Exchange uses certificates to encrypt communication between Exchange servers, ActiveSync, OWA and Outlook Anywhere. By default, Exchange Server 2010 uses self-signed certificates for session encryption. However, Microsoft advises against self-signed certificates in production. Instead, it suggests admins acquire a permanent certificate and import it into Exchange 2010. This tip walks you through the process.
How to import a commercial certificate into Exchange 2010
Assuming that you’re using a valid certificate from a trusted certificate authority (CA), enter the MMC command at the Run prompt to begin importing a commercial certificate. This action logs you into an empty Microsoft Management Console. Select the Add/Remove Snap-In command from the File menu, choose the Certificates option from the list and then click Add.
NOTE: If you're using an enterprise or in-house CA, you may need to download a Certificate Authority certificate to manually establish trust.
Windows will ask if you want to manage certificates for your user account, a service account or a computer account. Choose the Computer Account option and click Finish. When prompted, instruct Windows to manage certificates for the local computer. Click Finish and then click OK.
In the next step, which imports the certificate, navigate to Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates. Right-click on the Certificates container and choose the All Tasks -> Import command (Figure 1).
When the Certificate Import wizard appears, click Next to bypass the welcome screen. Click the Browse button and navigate to your certificate. You may have to change the file extension filter to PKCS #7 Certificates (*.spc, *.p7b) for it to work, as shown in Figure 2.
Once you've located your certificate, click Open and then Next. Select the Place All Certificates in the Following Store option and then click on the Intermediate Certification Authorities container (Figure 3). To complete the import process, click Next and Finish then close the console.
Next you’ll need to configure Exchange 2010 to use the certificate. Open the Exchange Management Console (EMC) and navigate to the Server Configuration container. Even though you can see your new certificate, it isn’t valid for Exchange services (Figure 4).
To assign the certificate Exchange 2010 services, click Assign Services to Certificate in the Actions pane. When the wizard opens, select your Exchange server, then click Next. On the next screen, choose the services you want to assign, click Next and then click Finish.
How to import an in-house CA into Exchange 2010
The process for importing your own enterprise CA is a bit different. Open the EMC and navigate to the Server Configuration container. Click the New Exchange Certificate link.
In the wizard, name the certificate you're creating and click Next . The wizard will ask if you want to use wildcard certificates. Click Next to skip this screen and you’ll be asked how the certificate will be used. Use the arrows to expand all the services you want to use and enter the required information (Figure 5).
Click Next to view a list of added domains. If everything checks out, click Next. The console will then prompt you to provide basic information about your Exchange organization’s geographic location. After clicking Next, you'll see a summary screen detailing the certificate request. Take a moment to review the information and then click New, followed by Finish.
Your certificate has been added to the list, but you're not finished. Open the certificate request file in Notepad and then copy the text to the clipboard.
Open Internet Explorer and navigate to your certificate enrollment site. Log into the site, click Request a Certificate and then click Advanced Certificate Request. Select Submit a Certificate Request by using a Base-64 encoded CMC or PKCS#10 File and then paste contents of the certificate request file into the Saved Request field (Figure 6).
Make sure the Certificate Template option is set to Web Server and click Submit. Click Download Certificate and save it to Exchange server’s hard drive.
Now you can configure Exchange 2010 to use the enterprise certificate. In the EMC, select the new certificate and click the Complete Pending Request link. Exchange 2010 will ask you to provide the path to the certificate. Next, click Complete and then click Finish to import your certificate. Finally, you can use the same process to assign Exchange services to the enterprise certificate as you used for commercial certificates.
ABOUT THE AUTHOR:
Brien Posey is a seven-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.