Tip

How to add certificates to Exchange Server 2010

Exchange uses certificates to encrypt communication between Exchange servers, ActiveSync, OWA and Outlook Anywhere. By default, Exchange Server 2010 uses self-signed certificates for session encryption. However, Microsoft advises against self-signed certificates in production. Instead, it suggests admins acquire a permanent certificate and import it into Exchange 2010. This tip walks you through the process.

How to import a commercial certificate into Exchange 2010
Assuming that you’re using a valid certificate from a trusted certificate authority (CA), enter the MMC command at the Run prompt to begin importing a commercial certificate. This action logs you into an empty Microsoft Management Console. Select the Add/Remove Snap-In command from the File menu, choose the Certificates option from the list and then click Add.

NOTE: If you're using an enterprise or in-house CA, you may need to download a Certificate Authority certificate to manually establish trust.

Windows will ask if you want to manage certificates for your user account, a service account or a computer account. Choose the Computer Account option and click Finish. When prompted, instruct Windows to manage certificates for the local computer. Click Finish and then click OK.

In the next step, which imports the certificate, navigate to Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates. Right-click on the Certificates container and choose the All Tasks -> Import command (Figure 1).


Figure 1. Import a commercial certificate into Exchange 2010.

When the Certificate Import wizard appears, click Next to bypass the welcome screen. Click the Browse button and navigate to your certificate. You may have to change the file extension filter to PKCS #7 Certificates (*.spc, *.p7b) for it to work, as shown in Figure 2.


Figure 2. You may have to change the file extension filter so that it corresponds with the new certificate.

Once you've located your certificate, click Open and then Next. Select the Place All Certificates in the Following Store option and then click on the Intermediate Certification Authorities container (Figure 3). To complete the import process, click Next and Finish then close the console.


Figure 3. Make sure to place your commercial certificate in the Intermediate Certification Authorities container.

Next you’ll need to configure Exchange 2010 to use the certificate. Open the Exchange Management Console (EMC) and navigate to the Server Configuration container. Even though you can see your new certificate, it isn’t valid for Exchange services (Figure 4).


Figure 4. Your new certificate may not initially be valid for Exchange 2010 services.

To assign the certificate to Exchange 2010 services, click Assign Services to Certificate in the Actions pane. When the wizard opens, select your Exchange server, then click Next. On the next screen, choose the services you want to assign, click Next and then click Finish.
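The same import-and-assign procedure can be done from the Exchange Management Shell, which also lets you check the result before clients depend on it. This is an added example, not code from the article or from Microsoft; the file path, the PFX password prompt and the service list are assumptions for illustration.

```powershell
# Added example: import a CA-issued certificate (with its private key) from the
# Exchange Management Shell, assign Exchange services, then verify the result.
# 'C:\certs\mail-contoso.pfx' is a constructed placeholder path.
$certFile    = 'C:\certs\mail-contoso.pfx'
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# Import-ExchangeCertificate takes the raw file bytes via -FileData
$bytes = [Byte[]](Get-Content -Path $certFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword

# Sanity checks before binding the certificate to client-facing services:
# it must carry a private key, chain to a trusted CA, and not be about to expire.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($cert.Status -ne 'Valid')  { throw "Certificate status is '$($cert.Status)' (missing CA chain?)" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days' }

# IIS covers OWA, ActiveSync, Autodiscover and Outlook Anywhere; SMTP covers transport TLS.
# Enable-ExchangeCertificate prompts before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Confirm:$false

# Show what is bound now; any row with IsSelfSigned = True and Services assigned still needs attention
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, Status, IsSelfSigned, NotAfter |
    Format-Table -AutoSize
```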

How to import an in-house CA into Exchange 2010
The process for importing your own enterprise CA is a bit different. Open the EMC and navigate to the Server Configuration container. Click the New Exchange Certificate link.

In the wizard, name the certificate you're creating and click Next. The wizard will ask if you want to use wildcard certificates. Click Next to skip this screen and you’ll be asked how the certificate will be used. Use the arrows to expand all the services you want to use and enter the required information (Figure 5).


Figure 5. Select the Exchange 2010 services you plan to use with your new enterprise certificate.

Click Next to view a list of added domains. If everything checks out, click Next. The console will then prompt you to provide basic information about your Exchange organization’s geographic location. After clicking Next, you'll see a summary screen detailing the certificate request. Take a moment to review the information and then click New, followed by Finish.

Your certificate has been added to the list, but you're not finished. Open the certificate request file in Notepad and then copy the text to the clipboard.

Open Internet Explorer and navigate to your certificate enrollment site. Log into the site, click Request a Certificate and then click Advanced Certificate Request. Select Submit a Certificate Request by using a Base-64 encoded CMC or PKCS#10 File and then paste the contents of the certificate request file into the Saved Request field (Figure 6).


Figure 6. Paste the request info into the Saved Request field.

Make sure the Certificate Template option is set to Web Server and click Submit. Click Download Certificate and save it to the Exchange server’s hard drive.

Now you can configure Exchange 2010 to use the enterprise certificate. In the EMC, select the new certificate and click the Complete Pending Request link. Exchange 2010 will ask you to provide the path to the certificate. Next, click Complete and then click Finish to import your certificate. Finally, you can use the same process to assign Exchange services to the enterprise certificate as you used for commercial certificates.
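The request and completion steps above map onto two shell cmdlets. This is an added example, not code from the article or from Microsoft; the host names, organization, file paths and the assumption that the issued certificate is saved as exchange.cer are placeholders.

```powershell
# Added example: generate the certificate request from the Exchange Management Shell,
# then complete the pending request once the in-house CA has issued the certificate.
# Every name Exchange clients will connect to must appear in -DomainName (constructed names).
$names = 'mail.contoso.com', 'autodiscover.contoso.com', 'exch01.contoso.local'

$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($names[0]),O=Contoso,C=US" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# This Base64 PKCS#10 text is what gets pasted into the CA's Saved Request field
Set-Content -Path 'C:\certs\exchange.req' -Value $request

# --- after the CA issues the certificate and it is saved as C:\certs\exchange.cer ---
$issued = [Byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)
$cert   = Import-ExchangeCertificate -FileData $issued   # matches and completes the pending request

# If the issued cert did not match a pending request, there is no private key to use
if (-not $cert.HasPrivateKey) { throw 'Issued certificate did not match a pending request on this server' }

# Confirm the CA kept every requested name (some templates drop subject alternative names)
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate is missing names: $($missing -join ', ')" }

# Same assignment step as for a commercial certificate
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
```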

ABOUT THE AUTHOR:
Brien Posey is a seven-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

This was first published in June 2011
