Ed McKinzie's Technical Repository

Needless to say, Microsoft’s approach at administering certificates in Exchange 2007 (OWA, IMAP,POP and SMTP) is very taxing and cumbersome at best.  All certificates are requested and implemented with Exchange PowerShell cmdlets.  This is completely different than Exchange 2003 and the IIS model.  Here are the steps I performed to request a new certificate using Subject Alternate Names (SANs).   Note I am running this against a stand-alone Exchange 2007 server that has all roles.  If you split your roles, this needs to be performed on the Client Access Servers (CAS)

1.) We first need to request the certificate from the Exchange 2007 server using Exchange PowerShell.   It must be ran with elevated “administrator” rights.   Issue a command similar to: (Note I have a multi-domain Forest)

New-ExchangeCertificate -GenerateRequest -SubjectName "DC=edu, DC=yale, CN=yale-dc01.yale.edu" -DomainName yale-dc01, yale.edu, yale-dc01.yale.edu, webmail.yale.edu, pop.yale.edu, imap.yale.edu, webmail.berkeley.edu, pop.berkeley.edu, imap.berkeley.edu, autodiscover.yale.edu, autodiscover.berkeley.edu, owa -FriendlyName "webmail.yale.edu" -PrivateKeyExportable $True -Force -Path c:\certs\SANCERT.req -KeySize 1024

Notice we are passing a path and certificate request file name in the command.  (C:\Certs\SANCERT.req)  We must open that request file in Notepad and then submit that request against your internal Certificate Authority, or an external root CA, such as VeriSign.  To do so, go to your CA URL request page i.e., https://CASERVER.Domain.com/certsrv/  (Request a Certificate –> Advanced Certificate Request –> Submit a Certificate Request.  Paste the SANCERT.req contents in the Saved Request form.  Include the entire contents, including the Begin and End lines.  Select “WEB SERVER” as the certificate template.

After the request, download the certificate and place it in a folder named C:\Certs.  Name it Webmail_certnew.cer.  You must now go back to Exchange PowerShell (with elevated admin rights) and issue the following command to import the new certificate.

Import-ExchangeCertificate -Path c:\certs\Webmail_certnew.cer -friendlyname "yale-dc01.yale.edu" | Enable-ExchangeCertificate -services "pop,imap,iis"

This command imports the new certificate into Exchange.  But we are not done just yet, as we now need to Enable the new certificate.

From Exchange PowerShell, issue this command: Get-ExchangeCertificate. This will dump all of the Exchange certificates along with their thumbprint and services affected.

Services listed as IP.W. stands for IMAP, POP and Web (or Webmail\OWA)…..IP..S. is for SMTP.  Highlight and copy the thumbprint that is bound to IP.W.

Issue this command:

Enable-ExchangeCertificate -thumbprint 0F606C7EE44528857C22AFD2862952E37A997D8E -services "pop,imap,iis"

From here you should be able to hit your Exchange 2007 CAS (OWA) server as expected.  Such as https://CASSERVER.domain.com/owa.  Take a look at the new certificate and its chain…..note the Subject Alternate Names.

If you need to put a proxy out in front of your Exchange environment, such as ISA 2006 (With SP1) or TMG, you can export this certificate with the private key.  I will put together another ISA\Exchange Publishing document sometime soon.

Best of luck!