Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-05-19
Microsoft Exchange Server 2007 uses certificates to help secure many paths of e-mail communication. This topic is designed as an end-to-end introduction to certificate use in Exchange 2007. This topic explains the following:
- How certificates are used in Exchange 2007.
- How to determine whether you should purchase a certificate
issued from a third-party public certification authority (CA) and
when the default, self-signed certificate is sufficient.
- How certificate attributes are used by Exchange 2007
components and how the certificate properties relate to the X.509
certificate extension fields.
- Certificate trust and validation.
- How to create, import, and enable Exchange 2007
certificates.
- How Exchange components select certificates from the Personal
computer store.
Each section in this topic contains references and links to certificate-related documentation for Exchange 2007.
Acknowledgement Most of this content was adapted from Microsoft-internal notes and documentation collected and provided by Stuart Presley, Support Engineer.
Table of Contents
- Exchange 2007 Components That Use
Certificates to Encrypt or Authenticate Sessions
- How to Determine When to Use
Certificates Issued by Public CAs and When to Use Self-Signed
Certificates
- Understanding
Certificate Attributes and How Exchange 2007 Uses Them
- Certificate Trust and
Validation
- Creating,
Importing, and Enabling Certificates
- Certificate Selection
- For More Information
Exchange 2007 Components That Use Certificates to Encrypt or Authenticate Sessions
Exchange 2007 uses X.509 certificates to negotiate secure Transport Layer Security (TLS) and Secure Sockets Layer (SSL) transport channels of communication for protocols, such as HTTPS, SMTP, and POP and IMAP.
TLS is the Internet Engineering Task Force (IETF) standard protocol that helps provide communications privacy and security between two applications that communicate over a network. TLS encrypts communications and enables clients to authenticate servers and, optionally, servers to authenticate clients. TLS is a more secure version of the SSL protocol on which TLS is based. SSL was developed earlier by Netscape. Both protocols are functionally equivalent. And most implementations support both protocols for backward capability with older SSL-only clients.
TLS-secured communication can be used for confidentiality (encryption) only or for both confidentiality and authentication. X.509 certificates can be self-signed, also known as self-issued, or issued by an X.509 CA. An X.509 CA is either a third-party public certification authority that issues certificates or a public key infrastructure (PKI) that is deployed within your organization. Unless otherwise noted specifically, this topic refers to both solutions as certification authorities (CA). Third-party public CAs are known as public CAs.
The following Exchange 2007 components use certificates to encrypt or authenticate sessions:
- SMTP Certificates are used for
encryption and authentication for Domain Security between partner
organizations. Certificates are used for direct trust connections
between Hub Transport servers and Edge Transport servers.
Certificates are used between Hub Transport servers to encrypt the
SMTP session. In Exchange 2007, direct trust is the
authentication functionality for which the presence of the
certificate in the Active Directory directory service or
Active Directory Application Mode (ADAM) directory service
validates the certificate. Active Directory is considered a
trusted storage mechanism. Certificates are also used for
opportunistic TLS sessions between organizations. For more
information, see TLS Functionality and
Related Terminology in Exchange 2007.
- EdgeSync synchronization A self-signed
certificate created by Exchange 2007 is used to encrypt the
LDAP communication session between the ADAM instance on the Edge
Transport servers and the internal Active Directory servers
after the Microsoft Exchange EdgeSync service has replicated
data from Active Directory to the ADAM instance on the Edge
Transport server. A self-signed certificate is a certificate that
is signed by its own creator. The Microsoft Exchange EdgeSync
service is the data synchronization service that periodically
replicates configuration data from Active Directory to a
subscribed Edge Transport server. For more information, see
Understanding
the EdgeSync Synchronization Process.
- POP3 and IMAP4 Certificates are used to
authenticate and encrypt the session between Post Office Protocol
version 3 (POP3) and Internet Message Access Protocol version 4rev1
(IMAP4) clients and Exchange servers. For more information, see
Managing POP3
and IMAP4 Security.
- Unified Messaging Certificates are used
to encrypt the SMTP session to Hub Transport servers and to the
Unified Messaging (UM) IP gateway and Microsoft Office
Communications Server 2007. For more information, see Understanding Unified
Messaging VoIP Security.
- Autodiscover Certificates are used to
encrypt the HTTP path between the client and the Client Access
server. For more information, see White Paper: Exchange 2007 Autodiscover Service.
- Client Access applications Certificates
are used to encrypt the path between the Client Access server and
various HTTP clients, such as, Outlook Anywhere, Microsoft Outlook
Web Access, and devices that support Microsoft Exchange ActiveSync.
