May 8th, 2010 by TheKidd
There are plenty of sites that will guide you through the steps to upgrade to Exchange 2010. I was on 2003 when I upgraded last week. I followed the following articles:
That being said, I want to cover a particular setup that no one seems to have really touched on with Ex2010. That is how to run it on the ultra cheap and get away with it.
In this tutorial, I will detail the process of creating and installing a SAN (Subject Alternative Name) certificate for Exchange, signed by a private Certificate Authority that you run yourself (this is what most posts loosely call a "self-signed" certificate). We will also cover what one must do to get Exchange working properly for your users. If you are a small shop and DO NOT want to spend money on a commercial SAN certificate, this tutorial is for you. If you want to learn a little more about OpenSSL for Windows, this might help too.
Our steps are as follows: we are going to create a Certificate Authority which will be used to sign any and all certificates we issue. I will detail how to install this CA's root certificate on XP/Vista/7 (tut part 3) so that your server certificates will be accepted on those clients. I will also show you how to create a SAN certificate that will work properly in Exchange 2010 and IIS 7. I will do my best to completely detail this process, but, if there are issues, please let me know.
Lets get started. We are about to download OpenSSL for Windows. First check Add/Remove Programs to see whether the Visual C++ 2008 Redistributable is installed. If it is not, that is your first task: Google it, or download it from the same site as OpenSSL: http://www.slproweb.com/products/Win32OpenSSL.html. Make sure the C++ 2008 redistributable is installed first and then download the version of OpenSSL that matches your system. I went for the Win64 OpenSSL 1.0.0 download since I am running Server 2008 x64. Install OpenSSL to your appropriate 'Program Files' directory.
Warning: install the redistributable only if you do not already have it, and make sure you install the right one (x86/x64). I have read numerous bad posts about installing this twice!
What follows is a compilation of knowledge from different posts around the web. None covered it, but I would like to give special props now to Reinersmann's Blog. He got me started in a very good way on this. Props to you sir!
Once OpenSSL is installed, open a DOS prompt or Explorer window in the directory you installed OpenSSL into. You should see directories like bin, lib and so on. Create a directory next to those called SSL, and inside SSL create these four subdirectories: certs, crl, newcerts, private.
Grab the following two files (openssl_root.cfg and openssl_server.cfg, which the commands below refer to) off of [working on link] and save them to your SSL directory. Once done, open them up and edit anything with [brackets] around it:
DOS on Server
Grab your friendly DOS prompt and change into the SSL directory you just created. At the prompt, issue: echo 100001 >serial . Then issue: type nul >certindex.txt (not echo >certindex.txt: with no arguments, echo writes "ECHO is off." into the file, and openssl ca will then reject the index as malformed). The first creates the serial number file for your certs; the second creates the empty database, certindex.txt, in which OpenSSL records every certificate it signs.
Creating a Private Key
At the prompt> ..\bin\openssl genrsa -aes256 -out private\RootCA.key -rand private\.rnd 2048
Note: -aes256 encrypts the key with a passphrase that you will be asked for every time you sign something. This key is the whole root of trust for your clients: anything it signs, they will accept. Keep it out of any directory IIS serves and back it up somewhere offline.
Creating a Root Certificate (CA) Off of that Private Key
At the prompt> ..\bin\openssl req -config openssl_root.cfg -new -x509 -days 3650 -key private\RootCA.key -out certs\RootCA.cer -rand private\.rnd
Note: The above creates a file called certs\RootCA.cer, valid for ten years. This is what you will sign your Exchange certificate with, and it is the one file you will later install on every client. This would be your "Verisign" certificate if you will.
Creating an Empty Revocation List
At the prompt> ..\bin\openssl ca -config openssl_root.cfg -gencrl -crldays 3650 -keyfile private\RootCA.key -cert certs\RootCA.cer -out crl\domain.crl
Note: This creates the (currently empty) revocation list for the CA. Clients that check revocation will look for it at the URL named in the certificate, so it will need to be published by IIS. I will show you how to do that in a bit.
Open up the Exchange Management Shell (Start>All Programs>Exchange Server 2010>EMS).
Here is the key to the command below:
[blah] means replace the whole thing, including the brackets.
CN= should be the Fully Qualified Domain Name (FQDN) that your clients will attempt to connect to.
-DomainName: every other name the certificate must cover. It should match exactly what you configured in openssl_server.cfg, because the names OpenSSL actually writes into the signed certificate come from that file, so the two lists must agree.
Remove the trailing ", [more entries?]" once you have entered all of your names.
Bracketed items are fill-in-the-blanks; the -DomainName list is the important part.
Enter Into EMS
EMS Prompt> $Data = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=[internet-intranet-accessible.domain.com], O=[CompanyNameHere], L=[CityHere], ST=[StateHere], C=[CountryHere(2 characters as in US)], OU=[DivisionOfCompanyPublishingCertificate]" -DomainName owa.yourFQDN.com, autodiscover.yourFQDN.com, persephone.yourFQDN.com, www.yourFQDN.com, yourFQDN.com, exchangeServer.yourFQDN.com, exchangeServer, [more entries?] -KeySize 2048 -PrivateKeyExportable:$true
Note: Once done, you need to write the certificate request to a file. Make sure the above is 110% correct before running it: every run creates a new pending request in the Exchange certificate list (Get-ExchangeCertificate shows them with a Status of PendingRequest) that stays there until you delete it with Remove-ExchangeCertificate, so get it wrong a few times and you may find 50 billion cert requests waiting for you later.
EMS Prompt> Set-Content -Path "c:\endall.csr" -Value $Data
Note: The above writes the certificate request, which carries all of the details of the certificate, to a file on the Exchange server. The private key never leaves this server; it sits in the Local Computer certificate store, and that is where the signed certificate has to come back to. You need to MAKE SURE that the -DomainName part matches up with the openssl_server.cfg lines detailed above and contains all of the DNS entries that you want this certificate to cover.
Move and Edit the CSR
Now go to the path you entered into the second Exchange command, in this case c:\endall.csr. Copy it into the SSL directory you are working out of in DOS and name it server.csr (that is the name the signing command below expects). Then open it with Notepad and delete the empty line between the base64 "crazy letters" and the -----END NEW CERTIFICATE REQUEST----- line; otherwise OpenSSL will complain about a bad end line and refuse the request. OpenSSL does understand the NEW CERTIFICATE REQUEST header itself, so leave that alone.
Sign the Exchange Certificate Request
Back to the DOS Prompt> ..\bin\openssl ca -config openssl_server.cfg -name ServerCA -policy policy_anything -in server.csr -out certs\server.cer
Note: This signs the Exchange cert request with the custom CA you created above. -name ServerCA picks the CA section in openssl_server.cfg, and -policy policy_anything picks the policy section that decides which subject fields must be present. Answer y to the two prompts (sign, then commit). If the domain names were entered correctly in the EMS and also in openssl_server.cfg, you will have a beautiful new SAN cert, signed by your own CA, in certs\server.cer (OpenSSL also keeps a copy under newcerts\ named after its serial number).
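The whole OpenSSL side of this tutorial, from the directory layout through signing and verification, as one PowerShell script. This is an added example of my own, not the author's files: the page does not include openssl_root.cfg or openssl_server.cfg, so the ones written below are example configs that fit the commands above (a ServerCA section for -name, a policy_anything section for -policy, and an [alt_names] list that must agree with -DomainName). It assumes OpenSSL is installed in C:\OpenSSL-Win64, that the request from EMS was saved to C:\endall.csr, and uses placeholder hostnames; change all three to match your setup.

```powershell
# Added example: my own script, not the author's config files (this page does not
# include them). It covers the OpenSSL side end to end: directory layout,
# openssl_root.cfg / openssl_server.cfg, root CA and CRL, CSR clean-up, signing and
# verification. Assumptions: OpenSSL in C:\OpenSSL-Win64, request at C:\endall.csr.
$OpenSslHome = 'C:\OpenSSL-Win64'                 # assumption: your install directory
$openssl     = Join-Path $OpenSslHome 'bin\openssl.exe'
$ssl         = Join-Path $OpenSslHome 'SSL'
$csrFromEms  = 'C:\endall.csr'                    # assumption: file written by Set-Content in EMS
$sans = 'owa.yourFQDN.com', 'autodiscover.yourFQDN.com', 'exchangeServer.yourFQDN.com', 'exchangeServer'  # = -DomainName

# 1. Layout, serial and index. The index must be a truly empty file: in cmd.exe
#    "echo >certindex.txt" writes "ECHO is off." and openssl ca rejects that line.
foreach ($d in 'certs', 'crl', 'newcerts', 'private') {
    New-Item -ItemType Directory -Path (Join-Path $ssl $d) -Force | Out-Null
}
Set-Location $ssl
if (-not (Test-Path serial))        { Set-Content -Path serial -Value '100001' -Encoding Ascii }
if (-not (Test-Path certindex.txt)) { New-Item -ItemType File -Path certindex.txt | Out-Null }
$env:RANDFILE = Join-Path $ssl 'private\.rnd'     # seed file, avoids "unable to write 'random state'"

# 2. Config files. The CA body is shared; the server file adds the extensions
#    and the [alt_names] list that -DomainName in EMS has to agree with.
$caBody = @'
dir              = .
certs            = $dir/certs
crl_dir          = $dir/crl
new_certs_dir    = $dir/newcerts
database         = $dir/certindex.txt
serial           = $dir/serial
certificate      = $dir/certs/RootCA.cer
private_key      = $dir/private/RootCA.key
default_md       = sha256
default_days     = 3650
default_crl_days = 3650
unique_subject   = no                  # allows re-issuing the same CN after a mistake
policy           = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
'@
$altNames = ($sans | ForEach-Object -Begin { $n = 0 } -Process { $n++; "DNS.$n = $_" }) -join "`r`n"
@"
[ ca ]
default_ca = RootCA
[ RootCA ]
$caBody
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = root_dn
x509_extensions    = root_ext
[ root_dn ]
C  = US
O  = CompanyNameHere
CN = CompanyNameHere Private Root CA
[ root_ext ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"@ | Set-Content -Path openssl_root.cfg -Encoding Ascii
@"
[ ca ]
default_ca = ServerCA
[ ServerCA ]
x509_extensions = server_ext
$caBody
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
crlDistributionPoints  = URI:http://www.yourFQDN.com/domain.crl   # assumption: where IIS will serve crl\domain.crl
subjectAltName         = @alt_names
[ alt_names ]
$altNames
"@ | Set-Content -Path openssl_server.cfg -Encoding Ascii

# 3. Passphrase-protected root key, ten-year root cert, empty CRL. Anything this
#    key signs your clients will trust, so keep it out of every IIS-served folder.
& $openssl genrsa -aes256 -out private\RootCA.key 2048
& $openssl req -config openssl_root.cfg -new -x509 -days 3650 -key private\RootCA.key -out certs\RootCA.cer
& $openssl ca -config openssl_root.cfg -gencrl -crldays 3650 -keyfile private\RootCA.key -cert certs\RootCA.cer -out crl\domain.crl
# 4. The EMS request: drop blank lines (OpenSSL rejects the empty line before the
#    END marker) and confirm which names the request really carries.
Get-Content $csrFromEms | Where-Object { $_.Trim() -ne '' } | Set-Content -Path server.csr -Encoding Ascii
& $openssl req -in server.csr -noout -text | Select-String 'DNS:'
# 5. Sign. Names come from [alt_names]; openssl ca ignores extensions inside the
#    CSR unless copy_extensions = copy is set, which is only safe for CSRs you
#    generated yourself. -batch skips the y/n prompts, -notext keeps pure PEM.
& $openssl ca -config openssl_server.cfg -name ServerCA -policy policy_anything -batch -notext -in server.csr -out certs\server.cer
# 6. Verify the chain and the names before importing anything.
& $openssl verify -CAfile certs\RootCA.cer certs\server.cer
& $openssl x509 -in certs\server.cer -noout -text | Select-String 'Issuer:|Not After|DNS:'
```

The config files are the part the author left to a download. The two lists have to agree because openssl ca takes the SubjectAltName from [alt_names] in the config and silently drops whatever extensions the CSR contains. If you would rather let the request supply the names, add copy_extensions = copy to the ServerCA section; then every name a CSR carries gets signed, so never do that on a CA that signs requests you did not generate yourself. -notext matters for the import step: without it the output file starts with a human-readable dump of the certificate ahead of the PEM block, which the Windows importer does not want.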
Import Your Certificates
If everything was successful, you are ready to import the certificates into the certificate store on the Exchange server. Do so by:
Start>Run: type mmc.exe and hit <enter/ok>.
In the MMC window, go to File>Add/Remove Snap-In, select the Certificates snap-in and add it for "Computer account" (Local Computer). That is the store Exchange reads. Adding a second Certificates snap-in for "My user account" (Current User) is optional and only affects your own logon.
Go to the Personal store under Local Computer. Right-click its Certificates subfolder, select All Tasks>Import, and import the signed certificate, certs\server.cer (not RootCA.cer). Because the private key was created on this server by New-ExchangeCertificate, the import pairs the certificate with that key and completes the pending request; if the imported certificate shows up without a private key, certutil -repairstore my <thumbprint> re-links it.
Go to Trusted Root Certification Authorities, right-click its Certificates subfolder, All Tasks>Import, and import certs\RootCA.cer. This is what makes the chain valid on the server itself.
If you also added the Current User snap-in, repeat the same two imports there (Personal/Trusted Root).
Great you are almost done!
Exchange Management Console
I have only tested this with Server 2008 and Exchange 2010. Mileage may vary. You need to open the Exchange Management Console (Start>All Programs> MS Exchange 2010>EMC). Once the EMC is open click on Server Configuration. Your attention should be directed to the lower middle pane. If all went well, you should have an icon on the far left of each certificate with a very pretty blue check mark on top of it. If so, you are doing great…if not, check the above directions to see if you missed something.
Assign Exchange Services
If you see the blue check mark next to your certificate (you can confirm it is your cert by double-clicking on the name of the cert), you should right click on that certificate and select Assign Services to Certificate. This will take you through a quick wizard which will allow you to select what services use the certificate (POP, IMAP, SMTP, and/or IIS). On the Select Services ‘tab’, I was able to check everything but Unified Messaging. UM should only be checked if you installed it. Other check boxes may give you errors if you have more than one Exchange server running different tasks.
You will notice in that middle bottom pane that another SSL cert is listed. That is the self-signed certificate Exchange created for itself during setup. Leave it in place until your new certificate has the services assigned and clients are connecting without warnings; after that, if you have no need for it, you can remove it.
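The import and the "Assign Services to Certificate" wizard done from the Exchange Management Shell instead of MMC and the EMC, as an added example that is not part of the original post. It assumes the files are still under C:\OpenSSL-Win64\SSL and that it runs in EMS on the server that ran New-ExchangeCertificate, since the private key exists only there.

```powershell
# Added example, not part of the original post: the EMS equivalent of the MMC
# import and the "Assign Services to Certificate" wizard. Assumptions: files under
# C:\OpenSSL-Win64\SSL; run in the Exchange Management Shell on the server that
# generated the request (the private key lives in its Local Computer store).
$ssl  = 'C:\OpenSSL-Win64\SSL'                  # assumption
$root = Join-Path $ssl 'certs\RootCA.cer'
$srv  = Join-Path $ssl 'certs\server.cer'

# 1. Trust the private root machine-wide (Local Computer\Trusted Root Certification Authorities).
$x509  = 'System.Security.Cryptography.X509Certificates'
$store = New-Object "$x509.X509Store" 'Root', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add((New-Object "$x509.X509Certificate2" $root))
$store.Close()

# 2. Complete the pending request. Exchange matches the signed cert to the key it
#    generated and places the pair in Local Computer\Personal.
$cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($srv))

# 3. Look before you assign: Status must be Valid (the root is trusted now),
#    IsSelfSigned False, and CertificateDomains the full -DomainName list.
$cert | Format-List Subject, CertificateDomains, NotAfter, Status, IsSelfSigned, Thumbprint

# 4. The wizard's checkboxes. Leave UM out unless Unified Messaging is installed.
#    -Force answers the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force

# 5. Review the list: each stale GenerateRequest run shows as PendingRequest, and
#    the install-time self-signed cert is the one to remove only after clients work.
Get-ExchangeCertificate | Format-Table Thumbprint, Status, IsSelfSigned, Services, CertificateDomains -AutoSize
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' }
# Remove-ExchangeCertificate -Thumbprint <thumbprint of a stale request or of the old self-signed cert>
```

The check in step 3 is the shell version of the blue check mark in the EMC: a Status other than Valid means the root is not in the Local Computer Trusted Root store, and an empty CertificateDomains means the names never made it into the signed certificate and the openssl_server.cfg list needs fixing before you assign anything.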
That should cover everything for this Tut. More to come. (2of3) will focus on IIS and Outlook and (4of4) will focus on phones. Specifically Windows Mobile 6 and Android since my business partner and I carry them.
Any corrections are welcome. So are questions. I hope my English/Grammar was not too bad for you. Thanks for reading TekCrack!