How to set up an SSL certificate to encrypt OWA and ActiveSync traffic

Learn step-by-step how to set up Windows 2003 as a certificate authority, create an SSL certificate and encrypt email traffic for OWA and Exchange ActiveSync.


Outlook Web Access (OWA) and Exchange ActiveSync email traffic encryption is not enabled by default. It requires an SSL security certificate on your OWA server, which is not included natively in Microsoft Exchange. In this tip, I explain step-by-step how to set up Windows Server 2003 as an enterprise certificate authority, create an SSL certificate and configure it to encrypt email traffic for OWA, ActiveSync and Windows Mobile devices.

Creating an enterprise certificate authority on Windows Server 2003

SSL certificates from third-party certificate authorities like VeriSign and Thawte are generally considered better, because they are almost universally recognized. Even so, third-party SSL certificates can be expensive, so some administrators prefer to create their own free SSL certificates in-house.

To generate your own security certificate, you need an enterprise certificate authority. Windows Server 2003 can be configured to act as an enterprise certificate authority, but you need to make extra sure that the server you use for it remains secure. And don't ever configure your Exchange Server to be the certificate authority.

The SSL certificate configuration process is simple, but realize that creating an enterprise certificate authority is a big deal. If someone manages to compromise your certificate authority, they can impersonate your organization. Also, you should use a dedicated server and routinely perform full backups of your certificate authority.

To configure Windows Server 2003 to act as an enterprise certificate authority:

  1. Open the Windows server's Control Panel and select Add/Remove Programs.
  2. Click on the Add/Remove Windows Components button. After a brief delay, Windows will launch the Windows Components Wizard.
  3. Select the checkbox next to the Certificate Services option.
  4. You will see a warning message telling you that the server cannot be renamed or joined to a different domain. Click Yes to acknowledge the message and then click Next.
  5. You will now see a screen asking you what type of certificate authority you want to create. Choose the Enterprise Root CA option and click Next.
  6. Enter a name for the CA. I usually just use the server's name as the CA name. Certificates generated by the server have a five-year validity period by default. If you want, you have the option of changing the validity period on this screen as well.
  7. Click Next, and you will be prompted to enter a path for the certificate database and for the database logs. Just go with the defaults and click Next.
  8. At this point, you may see a message indicating that Windows Server temporarily needs to stop IIS. Click Yes to continue, and Windows will install the certificate services. You may be prompted to insert your Windows installation CD during the installation process.
  9. When the installation process completes, click Finish.

Requesting an SSL certificate

Now you need to associate a certificate with your client access server:

  1. Begin the process by opening the Internet Information Services (IIS) Manager console on your client access server. You can find a shortcut to the IIS manager on the server's Administrative Tools menu.
  2. Navigate through the console tree to your server ->Web Sites -> Default Web Site.
  3. Right click on the Default Web Site container and select Properties to view the Default Web Site's properties sheet.
  4. Select the Directory Security tab, and click the Server Certificates button to launch the Web Server Certificate Wizard.
  5. Click Next to bypass the wizard's Welcome screen.
  6. Choose the Create a New Certificate option and click Next.
  7. You will now be taken to the wizard's Delayed or Immediate Request screen. Choose the option to send the request immediately and click Next.
  8. Enter a name for the certificate. The default name is Default Web Site, but I recommend changing this name to reflect your company's name. Click Next.
  9. Enter your company's name and organizational unit and click Next again.
  10. Verify the server's common name. In most cases, you will have to enter the server's fully qualified domain name (FQDN). Click Next.
  11. Supply the server's city, state, and country and click Next.
  12. Verify that the SSL port is set to 443.
  13. Click Next and select your certificate authority from the dropdown list.
  14. Click Next two more times, and you should see a message indicating that the certificate has been installed.
  15. Click Finish to close the wizard.

Setting up SSL encryption on OWA and Exchange ActiveSync

Even if your client access server has an SSL certificate installed, SSL encryption is not automatically a requirement for OWA and Exchange ActiveSync traffic. You can, however, force OWA and ActiveSync to require SSL encryption:

  1. Open the Internet Information Services (IIS) Manager console on your client access server.
  2. Navigate through the console tree to your server -> Web Sites -> Default Web Site.
  3. Right click on the Default Web Site container and select Properties to view the Default Web Site's properties sheet.
  4. Go to the Directory Security tab.
  5. Find the Secure Communications section and click the Edit button.
  6. Select the Require Secure Channel (SSL) checkbox, and then select the Require 128 Bit Encryption checkbox.
  7. Click OK twice.

OWA and Exchange ActiveSync are now configured to require SSL encryption.

Configuring Windows Mobile devices to trust a certificate

Whether you decide to use a third-party or in-house SSL certificate, your Windows Mobile devices must be configured to trust the SSL certificate. Otherwise, Exchange ActiveSync will generate the following error message on the mobile device:

The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.

Configuring a desktop or laptop to trust the SSL certificate is simple. You just add the enterprise root certificate authority that generated the certificate to the machine's Trusted Root Certificate Authority group. In some cases, you may not even have to do that. Windows automatically trusts many third-party certificate authorities.

Windows Mobile handles things differently. If you want your Windows Mobile devices to trust the security certificate, you have to export the enterprise root certificate to a .CER file. You must then copy this file to the mobile device and import it.

To export the SSL certificate:

  1. Go to your client access server and open the Internet Information Services (IIS) Manager.
  2. Navigate through the console tree to your server -> Web Sites -> Default Web Site.
  3. Right click on the Default Web Site container and select Properties to display the Default Web Site properties sheet.
  4. Navigate to the Directory Security tab, click the View Certificate button, and then choose the Certificate Path tab.
  5. Select your root certificate from the list and click the View Certificate button.
  6. Windows will now display the security certificate within a properties sheet. Select the Details tab and then click the Copy to File button to launch the Certificate Export wizard.
  7. Click Next to bypass the wizard's Welcome screen.
  8. On this screen, there are two different file format export options that will produce a .CER file. Choose the DER encoded binary X.509 (.CER) option and click Next.
  9. Enter a filename for the SSL certificate that you are exporting. You can call the certificate file anything you want, but I recommend using a name that is descriptive of the certificate's purpose or origin.
  10. Click Finish to complete the wizard.

Now that you have exported the SSL certificate, you must copy it to the Windows Mobile device. If the mobile device is cradled, you can just use Windows Explorer to drag and drop the .CER file that you created.

If cradling the device isn't an option, place the file onto a memory card, and then put the card into the device. Depending on how the devices are configured, you might even be able to email the file.

Once you have copied the file to the Windows Mobile device:

  1. Click on the .CER file.
  2. Windows Mobile will present you with a warning message indicating that you are about to install a certificate. Click Yes to continue the operation and install the certificate.

The Windows Mobile device should now trust your SSL security certificate.
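Because the exported .CER file may travel to the device by memory card or email, it is worth confirming that the copy you are about to trust is byte-for-byte the root certificate the CA exported, and, once the device trusts it, that the client access server really presents a chain to that root under the FQDN you entered as the common name and really refuses plain HTTP. The following Python script is an added example, not code from the tip or from Microsoft: it reads a .CER in either of the two formats the Certificate Export Wizard offers, prints the SHA-1 thumbprint in the same colon-separated form the certificate properties sheet's Details tab shows so the two can be compared, and can optionally probe an OWA host. The OWA path `/exchange/`, the host name and the file name are assumptions; the embedded sample DER blob is constructed for illustration and is not a real certificate.

```python
"""Checks for an in-house root CA certificate exported as a .CER file.

Added example (not part of the original tip). Usage from a workstation:
    python check_root_cer.py root.cer                 # thumbprint only
    python check_root_cer.py root.cer owa.example.com # also probe the server
"""
import base64
import hashlib
import http.client
import re
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def load_cer(data: bytes) -> bytes:
    """Return the raw DER bytes of a .CER file.

    The wizard's "DER encoded binary X.509" option writes DER directly (first
    byte 0x30, the ASN.1 SEQUENCE tag); its "Base64 encoded X.509" option
    wraps the same bytes in PEM armour. Both are accepted here.
    """
    if data.startswith(PEM_HEADER):
        body = data[len(PEM_HEADER):data.index(PEM_FOOTER)]
        return base64.b64decode(b"".join(body.split()))
    if data[:1] == b"\x30":
        return data
    raise ValueError("not a DER or Base64 encoded X.509 file")


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of the DER bytes, formatted like the Windows
    certificate dialog (upper-case hex, colon separated)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprints_match(shown: str, expected: str) -> bool:
    """Compare a thumbprint copied off a screen with the computed one,
    ignoring separators and case so transcription style does not matter."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-fA-F]", "", s).upper()
    return len(norm(expected)) == 40 and norm(shown) == norm(expected)


def probe_owa(host: str, root_der: bytes, path: str = "/exchange/") -> dict:
    """Network check, only run when a host is given on the command line.

    TLS on 443 must verify against the exported in-house root alone (no
    system trust store) with the host name matching the certificate, which
    is exactly what a Windows Mobile device will demand. A plain HTTP
    request on 80 to the OWA path must be refused; IIS answers 403 once
    Require Secure Channel (SSL) is set. The path is an assumption.
    """
    result = {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=root_der)    # cadata accepts DER bytes
    secure = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    secure.request("GET", path)
    result["https_status"] = secure.getresponse().status  # 401 is normal (auth)
    secure.close()

    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", path)
    result["http_status"] = plain.getresponse().status
    plain.close()
    result["ssl_required"] = result["http_status"] == 403
    return result


# Constructed sample: an ASN.1 SEQUENCE holding INTEGER 1. It exercises the
# format handling above but is NOT a certificate and cannot be used with
# probe_owa(); substitute the real exported root.cer.
CONSTRUCTED_DER = b"\x30\x03\x02\x01\x01"
CONSTRUCTED_PEM = (PEM_HEADER + b"\n" + base64.b64encode(CONSTRUCTED_DER)
                   + b"\n" + PEM_FOOTER + b"\n")


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        root = load_cer(fh.read())
    print("Root CA thumbprint:", thumbprint(root))
    if len(sys.argv) > 2:
        print(probe_owa(sys.argv[2], root))
```

Compare the printed thumbprint with the one shown on the Details tab of the root certificate's properties sheet on the CA before installing the copied file on the device. If the probe's `https_status` comes back with a verification error instead of a number, the server's common name does not match the FQDN you connected to or the chain does not end at the exported root; if `ssl_required` is false, the Require Secure Channel setting did not take effect on that virtual directory.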

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.

MEMBER FEEDBACK TO THIS EMAIL ENCRYPTION TIP

I went through all the steps that you described for installing an SSL security certificate on my Windows Mobile device, but then I got the same error message that you mention in your article. I am using a certificate from Go Daddy, and it works fine via the Web. Are there any other causes for this issue?
—Tony C.

******************************************

I don't know of any other causes, but that's not to say that there aren't any. You may want to do a Web search on the error message, or contact Go Daddy and see if they have any advice. I wish I could be of more help, but I just don't know anything else to tell you.
—Brien Posey, tip author


This was first published in September 2007