For more information, see Managing Client Access
Security.
For more specific information about how each data path in Exchange 2007 is encrypted and authenticated, see Data Path Security Reference.
How to Determine When to Use Certificates Issued by Public CAs and When to Use Self-Signed Certificates
This purpose of this section is to provide a quick explanation of how Exchange 2007 uses certificates. After you have read this section, you should understand, based on the Exchange components that you have enabled and the clients you want to support, what kind of certificates you must purchase from a public CA. This section also provides the general context for the more technical content that follows.
It's important to understand that, because this section is intended to let you quickly determine your overall certificate needs with regard to public CAs, the section is necessarily brief. For brevity, many generalizations about certificates and related technologies are made to illustrate certificate use in Exchange 2007. If you do not understand concepts in this section, make sure that you read the rest of this topic and the referenced documentation.
Generally, any Exchange 2007 component that uses Kerberos, Direct Trust, or NTLM authentication can use a self-signed certificate for encryption. In this topic, such components are referred to as internal Exchange 2007 components. Internal refers to the fact that the data paths are between Exchange 2007 servers and within the corporate network that is defined by Active Directory.
We recommend that you deploy a certificate issued by a public CA whenever your users are access Exchange components that require authentication and encryption from outside your corporate firewall. For example, all the various clients that the Client Access server role supports, such as Exchange ActiveSync, POP3, IMAP4, and Outlook Anywhere, should be secured with a certificate that is issued by a public CA. In this topic, such components are referred to as external Exchange 2007 components. External refers to the fact that the data paths between the clients and the Exchange 2007 servers traverse the corporate firewall and extend into the Internet.
Internal Components Use Self-Signed Certificates
As mentioned earlier, many components in Exchange 2007 use certificates. Generally, all internal Exchange data paths that are secured by certificates do not require a certificate issued by a public CA.
All internal SMTP and UM traffic is secured by self-signed certificates that are installed when you run Exchange 2007 Server Setup. Although you should renew these certificates yearly by using the New-ExchangeCertificate cmdlet, you do not have to have a certificate issued by a public CA to run the default internal Exchange messaging components.
Note: |
---|
Self-signed certificates that are created by Exchange expire in one year. The internal components that rely on the default self-signed certificates continue to operate even if the self-signed certificate has expired. However, when the self-signed certificate has expired, events are logged in Event Viewer. It is a best practice to renew the self-signed certificates before they expire. |
Exchange 2007 includes a set of cmdlets to create, request, and manage TLS certificates. For more information about these cmdlets, see Certificate Cmdlets later in this topic. By default, these certificates are self-signed. As explained earlier in this topic, a self-signed certificate is a certificate that is signed by its own creator. In Exchange 2007, the self-signed certificate is created by the computer that is running Microsoft Exchange by using the underlying Windows Certificate API (CAPI). Because the certificates are self-signed, the resulting certificates are generally less trustworthy than certificates that are generated by a CA. Therefore, we recommend that you use self-signed certificates only for the following internal scenarios:
- SMTP sessions between Hub Transport servers: A certificate is
used only for encryption of the SMTP session. Authentication is
provided by the Kerberos protocol.
- SMTP sessions between Hub Transport servers and an Edge
Transport server: A certificate is used for encryption of the STMP
session and for direct trust authentication.
- EdgeSync synchronization between Edge Transport servers and
Active Directory: A certificate is used to encrypt the LDAP
communication session between the ADAM instance on the Edge
Transport servers and the internal Active Directory servers
after the Microsoft Exchange EdgeSync service has replicated
data from Active Directory to the ADAM instance on the Edge
Transport server.
- Unified Messaging communication: A certificate is used for
encrypting Session Initiation Protocol (SIP) and Realtime Transport
Protocol (RTP) traffic between UM servers and UM IP gateways, IP
Private Branch eXchanges (PBXs), and computers that are running
Office Communications Server 2007. The certificate is also used for
encrypting SMTP traffic when voice mail or fax messages are
submitted from UM servers to Hub Transport servers.
- A Client Access server that is accessed only by internal
clients.
External Client Access to Exchange Requires Certificates Issued by a Public CA
Internal Exchange components can rely on self-signed certificates because the certificates are not used for authentication. Authentication for most Exchange components is provided by Kerberos or NTLM. In communication between an Edge Transport server and a Hub Transport server, direct trust authentication is used. This is provided by a certificate and the fact that the Edge Transport server's public key is stored in Active Directory, which is a trusted store. Otherwise, self-signed certificates are used to provide an ephemeral key to encrypt data paths between Exchange components.
