Create Exchange Certificate
Hi! I still have a problem with this issue (the certificate authentication). In my organization I use the Certificate Authentication from the Domain Controller: Start --> Control Panel --> Add/Remove Programs --> Add/Remove Windows Components --> Certificate Services. Step 1: I open IIS under Mydomain --> Web Sites --> right-click on Default Web Site --> Properties --> Directory Security --> click on Server Certificate --> Assign new certificate, and then I got a new file named Cert.txt, which stores the information of my new certificate. Then I log in to my primary domain at http://mydomain/certsrv --> Request Certificate --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. --> paste the information from my Cert.txt into Saved Request --> Submit. But it does not work for this case. I hope that you will give me some way to find the solution for this problem, and does it work with Windows CA or not?
June 30th, 2011 10:11pm

What version of Exchange?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 30th, 2011 10:34pm

The way you have mentioned is not the correct way to generate a certificate for Exchange; it's for a web service. You must use SAN (Subject Alternative Name) when generating it. As Ed said, please let us know which Exchange version you are talking about here. If you are talking about Exchange 2007, then follow the article below to generate a new certificate for Exchange. Renewal and new creation of a certificate for Exchange follow the same procedure. http://messagingschool.wordpress.com/2011/03/31/renew-certificates-in-exchange-2007-hub-cas/
Anil MCC 2011, ITIL V3, MCSA 2003, MCTS 2010, My Blog: http://messagingschool.wordpress.com
June 30th, 2011 11:21pm

Hi, thanks for your good answer and for giving me a link. I am currently using Exchange 2007, and the steps in your link are good for me to create a new certificate for Exchange, but I still don't understand this point, after I create the new certrequest.txt: "3. Generate certificate in PKI CA console. Now, you need to login your internal PKI CA console and generate certificate using request file “certrequest.txt”. Generate certificate and save it. Note: There should not be left spaces when paste content into console." Can you give me details about this step?
July 4th, 2011 3:31am

Do you have your own internal certificate authority? If so, then you follow the steps you described in your original post: "i login to my Primary domain by http://mydomain/certsrv --> Request Certificate --> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. --> paste the information from my Cert.txt on Saved request --> submit"
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 4th, 2011 8:37pm

Hi, thanks for this. I still have one problem with enabling the certificate for IIS, SMTP, POP3, and IMAP. I have imported the certificate successfully, but it is still not enabled. I use the following command: Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP -Thumbprint Is this the correct command or not? Please help me with this case, because it does not work in my EMS, and the error message is: Enable-ExchangeCertificate : Missing an argument for parameter 'Thumbprint'. Specify a parameter of type 'System.String' and try again. Thanks for your support.
July 4th, 2011 9:16pm

Run: Get-ExchangeCertificate From the list, copy the thumbprint from the appropriate certificate and put it after the -Thumbprint property: Enable-ExchangeCertificate -Services IIS,SMTP,IMAP,POP -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 5th, 2011 11:53pm
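The request, issue, import and enable sequence discussed in this thread, as an added example for the Exchange 2007 Management Shell; it is not part of the original posts. The host names, file paths, the CA config string and the WebServer template name are assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread). Every name below is an assumed placeholder.
$reqPath  = 'C:\certrequest.txt'
$cerPath  = 'C:\certnew.cer'
$caConfig = 'CA01.example.local\Example-Issuing-CA'   # assumed "host\CA name"
$names    = 'mail.example.com', 'autodiscover.example.com', 'EXCH01.example.local'

# 1. Create the PKCS #10 request on the Exchange server itself, listing every
#    name clients connect to as a subject alternative name (SAN). A request
#    made in the IIS wizard carries only one name.
New-ExchangeCertificate -GenerateRequest -Path $reqPath `
    -SubjectName 'c=US, o=Example, cn=mail.example.com' `
    -DomainName $names -PrivateKeyExportable $true

# 2. Submit the request to the internal Windows CA. This is the command-line
#    equivalent of pasting the file into the certsrv "Saved Request" box.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Import the issued certificate on the same server that created the
#    request, so it is paired with the pending private key.
$cert = Import-ExchangeCertificate -Path $cerPath

# 4. Review what was issued before putting it into service.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned
if (-not $cert.Thumbprint)           { throw 'Import returned no certificate.' }
if ($cert.IsSelfSigned)              { throw 'Certificate is self-signed, not CA-issued.' }
if ($cert.NotAfter -lt (Get-Date))   { throw 'Certificate has already expired.' }

# 5. Enable it by thumbprint. Passing the value from the imported object
#    avoids the "Missing an argument for parameter 'Thumbprint'" error.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,IMAP,POP'

# 6. Confirm which certificate each service is now bound to.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
```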

Hi! Thanks for your answer. Now I can install the certificate on the Exchange 2007 server for IIS, SMTP, IMAP, and POP, but I still have one problem related to OWA. My clients are using the Internet to access their mailboxes by OWA, but they still get the untrusted certificate. So how can I deploy the certificate to encrypt users' access by OWA? And how can we auto-deploy the CA encrypted when they log in to my mail server?
July 6th, 2011 12:31am

When you run Get-ExchangeCertificate, what do you see? Do you have any web publishing device like an ISA or TMG server between the Internet and your Exchange server?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 12:38am

Hi! Yes, I have a firewall between the Internet and my Exchange server. So what should I do with my firewall?
July 6th, 2011 2:23am

If the firewall just passes through the traffic, you don't need to do anything. If your firewall acts as a reverse proxy, then it needs to have your public certificate installed.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 11:04am

Hi! So how do I install the public certificate if my firewall is hardware like Cisco or Fortigate? Please give me some idea about that. Another way I tried was to export the certificate from my CA as CA.p7b and then import it into Internet Explorer under the Trusted Root Certification Authorities of the client's computer. Then my client can connect by OWA over the Internet with an encrypted connection to the server. But I don't want to import the CA for everyone over the Internet; that's why I want to find some solution for this... Thanks in advance.
July 6th, 2011 9:16pm

You would have to consult a Cisco or Fortigate forum, if you really need to do that. You only need that if you are doing reverse proxy, a.k.a. web publishing, on a device like that in your DMZ. You might want to obtain a certificate from a public authority like Go Daddy (whom I've found to be the cheapest and their certs work fine) and use that instead of your internal certificate. You can have only one certificate on most Exchange services.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 6th, 2011 10:49pm

This topic is archived. No further replies will be accepted.
