note: The above will create a file called certs\RootCA.cer. This is what you will sign your Exchange certificate with. This would be your "Verisign" certificate if you will. Anyone who holds private\RootCA.key and its passphrase can issue certificates that every client trusting RootCA.cer will accept, so keep the private directory locked down.

Creating an Empty Revocation List
At the prompt> ..\bin\openssl ca -config openssl_root.cfg -gencrl -crldays 3650 -keyfile private\RootCA.key -cert certs\RootCA.cer -out crl\domain.crl

Note: This creates the (empty) revocation list for the CA cert. It will need to be accessible in IIS; I will show you how to do that in a bit.

Exchange
Open up the Exchange Management Shell (Start>All Programs>Exchange Server 2010>EMS)
Here is the key:
[blah] means replace the whole thing including the brackets
CN= should be the Fully Qualified Domain Name (FQDN) that your clients will attempt to connect to
-DomainName: should match what you configured in the openssl_server.cfg file.
Make sure you match the openssl_server.cfg and get rid of the ", [more entries?]"
Italics = fill in the blanks, Bold Italics is important.

Enter Into EMS
EMS Prompt> $Data = New-ExchangeCertificate -GenerateRequest `
  -SubjectName "CN=[internet-intranet-accessible.domain.com], O=[CompanyNameHere], L=[CityHere], ST=[StateHere], C=[CountryHere(2 characters as in US)], OU=[DivisionOfCompanyPublishingCertificate]" `
  -DomainName owa.yourFQDN.com, autodiscover.yourFQDN.com, persephone.yourFQDN.com, www.yourFQDN.com, yourFQDN.com, exchangeServer.yourFQDN.com, exchangeServer, [more entries?] `
  -KeySize 2048 -PrivateKeyExportable:$true

Note: Once done, you need to write the certificate request to file. Make sure the above is 110% correct before running the below as you may find 50 billion cert requests waiting for you later.

EMS Prompt>
Set-Content -Path "c:\endall.csr" -Value $Data

Note: The above creates a certificate request on the Exchange server specifying all of the details of the certificate. You need to MAKE SURE that the -DomainName part matches up with the openssl_server.cfg lines detailed above and contains all of the DNS entries that you want this certificate to cover.

Move and Edit the CSR
Now go to the path you entered into the second Exchange command, in this case c:\endall.csr. Move this file to the SSL directory you are currently working out of in DOS. Once it has been moved/copied, open it with Notepad. You need to remove the empty line between the certificate "crazy letters" (the base64 body) and the "-----END NEW CERTIFICATE REQUEST-----" line, otherwise you will get an error from OpenSSL.

Sign the Exchange Certificate Request
Back to the DOS Prompt> ..\bin\openssl ca -config openssl_server.cfg -name ServerCA -policy policy_anything -in server.csr -out certs\server.cer

(The -in argument is the request file you moved into the SSL directory; if you kept the name from the Set-Content step, that is endall.csr.)

Note: This signs the Exchange cert request with the custom CA you created above. If the domain names were entered correctly in the EMS and also in the openssl_server.cfg file, you will have a beautiful new SANS self-signed cert to play with!
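The whole procedure above (serial and index files, encrypted root key, self-signed root, empty CRL, the CSR clean-up, and signing a SAN request) as an added example that is not part of this tutorial or its config files. It is written for a POSIX shell with OpenSSL rather than the Windows DOS prompt, since the openssl commands are the same; the config file contents, the example.test host names, the server_ext section, the "Demo Root CA" name and the passphrase are all constructed for the demo and are not the author's openssl_root.cfg/openssl_server.cfg. The last function also shows the check a client performs (chain plus host name), which is why a host left out of -DomainName fails even though the certificate itself is fine.

```sh
#!/bin/sh
# Added example (not the tutorial's files): the CA workflow above run end to end with
# OpenSSL in a POSIX shell, including the CSR clean-up the tutorial does in Notepad.
# The config, the example.test names, the server_ext section and the passphrase are
# constructed for this demo; the author's own openssl_*.cfg files are not reproduced.
set -e

# Strip CR characters and blank lines from a PEM request: the Notepad edit as a command.
normalize_csr() {
    tr -d '\r' < "$1" | sed '/^[[:space:]]*$/d' > "$2"
}

# Print the DNS names in a certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Client-style check: cert $2 chains to root $1 AND is valid for host name $3
# (-verify_hostname needs OpenSSL 1.1.0+). A host missing from the SAN list fails here.
check_name() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Minimal CA config. SANs live in [server_ext]; copy_extensions is not set, so SANs in the
# CSR are ignored and only this list reaches the cert: the reason -DomainName must match.
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = ServerCA
[ ServerCA ]
dir = .
database = $dir/certindex.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/certs/RootCA.cer
private_key = $dir/private/RootCA.key
default_md = sha256
default_days = 825
policy = policy_anything
unique_subject = no
[ policy_anything ]
commonName = supplied
organizationName = optional
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = root_ext
[ req_dn ]
CN = Demo Root CA
O = Example Co
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:owa.example.test, DNS:autodiscover.example.test, DNS:mail.example.test
EOF
}

# Build the CA in directory $1 and sign one SAN server certificate into certs/server.cer.
build_demo_ca() (
    cd "$1" || exit 1
    mkdir -p certs crl newcerts private || exit 1
    write_ca_config openssl_server.cfg || exit 1
    echo 100001 > serial
    echo 1000 > crlnumber
    : > certindex.txt   # truly empty; in cmd.exe "echo >certindex.txt" writes "ECHO is on."
    # Encrypted root key, 10-year self-signed root and empty CRL, as in the tutorial.
    openssl genrsa -aes256 -passout pass:ConstructedPassphrase -out private/RootCA.key 2048 || exit 1
    openssl req -config openssl_server.cfg -new -x509 -days 3650 -key private/RootCA.key \
        -passin pass:ConstructedPassphrase -out certs/RootCA.cer || exit 1
    openssl ca -config openssl_server.cfg -gencrl -crldays 3650 \
        -passin pass:ConstructedPassphrase -out crl/domain.crl || exit 1
    # Stand-in for the Exchange request, with the damage Set-Content leaves behind
    # (CRLF endings and a blank line before END) injected, then cleaned before signing.
    openssl genrsa -out private/server.key 2048 || exit 1
    openssl req -config openssl_server.cfg -new -key private/server.key \
        -subj "/CN=owa.example.test/O=Example Co" -out server.csr.clean || exit 1
    awk '/^-----END/ { print "" } { printf "%s\r\n", $0 }' server.csr.clean > server.csr.broken
    normalize_csr server.csr.broken server.csr || exit 1
    # Sign with the CA's server_ext section; -batch skips the interactive y/n prompts.
    openssl ca -config openssl_server.cfg -name ServerCA -policy policy_anything \
        -extensions server_ext -batch -notext -passin pass:ConstructedPassphrase \
        -in server.csr -out certs/server.cer || exit 1
)

demo_dir=$(mktemp -d)
build_demo_ca "$demo_dir"
echo "SANs in the signed certificate:"
cert_sans "$demo_dir/certs/server.cer"
check_name "$demo_dir/certs/RootCA.cer" "$demo_dir/certs/server.cer" owa.example.test
echo "owa.example.test verifies against RootCA.cer"
```

Run it as sh demo-ca.sh; everything lands in a fresh temporary directory. The point to take from it: the signed certificate carries the subjectAltName list from the config, not whatever the request asked for, so the EMS -DomainName list and openssl_server.cfg have to be kept in step by hand, and check_name is the quickest way to confirm a given host name will actually be accepted before you touch Exchange.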

Import Your Certificates

If everything was successful, you are ready to import the certificates into the Certificate Store on the Exchange Server. Do so by:
Start>Run: Type mmc.exe and hit <enter/ok>.
In the MMC window, go to File>Add/Remove Snap-In, select the Certificates snap-in and add it for "Current User". I would add a second Certificates snap-in for Local Computer (this may not be necessary).
Go to the Personal store in each (Current User/Local Computer). Right-click on the Certificates subfolder under Personal and select All Tasks>Import. Add the certificates you have created except for RootCA.cer.
Go to Trusted Root Certification Authorities, right-click on its Certificates subfolder, All Tasks>Import, and import RootCA.cer.
Repeat these steps for the Local Computer certificates (Personal/Trusted Root).

Great you are almost done!

Exchange Management Console
I have only tested this with Server 2008 and Exchange 2010. Mileage may vary. You need to open the Exchange Management Console (Start>All Programs> MS Exchange 2010>EMC). Once the EMC is open click on Server Configuration. Your attention should be directed to the lower middle pane. If all went well, you should have an icon on the far left of each certificate with a very pretty blue check mark on top of it. If so, you are doing great…if not, check the above directions to see if you missed something.

Assign Exchange Services

If you see the blue check mark next to your certificate (you can confirm it is your cert by double-clicking on the name of the cert), you should right click on that certificate and select Assign Services to Certificate. This will take you through a quick wizard which will allow you to select what services use the certificate (POP, IMAP, SMTP, and/or IIS). On the Select Services ‘tab’, I was able to check everything but Unified Messaging. UM should only be checked if you installed it. Other check boxes may give you errors if you have more than one Exchange server running different tasks.

AutoGen Certificate
You will notice in that middle bottom pane that another SSL cert is listed. If you have no need for it, you can remove it.

That should cover everything for this Tut. More to come. (2of3) will focus on IIS and Outlook and (4of4) will focus on phones. Specifically Windows Mobile 6 and Android since my business partner and I carry them.

Any corrections are welcome. So are questions. I hope my English/Grammar was not too bad for you. Thanks for reading TekCrack!


11 Responses to “Creating Your Own Self Signed SANS Certificate for Exchange 2010 and IIS 7.0 (1of3)”

  1. on 06 Jun 2010 at 6:11 am cdrin

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>cd\

    C:\>cd openssl-win64

    C:\OpenSSL-Win64>dir
    Volume in drive C has no label.
    Volume Serial Number is 5076-22F3

    Directory of C:\OpenSSL-Win64

    06/06/2010 12:42 PM .
    06/06/2010 12:42 PM ..
    06/06/2010 12:29 PM bin
    06/01/2010 06:31 AM 407,933 changes.txt
    06/01/2010 06:31 AM 43,836 faq.txt
    06/05/2010 05:49 PM 1,565,184 libeay32.dll
    06/05/2010 05:49 PM 307,200 libssl32.dll
    05/27/2008 11:41 AM 6,279 license.txt
    06/01/2010 06:17 AM 23,910 news.txt
    05/10/2004 04:22 PM 30,423 OpenSSLhelp.chm
    06/01/2010 06:31 AM 9,129 readme.txt
    06/06/2010 12:48 PM SSL
    06/05/2010 05:49 PM 307,200 ssleay32.dll
    06/06/2010 12:29 PM 11,778 unins000.dat
    06/06/2010 12:29 PM 721,694 unins000.exe
    11 File(s) 3,434,566 bytes
    4 Dir(s) 39,649,738,752 bytes free

    C:\OpenSSL-Win64>cd SSL

    C:\OpenSSL-Win64\SSL>echo 100001 >serial

    C:\OpenSSL-Win64\SSL>echo>certindex.txt

    C:\OpenSSL-Win64\SSL>dir
    Volume in drive C has no label.
    Volume Serial Number is 5076-22F3

    Directory of C:\OpenSSL-Win64\SSL

    06/06/2010 12:49 PM .
    06/06/2010 12:49 PM ..
    06/06/2010 12:49 PM 13 certindex.txt
    06/06/2010 12:43 PM certs
    06/06/2010 12:43 PM crl
    06/06/2010 12:43 PM newcerts
    06/06/2010 08:51 AM 2,901 openssl_root.cfg
    06/06/2010 08:50 AM 3,069 openssl_server.cfg
    06/06/2010 12:42 PM private
    06/06/2010 12:49 PM 9 serial
    4 File(s) 5,992 bytes
    6 Dir(s) 39,649,734,656 bytes free

    C:\OpenSSL-Win64\SSL>..\bin\openssl genrsa -aes256 -out private\RootCA.key -rand
    private\.rnd 2048
    Loading ‘screen’ into random state – done
    0 semi-random bytes loaded
    Generating RSA private key, 2048 bit long modulus
    ……………………………………..+++
    ……………………………….+++
    e is 65537 (0x10001)
    Enter pass phrase for private\RootCA.key:
    Verifying – Enter pass phrase for private\RootCA.key:

    C:\OpenSSL-Win64\SSL>..\bin\openssl req -config openssl_root.cfg -new -x509 -day
    s 3650 -key private\RootCA.key -out certs\RootCA.cer -rand private\.rnd
    Enter pass phrase for private\RootCA.key:
    Loading ‘screen’ into random state – done
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ‘.’, the field will be left blank.
    —–
    Land (2stelliger Code) [XX]:NL
    Bundesland [XX]:NL
    Stadt [XX]:AM
    Firma [XX]:NL
    Abteilung [XX]:NL
    Common Name []: removed
    EMail Adresse []: removed
    ===============================================
    C:\OpenSSL-Win64\SSL> ..\bin\openssl ca -config openssl_root.cfg -gencrl -crlday
    s 3650 -keyfile private\RootCA.key -cert certs\RootCA.cer -out crl\domain.crl
    Using configuration from openssl_root.cfg
    Loading ‘screen’ into random state – done
    Enter pass phrase for private\RootCA.key:
    \\Server\Project\SSL\RootCA\index.txt: No such file or directory
    unable to open ‘\\Server\Project\SSL\RootCA\index.txt’
    4188:error:02001043:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:3
    92:fopen(‘\\Server\Project\SSL\RootCA\index.txt’,’rb’)
    4188:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:39
    4:
    ===================================================
    C:\OpenSSL-Win64\SSL>

    Hello, I can't fix the error between the ====== lines.
    Maybe you can give me a clue.

  2. on 08 Jun 2010 at 12:09 pm Chuckster

    Hello, I read your comments on the MS page and came here to see what you had to offer. I would like to say thank you for this walk through. At least now when I get the error I have some knowledge of why I am getting it. Thanks again for your post. I do not have Exchange and I am using 2008 as a file server and I still get the error. I am going to try to do the self cert to see if that solves the problem in the event logs. Thanks again.

  3. on 02 Jul 2010 at 2:05 pm TheKidd

    No problem. If you have any issues, feel free to ask.

  4. on 02 Jul 2010 at 2:06 pm TheKidd

    This is just a quick guess, but it looks like you are getting the error because the '\\Server\Project\SSL\RootCA\index.txt' is either missing or you don't have permissions to access it. If it is missing, you may just want to open Notepad and save a blank text file in that exact location. I could be wrong, but I believe that index.txt file is needed to keep track of the serial of each generated cert.

  5. [...] My current self signed CA Root and normal cert were setup between Exchange 2010/IIS 7.0 and OpenSSL. The clients will be remote so I do not want to use Microsoft’s Certificate Authority. You can see how I developed the certs at http://www.tekcrack.com/creating-your-own-self-signed-sans-certificate-for-exchange-2010-and-iis-70-… [...]

  6. on 05 Sep 2010 at 2:44 pm garbage

    This is garbage. Missing links. Broken links and missing steps. Generate a CRL but you do nothing with it.

  7. on 02 Oct 2010 at 1:05 pm TheKidd

    They worked when I posted. Am sorry the links were broken. I will investigate.

  8. on 02 Oct 2010 at 1:14 pm TheKidd

    Links on the article have been fixed. Not sure why they lost the actual URL and were replaced by some random Javascript crap, but again, my apologies.

  9. on 23 Nov 2010 at 5:01 pm dave

    Hey, I'm trying to create the revocation list and get a "Wrong number of fields on line 1 (looking for field 6, got 1, " left)" error. What's that mean?

  10. on 19 Apr 2011 at 1:57 pm ke3ju

    “Grab the following two files off of [working on link] and save them to your SSL directory.”

    What is "[working on link]"?

  11. on 27 May 2011 at 3:08 am Rene WIeldraaijer

    Just use selfssl7. Much easier and does the job just as well for this purpose.

    http://geekswithblogs.net/renewieldraaijer/archive/2011/05/11/self-signed-san-certificates.aspx
