If you have a Common Name or Subject Alternative Name (SAN) certificate on Exchange webmail or another website and want to replace it with a wildcard certificate, so that one certificate can be reused across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.
Microsoft accepts certificates from the SSL providers listed at http://support.microsoft.com/kb/929395/en-us
Here are the guidelines to accomplish this objective.
Step1: Check Current Exchange SSL Certificate
Open the Exchange Management Shell and issue the Get-ExchangeCertificate command. Record the output (thumbprints, subjects and enabled services) for future reference.
Step2: Record Proposed Exchange SSL Wildcard Certificate
- Common Name: *.yourdomain.com.au
- SAN: N/A
- Organisation: Your Company
- Department: ICT
- City: Perth
- State: WA
- Country: Australia
- Key Size: 2048
Step3: Generate a wildcard certificate request
You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate the certificate request command for the Exchange server.
New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au" -PrivateKeyExportable $True
Step4: Sign the certificate request and download SSL certificate in PKCS#7 format
For more information, see the help file of your certificate provider. As an example, I am using RapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808
2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the GeoTrust User Authentication page.
3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.
4. Click the link in the e-mail to enter the User Portal, then click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select the PKCS#7 format and save the file with a .p7b extension.
5. Save the certificate locally and install per the server software.
Step5: Locate and Disable the Existing CA certificate
This step is disruptive for webmail, so you must do it after hours.
1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292
2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right-click the certificate and select Properties.
4. In the Certificate purposes section, select Disable all purposes for this certificate, then click OK.
5. Close the MMC without saving the console settings.
Step6: Install Certificate
To install an SSL certificate on Microsoft Exchange, you need to use the Exchange Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
1. Copy the SSL certificate file (for example newcert.p7b) to C:\ on your Exchange server.
2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For example:
Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.
For example: Get-ExchangeCertificate -DomainName yourdomain.com.au
4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn't properly enabled, re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -Thumbprint argument, such as: Enable-ExchangeCertificate -Thumbprint [paste] -Services "IIS"
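The following script is an added example, not code from the original post, that ties Steps 1, 3 and 6 together in the Exchange Management Shell: it snapshots the existing certificates before anything changes, generates the wildcard request with the Step 2 subject, and after the signed PKCS#7 file is back, imports it, enables it and checks that the IIS binding actually moved to the new certificate. The domain, company details and file paths are placeholders taken from the steps above.

```powershell
# Added example (not code from the original post): Steps 1, 3 and 6 in one script.
# Assumptions: Exchange 2007 Management Shell; the domain, company details and
# file paths below are placeholders matching Step 2.

$domain   = 'yourdomain.com.au'
$csrPath  = 'C:\star_your_company.csr'
$p7bPath  = 'C:\newcert.p7b'
$snapshot = 'C:\exchange-certs-before.csv'

# Step 1: record every certificate and its service bindings before touching anything,
# so the old thumbprint can be re-enabled if the change has to be rolled back.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, Services,
        @{ Name = 'Domains'; Expression = { $_.CertificateDomains -join ';' } } |
    Export-Csv -Path $snapshot -NoTypeInformation

# Step 3: generate the wildcard request. The subject must match Step 2 exactly;
# the key stays exportable because Step 8 needs a PFX for the TMG server.
if (-not (Test-Path $csrPath)) {
    New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
        -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.$domain" `
        -PrivateKeyExportable $true
}

# Step 6 runs only once the CA has returned the signed PKCS#7 file (Step 4).
if (Test-Path $p7bPath) {
    # Capture the imported object instead of piping straight into Enable-ExchangeCertificate,
    # so the thumbprint is available for the verification below.
    $new = Import-ExchangeCertificate -Path $p7bPath
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'SMTP, IMAP, POP, IIS'

    # Verification: the wildcard certificate must carry IIS and must not be close to expiry,
    # and no older certificate for this domain should still hold the IIS binding.
    foreach ($c in Get-ExchangeCertificate -DomainName $domain) {
        $services = $c.Services.ToString()
        if ($c.Thumbprint -eq $new.Thumbprint) {
            if ($services -notmatch 'IIS') {
                Write-Warning "Wildcard certificate $($c.Thumbprint) is not bound to IIS: $services"
            }
            if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
                Write-Warning "Wildcard certificate expires on $($c.NotAfter)"
            }
        } elseif ($services -match 'IIS') {
            Write-Warning "Old certificate $($c.Thumbprint) ($($c.Subject)) is still bound to IIS"
        }
    }
}
```

Run it twice: once before submitting the CSR (only the snapshot and request are produced) and again after newcert.p7b is in place. The CSV written in the first run is the rollback record; the warnings in the second run are the check that Step 6 item 4 describes, done without reading the Services column by eye.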
Step7: Configure Outlook settings
Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au
To change Outlook 2007 connection settings to resolve a certificate error
1. In Outlook 2007, on the Tools menu, click Account Settings.
2. Select your e-mail address listed under Name, and then click Change.
3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.
4. Select the Connect using SSL only check box.
5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.
6. Click OK, and then click OK again.
7. Click Next. Click Finish. Click Close.
8. The new setting will take effect after you exit Outlook and open it again.
Step8: Export Certificate from Exchange in .pfx format
Steps 8 to 10 apply to Forefront TMG 2010 configuration only. If you publish Exchange a different way, you do not need to follow these steps; use the help file of your firewall/edge product to configure SSL.
Open the Exchange Management Shell and run:
Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password
Step9: Import certificate in TMG 2010
1. Click Start, select Run and type mmc.
2. Click the File menu and select Add/Remove Snap-in.
3. Click Add, select Certificates from the list of Standalone Snap-ins and click Add.
4. Choose Computer Account and click Next.
5. Choose Local Computer and click Finish.
6. Close the window and click OK in the upper window.
7. Go to Personal, then Certificates.
8. Right-click, choose All Tasks, then Import.
9. A wizard opens. Select the file holding the certificate you want to import.
10. Accept the default choices.
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.
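Steps 8 and 9 can also be done from PowerShell. The script below is an added example, not the original post's code: the first part exports the PFX from Exchange, the second part imports it into the TMG server's machine store with the .NET certificate classes (Import-PfxCertificate does not exist on Windows Server 2008 R2, which TMG 2010 runs on) and then performs the check from item 11, building the chain to confirm the intermediate and root certificates are really in place. The thumbprint is a labelled placeholder and the PFX path is the one from Step 8.

```powershell
# Added example (not code from the original post). Assumptions: the thumbprint is a
# placeholder you replace with the value from Get-ExchangeCertificate; the PFX path
# matches Step 8; the PFX is copied to the TMG server by a means of your choosing.

# ----- On the Exchange server (Exchange Management Shell), Step 8 -----
$thumbprint = 'PASTE-THUMBPRINT-FROM-GET-EXCHANGECERTIFICATE'   # placeholder
$pfxPath    = 'C:\certificates\export.pfx'
$pfxPass    = Read-Host -AsSecureString -Prompt 'PFX password'

Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true `
    -Path $pfxPath -Password $pfxPass

# ----- On the TMG server (PowerShell, run as administrator), Step 9 -----
$x509 = 'System.Security.Cryptography.X509Certificates'

# MachineKeySet puts the private key in the machine profile so the TMG service can use it;
# PersistKeySet keeps it after the script exits.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $pfxPath, $pfxPass, $flags

if (-not $cert.HasPrivateKey) {
    throw 'The PFX contains no private key; the web listener cannot terminate TLS with it.'
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -notlike '`*.*') {
    Write-Warning "Certificate CN is '$cn', not a wildcard; check you exported the right thumbprint."
}

# Items 7-9: import into LocalMachine\Personal.
$store = New-Object "$x509.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Item 11: the chain must build from the local stores. Revocation is skipped here because
# an edge server may not have outbound access for CRL/OCSP at this point in the change.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    foreach ($status in $chain.ChainStatus) { Write-Warning $status.StatusInformation }
    throw 'Chain does not build: install the intermediate and root certificates in their folders.'
}
# Print the chain so the intermediate and root are visible alongside the leaf.
foreach ($element in $chain.ChainElements) { $element.Certificate.Subject }
```

The two halves run on different machines; the export half is Exchange-only and the import half needs no Exchange cmdlets at all. A chain that fails to build here is exactly what a browser would later report as a certificate warning in Step 11.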
Step10: Replace Certificate in Web Listener
1. Click Start and open the Forefront Threat Management Gateway console. The Forefront TMG console starts.
2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
5. Select External Web Listener from the list, and then click Properties.
6. In External Web Listener Properties, click the Certificates tab.
7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.
9. To save changes and update the configuration, in the results pane, click Apply.
Step11: Test OWA from external and internal network
On a mobile phone (external network), open the browser, go to webmail.yourdomain.com.au and log in with your credentials.
Make sure no certificate warning appears in Internet Explorer.
Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
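A scripted version of this test, added here as an example and not part of the original post, connects to the web listener from whichever network you run it on and reports what the server actually presents: whether the chain validates, whether the wildcard name covers the host (a wildcard only matches one label, so *.yourdomain.com.au covers webmail.yourdomain.com.au but not a.b.yourdomain.com.au) and how many days remain. The hostname webmail.yourdomain.com.au is the placeholder from the step above; Test-WildcardMatch and Test-OwaCertificate are names chosen for this example.

```powershell
# Added example (not code from the original post). Assumptions: hostname and port are
# placeholders; run once from the internal network and once from outside.

function Test-WildcardMatch {
    param([string]$Pattern, [string]$HostName)
    # A wildcard replaces only the left-most label; every other label must match exactly.
    $p = $Pattern.ToLower().Split('.')
    $h = $HostName.ToLower().Split('.')
    if ($p.Count -lt 2 -or $p.Count -ne $h.Count) { return $false }
    if ($p[0] -ne '*' -and $p[0] -ne $h[0]) { return $false }
    for ($i = 1; $i -lt $p.Count; $i++) { if ($p[$i] -ne $h[$i]) { return $false } }
    return $true
}

function Test-OwaCertificate {
    param([string]$HostName = 'webmail.yourdomain.com.au', [int]$Port = 443)

    $script:policyErrors = $null
    # Accept the certificate inside the callback so it can be inspected, but record the
    # policy errors: these are what Internet Explorer would turn into a warning page.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Collect CN plus any DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.17') {
                # Format() yields "DNS Name=a.example, DNS Name=b.example"; keep the values.
                $names += ($ext.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
            }
        }
        $nameMatch = $false
        foreach ($n in $names) { if (Test-WildcardMatch -Pattern $n -HostName $HostName) { $nameMatch = $true } }

        New-Object PSObject -Property @{
            Host         = $HostName
            Subject      = $cert.Subject
            Names        = ($names -join ';')
            NameMatches  = $nameMatch
            PolicyErrors = $script:policyErrors.ToString()   # "None" is the only acceptable value
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint   = $cert.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-OwaCertificate | Format-List
```

Compare the Thumbprint field with the value enabled in Step 6: if the external run shows a different thumbprint from the internal one, the TMG listener (Step 10) is still serving the old certificate even though Exchange itself has been updated.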