SSL Certificate Question
We purchased a standard SSL certificate (not UCC or Wildcard) for our Exchange server so users can access OWA remotely. An issue occurs because the name on the certificate is the public name and not the private name. When users open Outlook locally they get security warnings that the name on the certificate is invalid. When users connect via OWA it's fine because they use the public name.
My question is: can I create a self-signed certificate for all services except OWA and have multiple SSL certificates set up on the server? Is this the best route to take? How can I accomplish this?
Also, when I run get-certificate I see three listings. How do I know which of these is being used, and how (and should) I remove the unused certificates listed?
June 5th, 2008 4:51pm
Hi,
You can use your Certification Authority to issue a certificate for your local use. You can deploy a separate certificate for each service.
Besides, in Exchange 2007, the self-signed certificate is created by the computer that is running Microsoft Exchange by using the underlying Windows Certificate API (CAPI). Because the certificates are self-signed, the resulting certificates are generally less trustworthy than certificates that are generated by a CA. Therefore, we recommend that you use self-signed certificates only for the following internal scenarios:
SMTP sessions between Hub Transport servers: A certificate is used only for encryption of the SMTP session. Authentication is provided by the Kerberos protocol.
SMTP sessions between Hub Transport servers and an Edge Transport server: A certificate is used for encryption of the SMTP session and for direct trust authentication.
EdgeSync synchronization between Edge Transport servers and Active Directory: A certificate is used to encrypt the LDAP communication session between the ADAM instance on the Edge Transport servers and the internal Active Directory servers after the Microsoft Exchange EdgeSync service has replicated data from Active Directory to the ADAM instance on the Edge Transport server.
Unified Messaging communication: A certificate is used for encrypting Session Initiation Protocol (SIP) and Realtime Transport Protocol (RTP) traffic between UM servers and UM IP gateways, IP Private Branch eXchanges (PBXs), and computers that are running Office Communications Server 2007. The certificate is also used for encrypting SMTP traffic when voice mail or fax messages are submitted from UM servers to Hub Transport servers.
A Client Access server that is accessed only by internal clients.
You can use the command "Enable-ExchangeCertificate -Thumbprint <String> -Services <None | IMAP | POP | UM | IIS | SMTP> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]" to enable a certificate for each service.
You can use "Get-ExchangeCertificate | fl" to see the details of each certificate, especially the Services item.
If you do want to remove the unused certificate, then you can use "Remove-ExchangeCertificate" to remove an existing certificate from the local certificate store.
Also, you can run "MMC" from a command prompt and navigate to File > Add/Remove Snap-in > Add > Certificates > Computer Account > Next > Finish to open the Certificates console, then find the certificate that you do not want to use and delete it.
More information to share with you:
Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
Get-ExchangeCertificate
http://technet.microsoft.com/en-us/library/bb124950(EXCHG.80).aspx
Support WebCast: How to Use Certificate Authority for Authentication
http://support.microsoft.com/kb/324697
Hope it helps.
Xiu
June 10th, 2008 6:00am
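The procedure the answer above describes, as an added Exchange Management Shell example (editor's code, not posted by either participant): inventory the certificates and their Services bindings, bind the purchased certificate to IIS only, issue a self-signed certificate for the internal name and bind it to SMTP, then list the unused ones before removing them. The hostnames mail.example.com and exch01.corp.local, the friendly name, and the assumption that New-ExchangeCertificate returns the certificate it creates are placeholders/assumptions for this example; the parameter names are those of the Exchange 2007 cmdlets, so confirm them with Get-Help <cmdlet> -Full on your own server before running anything.

```powershell
# Added example (editor's, not from the original thread). Exchange 2007 Management Shell.
# Hostnames, the friendly name and the selection rule in step 2 are assumptions.

# 1. Inventory. The Services column shows what each certificate is bound to;
#    "None" means nothing in Exchange is using it.
Get-ExchangeCertificate |
    Format-List Thumbprint, FriendlyName, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Pick the CA-issued certificate by the public OWA name it carries (assumed name)
#    and bind it to IIS only. Enable-ExchangeCertificate -Services IIS replaces the
#    existing HTTPS binding, so exactly one certificate serves OWA at a time.
$public = Get-ExchangeCertificate | Where-Object {
    (-not $_.IsSelfSigned) -and
    (@($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains 'mail.example.com')
}
if (-not $public) { throw 'CA-issued certificate for mail.example.com not found in the local store' }
Enable-ExchangeCertificate -Thumbprint $public.Thumbprint -Services IIS

# 3. Create a self-signed certificate for the internal FQDN and NetBIOS name and
#    use it for SMTP (add POP/IMAP to -Services only if those are published internally).
#    Assumption: the cmdlet emits the new certificate object, so its thumbprint is known.
$internal = New-ExchangeCertificate -SubjectName 'CN=exch01.corp.local' `
    -DomainName 'exch01.corp.local', 'exch01' `
    -FriendlyName 'Internal self-signed (SMTP)' `
    -Services SMTP

# 4. Verify the rebinding before deleting anything.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, CertificateDomains -AutoSize

# 5. Remove only certificates that no service is bound to. Dry run with -WhatIf first;
#    rerun without it (and with -Confirm) once the list is what you expect.
#    Never remove a certificate whose Services is anything other than None.
$unused = Get-ExchangeCertificate | Where-Object {
    ($_.Services -eq 'None') -and ($_.Thumbprint -ne $internal.Thumbprint)
}
$unused | ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -WhatIf }
```

One caveat worth checking before relying on this: the warning Outlook shows on the LAN comes from the HTTPS name it connects to for Autodiscover and Exchange Web Services, which is served by IIS under whatever certificate step 2 binds there. A separate self-signed certificate on SMTP does not change what Outlook sees over HTTPS, so after rebinding, compare the names Outlook is directed to (the InternalUrl values on the Client Access virtual directories) with the names in the IIS-bound certificate, and expect the warning to persist until those agree.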