Category published:  Exchange 2010 Exchange 2013   Click on the Category button to get more articles regarding that product.

Generate SAN/UC SSL Certificate on Exchange 2010

Posted by admin on 03.01.2015

The command for generating SAN SSL certificates is slightly different than under Exchange 2007.

The customer has:

a) An internet site or external DNS name such as customer.ch, e.g. www.customer.ch or ftp.customer.ch

b) An Active Directory site called customer.local

You have to know whether the customer wants:

1) ActiveSync for handhelds, iPad, iPhone and other mobiles from outside (Internet) [webmail.customer.ch]

2) Webmail/OWA from outside (Internet) [webmail.customer.ch]

3) Webmail/OWA from inside (Intranet) [exchange.customer.local (Active Directory FQDN)]

4) Autodiscover from outside [autodiscover.customer.ch] and/or 5) inside [autodiscover.customer.local] (Autodiscover means you enter the e-mail address and Outlook finds the Exchange server and its settings automatically via DNS entries)

Then you need to buy a SAN (Subject Alternative Name) certificate, also called a UC certificate (around EUR 200.- to 250.- for 3 names in Germany; additional names around EUR 20.- to 30.- per year).


Here is how to generate a SAN request on Exchange 2010 for 3 domains (SAN = 3 domains):

webmail.customer.ch (will be used for ActiveSync and webmail from the Internet)

autodiscover.customer.local (Outlook 2007/2010)

exchange.customer.local (Outlook 2007/2010 and webmail from the intranet)

In this example I know that the customer will not use "Outlook Anywhere" (Outlook.exe on the road); if that were the case you would need an additional name such as autodiscover.customer.ch.

Create a variable $data and put the text of the certificate request into it with:

$data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, S=BL, L=Basel, o=CUSTOMER AG, cn=webmail.customer.ch" -DomainName autodiscover.customer.local, exchange.customer.local -PrivateKeyExportable:$True

The first name is listed under cn=, the other two after -DomainName. Afterwards, type this command to check that all names are correct:

Get-ExchangeCertificate | fl

Write the content of the variable $data to a file called c:\customer_ch.req (name it whatever you want):

Set-Content -Path c:\customer_ch.req -Value $data

At this point you have the certificate request, which you can send to Comodo, Thawte or your ISP, or submit via a web form.

Next, you will have to prove that the company is who it claims to be. Send a driver's licence, business report, telephone bill, etc.

You will get some files back after a few hours or days. One of them is the certificate (example: 10996389.crt).

The thumbprint of the certificate (the identifier the enable step needs) you can get with:

Get-ExchangeCertificate | fl

Example: C582FB58CFD7932681DFBB0E68B6942435CBEECD

Here is how to import the certificate you got back from the CA or ISP into Exchange 2010:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\10996389.crt -Encoding byte -ReadCount 0))

Here is how to activate the certificate for the services IIS (HTTPS/web), POP3 and IMAP:

Enable-ExchangeCertificate -Identity C582FB58CFD7932681DFBB0E68B6942435CBEECD -Services "IIS, POP, IMAP"
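Before enabling, it is worth checking that the certificate that came back really covers every name from the plan above, has its private key on this server and chains to a trusted CA; a name missing from the SAN list shows up later as certificate warnings in Outlook, OWA or ActiveSync. The following is an added example, not part of the original post; it runs in the Exchange Management Shell and uses the thumbprint and names from this post (the function name Test-ExchangeSanCertificate is my own).

```powershell
# Added example (not from the original post): verify the imported certificate
# covers every planned name and is valid before enabling it for IIS/POP/IMAP.
# Run in the Exchange Management Shell on the Client Access server.
$Thumbprint = 'C582FB58CFD7932681DFBB0E68B6942435CBEECD'   # value from the post
$ExpectedNames = @(
    'webmail.customer.ch',          # ActiveSync + OWA from the Internet
    'autodiscover.customer.local',  # Autodiscover inside
    'exchange.customer.local'       # OWA inside (AD FQDN)
)

function Test-ExchangeSanCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string[]]$ExpectedNames,
        [int]$MinDaysValid = 30
    )
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    $problems = @()

    # Every planned name must appear in the SAN list (CertificateDomains),
    # otherwise clients connecting to that name get a name-mismatch warning.
    $sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    foreach ($name in $ExpectedNames) {
        if ($sans -notcontains $name.ToLower()) { $problems += "missing SAN: $name" }
    }
    # Without the private key the certificate cannot terminate TLS at all.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key on this server' }

    # The self-signed certificate Exchange created at setup is what we are replacing.
    if ($cert.IsSelfSigned) { $problems += 'certificate is self-signed' }

    # Status reflects chain trust and revocation (Valid, Untrusted, Revoked, ...).
    if ($cert.Status -ne 'Valid') { $problems += "status is $($cert.Status)" }

    # Flag a short remaining lifetime so renewal does not turn into an outage.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $MinDaysValid) { $problems += "expires in $daysLeft days" }

    if ($problems.Count -eq 0) {
        Write-Output "OK: $Thumbprint covers $($ExpectedNames -join ', ')"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Only bind the certificate to the services once all checks pass.
if (Test-ExchangeSanCertificate -Thumbprint $Thumbprint -ExpectedNames $ExpectedNames) {
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "IIS, POP, IMAP"
}
```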