However, for external client access from the Internet into the network where Exchange is hosted, traditional certificate trust validation is required. It is a best practice to use a certificate issued by a public CA for trust validation. In fact, when certificate authentication is required, using a self-signed certificate is not a best practice and is strongly discouraged. We recommend that you use a certificate from a public CA for the following:
- POP3 and IMAP4 client access to Exchange
- Outlook Web Access
- Outlook Anywhere
- Exchange ActiveSync
- Autodiscover
- Domain Security
The best practice for all these is to use a public CA that is trusted by all clients by default.
Use the New-ExchangeCertificate cmdlet to generate a certificate request according to the specifications of the third-party public CA that will issue your certificate
For more information, see the following topics:
- New-ExchangeCertificate
- Creating a
Certificate or Certificate Request for TLS
- Exchange 2007 lessons learned - generating a
certificate with a 3rd party CA
Note: The content of Wikis and blogs and their URLs are subject to change without notice.
The rest of this section provides information about how to determine the type of public certificate that you must purchase and whether you must purchase multiple certificates to help secure the clients that your organization uses to access Exchange 2007.
Determining the Type and Number of Public CA-Issued Certificates for Your Deployment
Selecting the appropriate public CA-issued certificate for your organization depends on the following factors:
- Client support of wildcard names in
certificates Ask yourself: What clients will I
support? As mentioned earlier, "clients" in this context refer to
clients that access Exchange from the Internet.
- Your organization's namespace How is
your Internet-facing Internet Information Services (IIS) namespace
configured?
- Source of your certificate Where will
you obtain your certificate? Does the public CA you select support
using wildcard characters in the Subject or Subject Alternative
Name (SAN) fields? If not, does it support using SANs?
The following sections examine these factors more closely.
Client Support of Wildcard Names in Certificates
Wildcard names may be used in the Subject or SAN extensions of X.509 certificates. For more information about wildcard names, see "CertificateDomains" in Understanding Certificate Attributes and How Exchange 2007 Uses Them later in this topic.
After you have determined which clients your organization will support, it is helpful to determine whether the clients support certificates where wildcard names are used in the server certificate that the client is connecting to.
If your client supports using wildcard names in the
certificate, the overall certificate planning for your organization
is greatly simplified. If all your clients support wildcard names
in certificates and your organization uses a single domain name,
you do not have to consider namespace planning for your certificate
deployment strategy. Instead, you can create a single certificate
that supports your namespace with a wildcard character. For
example, if clients that are running Outlook Web Access use
mail.contoso.com/owa
to access their mail, and POP3
clients use pop.contoso.com
to access their mail, a
single certificate with a wildcard Subject of
*.contoso.com
will support both clients.
The following Microsoft clients support wildcard names in certificates:
- Outlook
Note: When wildcard certificates are deployed across Exchange servers that are running the Client Access role, Autodiscover settings require some configuring to allow Outlook 2007 clients to connect successfully. To learn more about this issue and to resolve it, see Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere. - Internet Explorer (Outlook Web Access)
- Exchange Edge Transport server (Domain Security)
Important: |
---|
Clients running Windows Mobile 5.0 do not support an encrypted channel to servers where wildcard names are used in the certificate. |
If a client that your organization supports does not support wildcard names in the server certificate, and you have multiple client namespaces to support, you must either
- Purchase a certificate that contains multiple names, such as
mail.contoso.com
,pop.contoso.com
, andmobile.contoso.com
in the SAN extension.
- Purchase a certificate for each entity in the namespace that a
client will connect to.
Planning for Your Organization's Namespace
All clients require a URL or a fully qualified domain name (FQDN) to connect to. Each path that clients connect to must be associated with a valid certificate that contains the host name, NetBIOS name, FQDN, or common name of the host that the client is connecting to. Determining the list of names to include on the certificate is the process of namespace planning.
Generally, namespace planning for large organizations that support many different clients and span multiple regions with multiple servers is more complex than namespace planning for smaller organizations.
You must understand certificate namespace planning so that you know which host names to include in the SAN extension of the certificate that you use to help secure inbound connections to Exchange 2007.
For more information, see Understanding Namespace Planning For Exchange Server 2007.
Where to Get Your Certificate
As previously mentioned, for external client access, we recommend purchasing a certificate from a public third-party CA.
As you evaluate certificate authorities, consider the following criteria:
- Does the CA allow wildcard names in the certificate? If your
clients can support wildcard names in the certificate, buying a
certificate from a CA that supports wildcard names is the simplest
method to deploy secured clients.
- Does the CA support the SAN extension? It may make sense to use
a certificate that supports multiple names in the SAN if the
following conditions are true:
- You must support clients that do not support wildcard names in
the certificate.
