Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

If you have a Common Name certificate or Subject Alternative Name certificate in Exchange webmail or other website and you would like to change that to wild card certificate to consolidate your certificate uses in wide variety of infrastructure and save money. You can do so safely with a minor downtime with no or little loss of productivity.

Microsoft accept certified SSL provider which are recorded in this url

Here is a guide lines how to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

  • Common Name: *
  • SAN: N/A
  • Organisation: Your Company
  • Department: ICT
  • City: Perth
  • State: WA
  • Country: Australia
  • Key Size: 2048

Step3: Generate a wildcard certificate request

You can use to generate a certificate command for exchange server.

New-ExchangeCertificate -GenerateRequest -Path c:star_your_company.csr -KeySize 2048 -SubjectName “c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*” -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference

1. Click

2. Provide the common name, technical contact e-mail address associated with the SSL order,
and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click on the link listed in the e-mail to enter the User Portal Click View Certificate Information. Select the appropriate PKCS#7 or  X.509 format from the drop down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with .p7b extension.

5. Save the certificate locally and install per the server software. 

Step5: Locate and Disable the Existing CA certificate

Now this step is a disruptive step for webmail. You must do it after hours.

1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties

4. In the Certificate purposes section, select  Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.

Step6: Install Certificate

To install a SSL certificate onto Microsoft Exchange, you will need to use the Exchange
Management Shell (EMS). Microsoft reference

1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example

Import-ExchangeCertificate -Path C:newcert.p7b | Enable-ExchangeCertificate –Services  “SMTP, IMAP, POP, IIS”

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.

For Example Get-ExchangeCertificate -DomainName

4. In the Services column, letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services ” IIS”

Step7: Configure Outlook settings

Microsoft reference

To use the Exchange Management Shell to configure Autodiscover settings by using the Set-OutlookProvider cmdlet if you are using Exchange 2007.

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*

To change Outlook 2007 connection settings to resolve a certificate error

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

The following Step8 to Step 10 is for Forefront TMG 2010 configuration only. If you are using different method to publish Exchange then you don’t need to follow these steps. Use help file of your firewall/Edge product to configure SSL.

Open Exchange Management Shell, run

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB

010e -BinaryEncoded:$true -Path c:certificatesexport.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1.Click Start and select Run and tape mmc
2.Click on the  File menu and select   Add/Remove Snap in
3.Click  Add, select Certificates among the list of   Standalone Snap-in and click   Add
4.Choose   Computer Account and click   Next
5.Choose   Local Computer and click   Finish
6.Close the window and click OK on the upper window
7.Go to Personal then Certificates
8.Right click, choose All tasks then Import
9.A wizard opens. Select the file holding the certificate you want to import.
10.Then validate the choices by default
11.Make sure your certificate appears in the list and that the intermediary and root certificates are in their respective files. If not, place them in the appropriate file and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On the mobile phone, open browser, type and log in using credential.

Make sure no certificate warning shows on IE.

Use the RapidSSL Installation Checker to verify your certificate.

Relevant References

Request an Internet Server Certificate (IIS 7)

Using wildcard certificates

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , , , , , , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s