Generating an SSL Certificate for Exchange 2007 from a Certificate Authority

When a new Exchange 2007 environment is set up, although the default Web site on the Exchange 2007 Client Access Server is automatically configured with a default, self-signed certificate, this certificate is not supported for Outlook Anywhere.
We get the following warning.



To solve this problem we will first install a "Certificate Authority" on our domain.
This can be done on 2008 Server by adding the "Active directory Certificate Services" role.

First We create a "certificate request" command by the wizard provided on "https://www.digicert.com/easy-csr/exchange2007.htm"



Copy your generated command and execute it Exchange Management Console (EMC).



A certificate request will be created on the file path specified in the command. (Note that in Exchange 2010, remove the path, and the cert request will be displayed on the screen. Copy it to notepad.) We can now submit the certificate request to the Microsoft certificate authority. One way to do this is to open a browser on your "DC" and type http://dc_name/certsrv. On the Welcome page, click Request a certificate.



On the Request a Certificate page, click Advanced Certificate Request

On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Open the generated certificate request file in "notepad" and copy the text.

Paste the content of the certificate request file into the "Base-64-encoded window as shown in the figure below. Then select Web Server in the certificate template drop-down menu and click Submit.



The certificate has now been issued and you can download a DER or Base 64 encoded version by clicking Download certificate or Download certificate chain. Let us select Base 64 encoded followed by clicking Download certificate chain.

It is time to import the issued certificate in Exchange 2007, using the Import-ExchangeCertificate cmdlet. We do this by typing the following command in Exchange 2007:

Import-ExchangeCertificate –Path c:\certnew.p7b

( For Exchange 2010: Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certName.p7b -Encoding byte -ReadCount 0)) )

The certificate has now been imported to the personal certificate store.

To verify the certificate looks like expected, let’s now type the following command:

Get-ExchangeCertificate -Thumbprint thumbprint | FL

Finally we need to enable the certificate for the client services, our end-users will use to connect to their mailboxes. In this setup I will enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4. To do so we need to type:

Enable-ExchangeCertificate –Thumbprint thumbprint -Services “IIS, POP, IMAP”



Also import the certificate to personal certificates through certificates console.


Note: Help has been taken from "http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.html"