- You have more than a single host path that clients must connect
to.
- You must support clients that do not support wildcard names in
the certificate.
- Is the CA providing a high level of authenticity-checking? Some
CAs are very inexpensive. Other CAs cost hundreds of dollars a year
for a certificate. Because you rely on the integrity of this
certificate to authenticate inbound traffic to your organization,
we recommend that you not select a public CA by cost alone.
Carefully evaluate and compare the services that are provided by
each CA and the reputation of each CA before you decide.
Understanding Certificate Attributes and How Exchange 2007 Uses Them
Understanding the various attributes of certificates will help you understand how certificates are used by Exchange. This understanding, in turn, will help as you plan for certificate needs in your Exchange organization. This understanding will also help as you troubleshoot problems.
X.509 certificates have two types of attributes.
- Certificate fields are attributes within the signed data of the
X.509 certificate itself. These fields are integrity-protected by
the signature, and their value cannot be altered without re-signing
or reissuing the certificate.
- Certificate properties are attributes which are metadata of the
certificate or private key. Some properties are intrinsic to the
certificate or private key, such as the thumbprint of the
certificates. However, many properties can be altered without the
certificate being re-signed.
For example, the Enable-ExchangeCertificate cmdlet lets you add services to the properties of the certificates after they have been created. You can enable certificates for use by IIS, such as Outlook Web Access or Exchange ActiveSync, SMTP, such as direct trust or Domain Security, IMAP, POP, and Unified Messaging. Enabling a certificate for a particular service updates the certificate properties. For more information, see Enable-ExchangeCertificate.
You can view these attributes by running the
Get-ExchangeCertificate cmdlet with the |FL
argument on a given certificate. If you are running
Exchange 2007 RTM, you must run the cmdlet with the
|FL*
argument to display all the attribute data.
Some fields and properties specified in the Get-ExchangeCertificate cmdlet output map to X.509 extension fields that can be viewed by using Certificate Manager in Microsoft Management Console (MMC). For more information about Certificate Manager, see How to Add Certificate Manager to Microsoft Management Console. For more information about the Get-ExchangeCertificate cmdlet, see Get-ExchangeCertificate.
Certificate Fields
As explained earlier, certificate fields are attributes within the signed data of the X.509 certificate itself. This section explains the certificate fields that are used by Microsoft Exchange services and displayed in the output of the Get-ExchangeCertificate cmdlet.
Some of these fields are also parameters that you can set when you create a new certificate or a certificate request with the New-ExchangeCertificate cmdlet. For more information about the New-ExchangeCertificate cmdlet, see New-ExchangeCertificate.
Each certificate field in this section is listed according to the output of the Get-ExchangeCertificate cmdlet. Each Exchange certificate field name in this section maps to an X.509 certificate extension name.
Issuer
This field contains the common name that identifies the certificate issuer. Self-signed certificates created by Exchange during setup or by the New-ExchangeCertificate cmdlet display cn=hostname where hostname is the name of the local server.
Certificates that are issued by CAs usually display the full common name of the CA in the Issuer field.
The X.509 certificate extension name is also Issuer.
The Issuer field does not have a corresponding parameter that you can set in the New-ExchangeCertificate cmdlet. The Issuer field is specified by the entity that issues the certificate.
Subject
This field identifies the subject of the certificate. Subject is an X.500 string that usually represents a single name that is used to access the service that uses the certificate. When a certificate is created by the New-ExchangeCertificate cmdlet, if the subject is not explicitly provided, Subject will be the first value that is listed on the DomainName parameter when you run the New-ExchangeCertificate cmdlet. The following X.500 fields may be present:
- C = Country
- ST = State
- L = Location
- O = Organization
- OU = Organizational Unit
- CN = Common Name
Some of these fields are required when generating certificate requests for third-party CAs. For an in-depth explanation of the Subject field, see Creating a Certificate or Certificate Request for TLS.
If you are running Microsoft Internet Security and Acceleration (ISA) Server 2006 in front of Exchange for bridging, make sure that you read the blog post, Certificates with Multiple SAN Entries May Break ISA Server Web Publishing, for more information about subject names and ISA Server behavior.
Note: |
---|
The content of Wikis and blogs and their URLs are subject to change without notice. |
When Exchange generates a self-signed certificate without any user arguments, it creates a certificate that contains a subject name of CN=hostname.
The X.509 certificate extension name is also Subject.
You set the Subject field by specifying the SubjectName parameter in the New-ExchangeCertificate cmdlet.
