Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
You can use the Shell to configure your Secure Sockets Layer (SSL) certificates to use multiple host names.
When you deploy your Microsoft Exchange Server 2010 Client Access servers, you must make sure that all your clients, such as Microsoft Office Outlook Web App and Office Outlook 2007, will be able to connect to the services by using an encrypted session without receiving an error message that states that the certificate isn't trusted.
By using the Shell, you can create a certificate request that includes all the DNS host names of the Client Access servers. Users can then connect to services such as Outlook Anywhere, Autodiscover, POP3 and IMAP4, or Unified Messaging by using any of the names listed in the certificate's subject alternative name attribute. For example, your users may be able to connect to your Exchange services by specifying the name as shown in the following examples:
- https://CAS01/owa
- https://CAS01.FQDN.name/owa
- https://CASIntranetName/owa
- https://autodiscover.emaildomain.com
Instead of having to require multiple certificates and maintain the configuration of multiple IP addresses and Internet Information Services (IIS) Web sites for each IP port and certificate combination, you can create a single certificate that enables clients to successfully connect to each host name by using SSL or Transport Layer Security (TLS).
You can create a single certificate by adding all the possible DNS name values to the certificate Subject Alternative Name property on the certificate request. A Windows–based Certificate Services certification authority should create a certificate for such a request.
Note: Third-party or Internet-based certification authorities will issue certificates only for DNS names that you are authorized to use. Therefore, intranet DNS names probably won't be allowed.
To configure your SSL certificates to use multiple Client Access server host names, do the following:
- Use the New-ExchangeCertificate cmdlet to create a certificate request file.
- Send this file to a Windows Certificate Services certification authority and use the Web server template on the Certification Authority page. This will result in a .cer file that can be imported to the Client Access server.
- Use the Get-ExchangeCertificate cmdlet to determine the thumbprint for your certificate.
- After you've imported the certificate, you can assign it to IIS, IMAP4, and POP3 by using the Enable-ExchangeCertificate cmdlet.
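Before you import the .cer file the certification authority returned (step 2 above), it is worth confirming that the issued certificate really carries every DNS name you put in the request; as the note above says, an Internet-based CA may silently drop intranet names it cannot validate. The following script is an added example and is not part of the original article or of Exchange itself. It reads the .cer file with the .NET X509Certificate2 class and compares the Subject Alternative Name entries against the names used in the article's sample request. The file path and the list of required names are assumptions; adjust them to your own request.

```powershell
# Added example (not from the original article): check that an issued .cer
# file contains every DNS name that was requested before importing it.

param(
    # Assumed location of the .cer file returned by the CA.
    [string]$CerPath = "c:\certnew_cas01.cer",
    # Assumed list of names; matches the article's sample request.
    [string[]]$RequiredNames = @(
        "CAS01",
        "CAS01.exchange.corp.contoso.com",
        "exchange.contoso.com",
        "autodiscover.contoso.com"
    )
)

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san -eq $null) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=exchange.contoso.com".
    $text = $san.Format($true)
    [regex]::Matches($text, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Names the certificate covers: every SAN DNS entry plus the subject CN.
$covered = @(Get-SanDnsNames -Cert $cert) + @($cert.GetNameInfo("SimpleName", $false))

# -notcontains is case-insensitive, which is what DNS names need.
$missing = $RequiredNames | Where-Object { $covered -notcontains $_ }

if ($missing) {
    Write-Warning ("Certificate {0} is missing the names: {1}. Do not import it; ask the CA to reissue." -f `
        $cert.Thumbprint, ($missing -join ", "))
    exit 1
}

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning ("Certificate {0} expired on {1}." -f $cert.Thumbprint, $cert.NotAfter)
    exit 1
}

Write-Output ("OK: {0} covers {1}; valid until {2}" -f $cert.Thumbprint, ($covered -join ", "), $cert.NotAfter)
```

The thumbprint the script prints is the same value Get-ExchangeCertificate reports after the import, so you can note it now and match it against the output of the thumbprint step later in this topic.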
Looking for other management tasks related to SSL? Check out Managing SSL for a Client Access Server.
Prerequisites
- You have logged on to your computer using an account that's not in the Administrators group, and then used the runas command to run IIS Manager as an administrator. This is a security best practice. To do this, at a command prompt, type runas /user:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc".
- You have read TLS Functionality and Related Terminology in Exchange 2010. This contains information about the many variables you must consider when you configure certificates for SSL or TLS services and how these variables can affect your overall configuration.
Use the Shell to create a certificate request file
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example creates a text file that contains a certificate request in PKCS#10 format.
New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -path c:\certrequest_cas01.txt
Use the Shell to import a certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example imports a previously obtained certificate.
Import-ExchangeCertificate -path <certificate_file_name>.cer -friendlyname "Contoso CAS01"
Use the Shell to determine the thumbprint of your certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example determines the thumbprint of a certificate that matches the host name CAS01.
Get-ExchangeCertificate -DomainName "CAS01"
Note: This example will return multiple certificates if there are several certificates that match the host name you specified. Therefore, make sure that you select the thumbprint of the correct certificate for your request.
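Because Get-ExchangeCertificate -DomainName matches on a single name and can return several certificates (the self-signed default one included), picking the thumbprint by hand is error-prone. The following script is an added example, not part of the original article or of Exchange, that narrows the result to the one imported certificate covering every required name, with a private key, not self-signed and not expired, and refuses to continue if zero or more than one certificate qualifies. It goes slightly beyond the article's note by also honouring wildcard entries such as *.contoso.com in CertificateDomains. The list of required names and the $Apply switch are assumptions.

```powershell
# Added example (not from the original article): select exactly one imported
# certificate that covers all required host names, then optionally enable it.

# Assumed names; matches the article's sample request.
$requiredNames = @(
    "CAS01",
    "CAS01.exchange.corp.contoso.com",
    "exchange.contoso.com",
    "autodiscover.contoso.com"
)
# Set to $true to run Enable-ExchangeCertificate; $false only reports.
$Apply = $false

function Test-NameCovered {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry covers exactly one label to the left of the dot.
        if ($d.StartsWith("*.") -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# Start from the cmdlet shown in the article, then filter the candidates.
$candidates = @(Get-ExchangeCertificate -DomainName $requiredNames[0] | Where-Object {
    $cert = $_
    # CertificateDomains holds domain objects; compare them as strings.
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = @($requiredNames | Where-Object { -not (Test-NameCovered -Name $_ -Domains $domains) })
    ($missing.Count -eq 0) -and
    $cert.HasPrivateKey -and
    (-not $cert.IsSelfSigned) -and
    ($cert.NotAfter -gt (Get-Date))
})

switch ($candidates.Count) {
    0 {
        throw ("No imported certificate covers all of: {0}" -f ($requiredNames -join ", "))
    }
    1 {
        $selected = $candidates[0]
        Write-Output ("Selected {0} ({1}), expires {2}, services now: {3}" -f `
            $selected.Thumbprint, $selected.FriendlyName, $selected.NotAfter, $selected.Services)
        if ($Apply) {
            Enable-ExchangeCertificate -Thumbprint $selected.Thumbprint -Services "IIS,POP,IMAP"
        } else {
            Write-Output ("Run: Enable-ExchangeCertificate -Thumbprint {0} -Services 'IIS,POP,IMAP'" -f $selected.Thumbprint)
        }
    }
    default {
        # Ambiguity is an error here: the article's note warns against
        # enabling the wrong thumbprint, so do not guess.
        $candidates | ForEach-Object {
            Write-Output ("  {0}  {1}  expires {2}" -f $_.Thumbprint, $_.FriendlyName, $_.NotAfter)
        }
        throw "More than one certificate qualifies; remove or disambiguate before enabling."
    }
}
```

Run the script in the Exchange Management Shell on the Client Access server after the import step; with $Apply left at $false it only reports the thumbprint it would enable, which is useful for a change record before the services are switched over.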
Use the Shell to assign the certificate to IIS, POP3, and IMAP4
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example assigns the certificate to IIS, POP3, and IMAP4.
Enable-ExchangeCertificate -thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"
This example imports the certificate and pipes the result to Enable-ExchangeCertificate, which assigns it to the listed services on that Exchange server in a single step.
Import-ExchangeCertificate -path <certificate file name> -friendlyname "Contoso CAS01" | Enable-ExchangeCertificate -services "IIS,POP,IMAP"
For more information about syntax and parameters for the Import-ExchangeCertificate, Enable-ExchangeCertificate, Get-ExchangeCertificate, and New-ExchangeCertificate cmdlets, see Global Cmdlets.