MS Exchange Server 2010 Configuration
The List of Certificates
The Exchange Management Console 2010 contains the list of the certificates. It can be found in the tree in the left pane under Server Configuration.
In the bottom middle pane there is the list of the installed certificates. This list has the following columns:
- A certificate icon representing its basic status (valid or expired)
- Name of the certificate (its friendly name); this name is used only within the Exchange server and is not part of the certificate itself.
- Whether or not the certificate is self-signed. There is one such certificate, issued by the Exchange server installer, so that the server can work temporarily.
- Status - a brief description of the certificate (valid, expired, ...)
- Services - the list of services assigned to the certificate:
  * SMTP - e-mail transfer server-to-server
  * POP - e-mail transfer to e-mail clients (Outlook, however, uses another, native connection)
  * IMAP - client access service, displaying folders
  * IIS - web server; to install the certificate there is no need to use the IIS manager
- Subject of the certificate (in the LDAP format: CN, OU, O, L, S, C)
- Issuer of the certificate (CA name, domain, LDAP format)
- Certificate expiry date
If you click the certificate's line, the list of actions appears in the bottom right pane. You may apply these actions to the certificate: export, assign services, renew, delete, open. For the certificate to be valid, the root certificate(s) of the CA concerned must be installed in the server's operating system; they are managed with mmc / Certificates.msc.
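The same list can be produced from the Exchange Management Shell, which is handy for spotting an expiring certificate or a self-signed installer certificate that still carries services. The script below is an added example, not part of the original page; it assumes an Exchange 2010 Management Shell session, and the root CA name and the 30-day warning threshold are constructed placeholders.

```powershell
# Added example (not from the original page): inventory Exchange 2010 certificates
# from the Exchange Management Shell and flag the states the console icon conveys.
# Assumes the Exchange 2010 snap-in is loaded (run in the Exchange Management Shell).

$WarnDays = 30           # constructed threshold: warn this many days before expiry
$now      = Get-Date

# Get-ExchangeCertificate returns the objects the console lists; Services is the
# same set the console shows in its "Services" column.
Get-ExchangeCertificate | ForEach-Object {
    $cert     = $_
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays

    # Reproduce the console's basic status (valid / expired), plus an early warning.
    $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { "EXPIRES IN $daysLeft DAYS" }
             else { 'valid' }

    # A self-signed certificate still bound to services means the installer's
    # temporary certificate was never replaced by a CA-issued one.
    $note = ''
    if ($cert.IsSelfSigned -and "$($cert.Services)" -ne 'None') {
        $note = 'self-signed certificate still bound to services'
    }

    [pscustomobject]@{
        FriendlyName = $cert.FriendlyName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = $cert.IsSelfSigned
        Services     = $cert.Services
        Status       = $cert.Status
        NotAfter     = $cert.NotAfter
        State        = $state
        Thumbprint   = $cert.Thumbprint
        Note         = $note
    }
} | Sort-Object NotAfter | Format-Table FriendlyName, SelfSigned, Services, State, NotAfter, Note -AutoSize

# The chain requirement described above (the CA's root certificate present in the
# machine store), checked from the shell instead of mmc. Placeholder: put the
# issuer's CN as shown in the Issuer column.
$rootCn = 'CN=<ROOT CA NAME PLACEHOLDER>'
$root   = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$rootCn*" }
if (-not $root) {
    Write-Warning "Root certificate '$rootCn' is not in LocalMachine\Root; a server certificate issued by that CA will show as Untrusted."
}
```

The `Status` property reported here is the same value the console's Status column shows, so `Untrusted` on a freshly imported certificate almost always means the root (or intermediate) certificate is missing from the machine store rather than a problem with the certificate itself.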
Creating a CSR
If the certificates are displayed in the Exchange Server Manager, the "New Exchange Certificate..." and "Import Exchange Certificate..." actions are visible in the right pane. "New Exchange Certificate..." runs a wizard that lets you name the certificate, enter information about the Exchange server and finally generate the CSR. The wizard is designed very thoroughly; among other things, it allows you:
- to create a CSR for a group of domains sharing the same base domain (for example, a certificate for 'contoso.com' that is also valid for 'headq.contoso.com' and other '*.contoso.com' names),
- to add the DNS FQDNs used for native Outlook access, Autodiscover, mobile devices (ActiveSync), IMAP4, POP3, Outlook Anywhere, ...,
- to include in the CSR, as subject alternative names (SAN), the e-mail domains accepted by this Exchange server; the accepted domain list is in the 'Exchange Management Console' - 'Organization Configuration' - 'Hub Transport', 'Accepted Domains' tab,
- to add further SAN entries manually in the wizard,
- to enter the mandatory information about your server, as usual.
Finally, let the wizard save the CSR to a file and submit its contents to CAcert; a server certificate will be issued. The private key remains on the Exchange server, so far without a certificate (only the CSR exists there), so the next time you open this Exchange Server Manager window, the right pane shows the action "Complete..." for completing and storing the certificate.
Completing the Certificate
Now that your server certificate has been signed, select the "Complete..." action. A wizard appears which essentially needs only the server certificate produced from the CSR you created on this Exchange server. This is important, because the server still holds the private key that corresponds to the CSR, and therefore to the public key contained in the certificate issued by the CA. If all is OK, and if you have also installed the root certificates of the CA that signed the server certificate, the certificate is installed and shown under its friendly name in the certificate list. However, no service is assigned to it yet; one last step remains.
Assigning Services to the Certificate
Select the desired certificate by clicking its line in the list. In the right pane select "Assign Services to Certificate...". A wizard runs in which you first select the server(s), then the service(s). The most important page of the wizard is the service selection:
Select the services to use (IIS | IMAP | POP | SMTP | UM) and finish the wizard. The assigned services are then displayed in the Services column of the certificate's line. At this point the certificate is in service.
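The three wizard steps above (create the CSR, complete it with the issued certificate, assign services) map onto three Exchange Management Shell cmdlets. The script below is an added example, not part of the original page; the server name, host names, organisation and file paths are constructed placeholders, and it assumes an Exchange 2010 Management Shell session on the server that holds the private key.

```powershell
# Added example (not from the original page): CSR -> complete -> assign services
# from the Exchange Management Shell. All names and paths are constructed placeholders.

$server       = 'EXCH01'                        # constructed: Exchange 2010 server name
$csrPath      = 'C:\certs\exchange.req'         # where the CSR is written for submission
$issuedPath   = 'C:\certs\exchange_signed.cer'  # certificate returned by the CA
$friendlyName = 'Exchange 2010 (CAcert)'        # console "Name" column only, not in the cert

# Step 1 - CSR. -SubjectName is the primary host; -DomainName supplies the SAN entries
# the wizard collects (public host, Autodiscover, internal name). The private key is
# generated here and never leaves the server; only the request text is exported.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -SubjectName 'C=CZ, O=Contoso, CN=mail.contoso.com' `
    -DomainName 'mail.contoso.com','autodiscover.contoso.com','exch01.contoso.local' `
    -PrivateKeyExportable $true `
    -FriendlyName $friendlyName

# The request is returned as a Base64 PEM block; save it for submission to the CA.
Set-Content -Path $csrPath -Value $csr -Encoding Ascii

# --- submit $csrPath to the CA and save the issued certificate as $issuedPath ---

# Step 2 - complete. Import-ExchangeCertificate pairs the issued certificate with the
# pending request's private key, so it must run on the server that generated the CSR.
$imported = Import-ExchangeCertificate -Server $server `
    -FileData ([byte[]](Get-Content -Path $issuedPath -Encoding Byte -ReadCount 0))

# Check the chain before binding anything. Status other than Valid (typically
# Untrusted) means the CA's root certificate is missing from LocalMachine\Root.
$cert = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint
if ("$($cert.Status)" -ne 'Valid') {
    throw "Certificate $($cert.Thumbprint) has status '$($cert.Status)'; install the CA root certificate and re-check before assigning services."
}

# Step 3 - assign services (fills the console's Services column). -Force suppresses
# the confirmation prompt shown when an existing SMTP certificate is being replaced.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Force

# Show the result in the same shape as the console list.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, IsSelfSigned, Status, Services, NotAfter, Thumbprint
```

Keeping the status check between the import and `Enable-ExchangeCertificate` is the point of the script: the console lets you assign services to an untrusted certificate, after which clients start seeing trust warnings, whereas the script refuses to bind anything until the chain validates on the server itself.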