CertificateDomains
The CertificateDomains field identifies all DNS
domain names associated with a certificate. DNS domain names can be
in either the common name (cn=
) attribute of the
Subject or in the SAN extension of a certificate. The output of
Get-ExchangeCertificate cmdlet displays the union of the
domain in the Subject field and any domains found in the
SAN.
The values found in the CertificateDomains field may include the host name or FQDN that are used to access the server. To use a certificate, the FQDN that a client uses to connect to the server must appear on the CertificateDomains field for the certificate.
For example, if a client is connecting to a server by using POP3 with mail.fourthcofee.com as the server name, the certificate associated with the POP3 settings may contain mail.fourthcofee.com on its CertificateDomains field.
You might also find certificates with wildcard names, such as *.fourthcofee.com. This is an acceptable domain. However, you should be aware that some legacy clients and mobile devices do not support wildcard names on a certificate and therefore may not support using wildcard domains.
Note: |
---|
The SAN field is not exposed through Exchange directly. You can view it only in Certificate Manager in MMC or through the Internet Information Services (IIS) Manager. Certificates bound to a Web site, such as those used by IIS for Outlook Web Access, Exchange ActiveSync, or Autodiscover, are also viewable in IIS Manager. |
For an in-depth explanation of how to use SANs and wildcard names in certificates, see Creating a Certificate or Certificate Request for TLS. Also, the Exchange Team Blog, Exchange 2007 lessons learned - generating a certificate with a 3rd party CA, contains practical advice on how to create a certificate request with multiple SANs.
Note: |
---|
The content of Wikis and blogs and their URLs are subject to change without notice. |
The X.509 certificate extension name is Subject Alternative Name but, as noted earlier, the output of Get-ExchangeCertificate cmdlet also adds the value that is contained in the Subject certificate extension to the list of names in the CertificateDomains field.
You set the CertificateDomains field by specifying the DomainName and Subject parameters of the New-ExchangeCertificate cmdlet.
NotBefore and NotAfter
The values in the NotBefore and NotAfter fields represent a date range in which the certificate is valid for use. If the current date falls after the NotAfter date, the certificate is considered expired. Microsoft Exchange can still use expired certificates, but clients will generate warnings and the server will log appropriate events into the event log.
The X.509 certificate extension name that maps to the NotBefore value is Valid from. The X.509 certificate extension name that maps to NotAfter is Valid to.
The NotBefore and NotAfter fields do not have corresponding parameters that you can set in the New-ExchangeCertificate cmdlet. These fields are defined by the entity that issues the certificate. Self-signed certificates that are generated by Exchange setup or by the New-ExchangeCertificate cmdlet are valid for one year.
CertificateRequest
This value is present only on certificates that are still in the request state. Certificate Requests are not valid X.509 Certificates and therefore will not be used by Exchange.
The CertificateRequest field is enabled by specifying the GenerateRequest parameter switch of the New-ExchangeCertificate cmdlet.
Certificate Properties
As explained earlier, certificate properties are attributes which are metadata of the certificate or private key. Some properties are intrinsic to the certificate or private key such as the thumbprint of the certificates but many properties can be altered without the certificate being re-signed.
Except for the Thumbprint property, no Exchange certificate properties correspond to an X.509 certificate extension.
This section explains the certificate properties.
IsSelfSigned
The IsSelfSigned property indicates whether a certificate is self-signed. A self-signed certificate is usually a root certificate. This is a certificate that has no other certificates in the certificate chain. The self-signed certificate in Exchange usually refers to the following kinds of certificate:
- A certificate that is generated when Exchange is installed on a
server where no qualifying certificate is present,
- A certificate that results from running the
New-ExchangeCertificate cmdlet.
When the Hub Transport, Edge Transport, Unified
Messaging, or Client Access server roles are installed, a
self-signed certificate is generated by Exchange Setup. If a valid
certificate exists in the Personal certificate store on the
host computer, the existing certificate will be used and the
self-signed certificate generated by Exchange Setup will not be
used. The valid values are True
or
False
.
RootCAType
The RootCAType property identifies the type of
CA that issued the certificate. If the IsSelfSigned
parameter is set to True
, the value of the
RootCAType property should be None
. Otherwise,
the certificate could cause unexpected results to occur in the
certificate selection process. Other possible values are as
follows:
Registry
An internal, private PKI root CA that has been manually installed in the certificate store.
ThirdParty
A public, third-party root CA.
GroupPolicy
An internal, private PKI root CA that has been deployed with Group Policy.
Enterprise
An internal, private PKI root CA that has been deployed with Active Directory.
Unknown
Exchange is unable to determine the type of certificate that is installed.
