Install SSL Certificate: Microsoft Exchange 2007 Server
Follow these instructions to install your GeoTrust SSL certificate for Microsoft Exchange 2007 Server. Start at step 5 if you already have your SSL certificate.
 |
Unified Communications Certificate
|
Generate a Certificate Signing Request (CSR) and install SSL certificate for Microsoft Exchange 2007.
- Use the New-ExchangeCertificate cmdlet
to create the certificate signing request file. Refer to the table below
for an
explanation of the various
command options.
New-ExchangeCertificate –generaterequest –subjectname "O=My Corporation Inc, OU=Internet Sales, C=US, S=California, L=Los Angeles, CN=exchange.mydomain.com" –privatekeyexportable:1 -keysize 1024 –path c:\certrequest.txt - Open the CSR text file you created in step 1 (c:\certrequest.txt)
in a simple text editor, such as Notepad. You will need the contents
of this file during the SSL certificate purchase process. Below is
an example of
what your CSR will look like.
-----BEGIN CERTIFICATE REQUEST----- MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAw DgYDVQQHEwdBdGxhbnRhMREwDwYDVQQKEwhHZW9DZXJ0czEaMBgGA1UECxMRSW5l cm5ldCBNYXJrZXRpbmcxGTAXBgNVBAMTEHd3dy5nZW9jZXJ0cy5jb20xITAfBgkq hkiG9w0BCQEWEmFkbWluQGdlb2NlcnRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEA5KOi+RnRzBuBQeFYjrwZg1sfT7zr4L8j0Khuoj621x+lGBmFC76c kGclUIQBmuyp9T9NrNqAjGtEmgdFr6cWLJtgXgi+BaZDLX9BMYF49NuTggNoEUMX crQRAENHb2YthG2SEcF5p98RNcDPzWOA3a4AMvgkxDlDGYUhbcQhnt0CAwEAAaAA MA0GCSqGSIb3DQEBBAUAA4GBAIapt6Tw0BTYUwEAX0/oKvaaN/ghErR85jdW7xOD b1hL0yNfb495A7e/IQyBEP5a/v+QUOtibHS4geiPhH9etAI+DSQmctjbf6dMGJql gCXGwlsTbjPOSmNT+/X2Uvf1BlplwqAMDghEuFHsjshlypz1NEg94ri2K9N1VrBs
+iAv
-----END CERTIFICATE REQUEST----- - Purchase certificate. If you haven’t already, create a GeoCerts SSL Manager portal login account here. Login to your SSL Manager account and select the Buy Now tab. Select the Unified Communications Power Server ID SSL certificate product if you plan to use additional SAN server names.
- Submit contents of CSR. During the purchase process you will be asked to copy-and-paste the contents of the CSR file into a box. Additionally, if you're buying a Power Server ID Unified Communications Certificate certificate, you’ll be asked to type in up to three additional server names to be included in the Subject Alternative Name fields of the finished SSL certificate (these are optional).
- Your new SSL certificate will
be sent to you by email. The email message includes the web server
certificate that you purchased in the body of the email message. Copy
the certificate
from the body of the email and paste it into a simple text editor,
such as Notepad.
- Save this as c:\mydomain.cer or other location where you can find it later. The name and location of the file are not important.
- Import the SSL certificate using from the previous
step using Exchange Management Shell command Import-ExchangeCertificate.
Import-ExchangeCertificate –path c:\mydomain.cer - Determine the SSL certificate thumbprint using the
following command.
Get-ExchangeCertificate –DomainName "example.mydomain.com" - Copy the thumbprint and then use the following command
to assign the SSL certificate to your IIS web server, POP3, and IMAP4
servers. You
will need to select “QuitEdit Mode" from the properties of
the command window.
Enable-ExchangeCertificate –thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"
Your site's Common Name (CN) is the fully-qualified-domain name for your web site or mail server. You should put whatever your end-users will type to access OWA, such as mail.mydomain.com. What ever your end-user will see in their browser's address bar is what you should put in here. Do not include http:// nor https://. Refer to the CSR Input Fields table below for examples. If this is wrong, your certificate will not work properly.
Note: if you plan to purchase a Power Server ID Unified Communications Certificate, which secures up to four server names, you only include the main external FQDN when generating the CSR request. You will be asked to provide manually type in up to three additional Subject Alternative Names (SAN) server names during the order process.
When creating a CSR you must follow these conventions. Enter the information to be displayed in the certificate. The following characters cannot be accepted: < > ~ ! @ # $ % ^ / \ ( ) ? , &
| Field | Explanation | Example |
|---|---|---|
| Common Name (CN) (host name, FQDN, etc.) |
The fully qualified domain name for your web server. This must be an exact match. | If you intend to secure the URL https://www.domain.com,
then your CSR's common name must be "www.domain.com". For https://secure.domain.com it must be "secure.domain.com". For just https://domain.com it must be just "domain.com". For https://owa.mailserver.net it must be "owa.mailserver.net". A Wildcard for https://sub.primary-domain.com must be "*.primary-domain.com". The asterisk must be included for Wildcard CSR's. |
| Organization (O) | The exact legal name of your organization. Do not abbreviate your organization name. | Metro Realty LLC or Flowers by Jenny |
| Organizational Unit (OU) | Section of the organization | Sales Division or IT or Marketing |
| City or Locality (L) | The city where your organization is legally located. Cannot be abbreviated. | Boston |
| State (S) or Province | The state or province where your organization is legally located. Cannot be abbreviated. | Massachusetts |
| Country (C) | The two-letter ISO abbreviation for your country. | US, CA, GB, (must be two-letters) |
| Any email address. This field is arbitrary but must be filled in. GeoTrust will not use this email address to process your order. | user@domain.com | |
| Key Bit Length | The key bit length has to do with the initial key exchange, not the encryption strength of your certificate. | GeoTrust recommends a key bit length of at least 1024 |
bitscan™