Understanding how the root CA certificate has been installed on a computer may help you diagnose inconsistent trust policies. Such inconsistencies may cause certificates to validate on some servers but not on other servers.
For example, a value of Registry
indicates
that someone has manually installed the certificate on one server.
This may cause inconsistencies if the certificate has not been
installed on other servers in the organization. We recommend
distributing certificates to all computers by using Group Policy or
Active Directory.
Services
The Services property identifies the services
with which this certificate can be used. The valid values are
SMTP
, POP
, IMAP
,
UM
, and IIS
.
You set the value in the Services field by specifying the Services parameter on the Enable-ExchangeCertificate cmdlet. For more information, see Enable-ExchangeCertificate.
Status
The Status property identifies whether the
certificate is valid. The Status field is very helpful when
you are troubleshooting certificate problems. If the Status
value for a given certificate is not Valid
, that
certificate will not be used by the Exchange server for any
services. Values for the Status property include the
following:
- Unknown This status generally indicates
that the status of the certificate cannot be verified because the
certificate revocation list (CRL) is unavailable or this server
cannot connect to it. Make sure that the computer can connect to
the Certificate Revocation Authority. For more information, see
How to Configure
Proxy Settings for WinHTTP.
- Valid The certificate is working
correctly.
- Revoked The CRL has indicated that this
certificate has been revoked. You must generate a new
certificate.
- DateInvalid This status indicates that
the system time is incorrect, the certificate has expired, or the
time of the system that signed the file is incorrect. Verify that
the following conditions are true:
- The local computer clock is accurate.
- The certificate has not expired.
- The sending system clock is accurate.
- The local computer clock is accurate.
- Untrusted This status indicates that
the certificate is not self-signed. However, it is signed by a CA
that is not trusted by the local computer. You must add the CA
certificate to the Trusted Root Certification Authorities store on
the computer. For more information about how to manually add
certificates to the local certificate store, see the Help file for
Certificate Manager in MMC.
- Invalid Some other issue has
invalidated this certificate, such as an untrusted, invalid, or
revoked certificate somewhere in the certificate path.
For more troubleshooting information, see the following topics:
HasPrivateKey
The HasPrivateKey property indicates whether the installed certificate has a private key. This is very important because the Microsoft Exchange Transport service, Microsoft Exchange POP3 service, and Microsoft Exchange IMAP4 service will not use a certificate that does not have a private key.
Thumbprint
The Thumbprint property is a unique string that
identifies the certificate. If the same certificate is installed on
multiple Exchange servers, you can identify them by their
thumbprint. The same certificate is usually installed on multiple
Exchange servers when multiple Edge Transport servers are accepting
mail with the same FQDN, such as
mail.fourthcoffee.com
. It’s much more cost efficient
to install the same certificate on multiple servers than to request
new certificates for each server. However, the certificate must
have an exportable private key.
The Thumbprint property is used to specify a certificate for the following cmdlets:
- Get-ExchangeCertificate
- Remove-ExchangeCertificate
- Export-ExchangeCertificate
- Enable-ExchangeCertificate
The X.509 certificate extension name that maps to the Thumbprint property is also Thumbprint.
Certificate Trust and Validation
To use a certificate for authentication, the certificate must be validated and trusted.
To validate a given X.509 certificate, you must trust the root CA that issued the certificate. A root CA is the most trusted CA. This is at the top of a CA. The root CA has a self-signed certificate. When you run an application that relies on certificate authentication, each certificate must have a certificate chain that ends in a certificate in the trusted root container of the local computer. The trusted root container contains certificates from root CAs.
A certificate is chained to a CA by another certificate. That certificate could also have been issued by a CA and therefore would be chained to it. This chaining of certificates is also known as the certification path. Every certificate in the certification path must be valid for the certificate to be valid. Also, the certificate at the top of the chain must be a trusted root CA.
There are two types of trusted root CAs that you can use to implement applications that rely on certificate authentication: third-party public root CAs and private root CAs.
Third-Party Public Root Certification Authorities
Windows, Windows Mobile, and various third-party operating systems include a set of built-in third-party public root CAs. If you trust the certificates issued by these third-party public root CAs, you can verify certificates issued by these CAs.
Trust is automatic if the following conditions are true:
- Your organization uses the default Windows installation,
- The client software and mobile devices used in your
organization also trust the built-in third-party public root
CAs,
In this case, additional trust configuration is not required.
Private Trusted Root Certification Authorities
A private trusted root CA is a root CA that has been deployed by a private or internal PKI. For example, when your organization has deployed an internal PKI with its own root certificate, you must make additional trust configurations.
Generally, it is not a best-practice to use certificates issued by a private PKI for client applications that support external connections into your organization.
When private root CAs are used, you must update the Windows Trusted Root certificate store on all devices, clients, and Windows operating systems where certificate authentication is required.
You can configure trust in two ways: direct root trust and cross-certification.
Direct Root Trust
If you want to trust a certificate that has been issued by a private root CA, you can manually add that root certificate to the Trusted Root certificate store on a computer that is running Windows. In some cases, you can add a root certificate to the trusted root store of mobile clients also. For more information about how to manually add certificates to the local certificate store on a computer that is running Windows, see the Help file for Certificate Manager in MMC. For more information about how to install certificates on Windows Mobile devices, see How to install root certificates on a Windows Mobile-based device.
Important: |
---|
You probably won't be able to install certificates on all computers and devices that users will use to access Exchange. For example, some users may try to access Outlook Web Access from a kiosk or from a friend's computer. In this scenario, users receive a warning but are not prevented from accessing their mail. Because this behavior, in effect, trains users to ignore certificate warnings, it is not a best practice. Therefore, using certificates issued from trusted third-party CAs is a best practice. |
Cross-Certification
Cross-certification occurs when one CA signs a certificate that is generated by another CA. Cross-certification is used to build trust from one PKI with another PKI. If you have your own PKI, instead of using direct manual trust for a root CA of another private PKI, you can create a cross-certificate for the other CA under your root CA. In this case, trust is established because the cross-certificate ultimately chains back to your trusted root CA.
Configuring Access to the Certificate Revocation List
When a specific service, such as the Microsoft Exchange Transport service in the SMTP/TLS scenario or IIS in the HTTPS scenario, retrieves a certificate, the service validates the certificate chain and validates the certificate. Validation of the certificate is a process in which many attributes of the certificate are confirmed. Most of these attributes can be confirmed on the local computer by the application that requests the certificate. For example, the intended use of the certificate, the expiration dates on the certificate, and similar attributes are verifiable outside the context of a PKI. However, verification that the certificate has not been revoked must be validated with the CA that issued the certificate. Therefore, most CAs make a certificate revocation list (CRL) available to the public to validate the revocation status.
To successfully authenticate with certificates, CRLs for CAs that you use must be available to the services that are authenticating the client. If the revocation check fails, the authenticating service will fail.
Your authenticating servers must be able to access CRLs for external CAs.
All public CAs have publicly available CRLs that your organization's servers can contact. In some cases, CRLs for private, internal PKIs are available only with Lightweight Directory Access Protocol (LDAP). In most cases, with public CAs, CRLs are published by using HTTP. Make sure that the appropriate outbound ports and proxies are configured to let your servers and clients to contact the CRL. You can determine which protocol a given CRL distribution point accepts by opening a certificate in MMC and viewing the CRL Distribution Points field.
In some cases, you may have to make the CRL for the CA that issues your certificates publicly available. For example, if you are deploying Domain Security, you must understand that even when an Edge Transport server retrieves a certificate from your own organization, it validates the certificate chain to validate the certificate. Therefore, the CRL for your CA must be available to your own Edge Transport servers. In addition, all partners that you exchange domain-secured e-mail with must be able to access the CRL for the CA that issues your certificates.
Configuring Proxy Settings for WinHTTP
Exchange 2007 servers rely on the underlying Windows HTTP Services (WinHTTP) to manage all HTTP and HTTPS traffic. For example, both Hub Transport servers and Edge Transport servers may use HTTP to access updates for Exchange 2007 Standard Anti-spam Filter Updates and the Microsoft Forefront Security for Exchange Server anti-spam update service. All Exchange server roles will use WinHTTP to enable CRL validation.
For more information, see How to Configure Proxy Settings for WinHTTP.
Testing the PKI and Proxy Configuration
To verify your PKI and proxy configuration for a specific Exchange server, use Certutil.exe to verify the certificate chain for the server certificate. Certutil.exe is a command-line tool that is installed as part of Certificate Services in Windows Server operating systems. For more information, see How to Test PKI and Proxy Configuration.
Creating, Importing, and Enabling Certificates
There are several ways to obtain a certificate that is installed and operational on Exchange 2007. Your choice of method depends on your needs. Exchange 2007 generates a set of self-signed certificates to enable the default configuration to be secured. This should be renewed over time to help ensure security of the system. Exchange does not automatically generate requests for signing by certificate authorities. Whether you want to create a new self-signed certificate or a certificate request for a certification authority, both methods use the same cmdlet.
This section provides an overview of the operations that you can perform on certificates that are used by Exchange 2007. Read this section if you are not familiar with the ExchangeCertificate cmdlets. Application-specific examples and procedures are provided later in this document, using POP3 as an example. This section also provides links to application-specific documentation.
Certificate Cmdlets
In earlier versions of Exchange Server, all certificate management was done through IIS and Certificate Manager in MMC. In Exchange 2007, you perform most certificate management tasks that relate to Exchange by using the following ExchangeCertificate cmdlets with the Exchange Management Shell:
- New-ExchangeCertificate This
cmdlet generates self-signed certificates and certificate requests
for certification authorities.
- Import-ExchangeCertificate This
cmdlet imports certificates that have been previously exported and
imports certificate files generated by CAs.
- Export-ExchangeCertificate The
cmdlet exports certificates for backup or for use on multiple
servers.
- Enable-ExchangeCertificate This
cmdlet enables specific services on a certificate.
- Get-ExchangeCertificate This
cmdlet displays the attributes of a certificate.
- Remove-ExchangeCertificate This
cmdlet removes certificates from Exchange Server and the local
certificate store.
For more information about how to create certificate requests for certification authorities, see Creating a Certificate or Certificate Request for TLS.
The following sections provide short examples to illustrate how you can use the ExchangeCertificate cmdlets to perform common certificate tasks. For more information and examples, see the ExchangeCertificate cmdlet Help under Global Cmdlets.
Generating Self-Signed Certificates
To generate a self-signed certificate for use by the
SMTP service for a server that has the host name of
Server1
and a domain of fourthcoffee.com
,
run the following command:
Copy Code | |
---|---|
New-ExchangeCertificate -DomainName "server1.fourthcoffee.com", "server1" -Services "SMTP" |
Cloning Self-Signed Certificates
If an existing self-signed certificate has to be renewed, you can clone it by running the following command:
Copy Code | |
---|---|
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate |
The thumbprint placeholder is the thumbprint of the certificate to be renewed. The services for the new certificate can also be specified in the command as follows:
Copy Code | |
---|---|
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate -Services SMTP,POP,IMAP |
You can then enable this certificate by running the following command:
Copy Code | |
---|---|
Enable-ExchangeCertificate <thumbprint> |
Creating Certificate Requests and Installing Trusted Certificates
Installing a public, third-party certificate is a more complex process. You must generate a certificate request, import the issued certificate and all the necessary CA certificates, and then enable the issued certificate for its intended use or uses.
This section provides an example of how to enable the
POP3 service for certificate use. In this example, clients connect
to the POP3 service by connecting to the FQDN,
popserver.fourthcoffee.com
.
Certificate Request
Because the resulting certificate comes from a public, third-party CA, you must first generate a certificate request by running the following command:
Copy Code | |
---|---|
New-ExchangeCertificate -DomainName popserver.fourthcoffee.com -SubjectName "c=us,o=contoso corp, cn=popserver.fourthcoffee.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req" |
If the certificate request is correctly generated, a certificate request file (.cer or .der) will be created in the root of the system drive and the Exchange Management Shell will display a Thumbprint for the request.
Note: |
---|
Certificates returned by providers will support different extensions for the certificate request file, such as .der or .cer. These extensions represent the encoding method that is used on the certificate file. By default, the New-ExchangeCertificate request will create a Base64-encoded file (.cer). Use the BinaryEncoded parameter switch to create a .der file. |
In the previous command, the
PrivateKeyExportable parameter is set to $True
so that this certificate can be exported together with the private
key for use on multiple Exchange servers that may have to be
accessed by using the same FQDN. For example, multiple Client
Access servers may be load-balanced to support POP3
connections.
Note: |
---|
The PrivateKeyExportable parameter is optional. You
should specify it only when you generate certificate requests for
trusted CAs. By setting the PrivateKeyExportable parameter
to $True , you can move and archive the certificate and
the associated keys. You do not have to do this with self-signed
certificates. |
The previous command also specifies the Subjectname parameter as an X.500 name. Most third-party CAs require that you specify a valid X.500 name for the Subject name of the certificate. At a minimum, most CAs require that the organization listed in the organizationName (o=) field owns the domain name that appears in commonName (cn=) of the Web server.
After the request is completed, the request file can be submitted to a certificate vendor to obtain a certificate.
Note: |
---|
The Get-ExchangeCertificate cmdlet returns certificates and also certificates that are still pending requests. To differentiate between the two, certificate requests contain a CertificateRequest attribute that displays the output that is stored in the certificate request file. This output may be useful if you accidentally delete the certificate request file or generate the request without the parameter. The CertificateRequest data is base64-encoded and can be copied into a file and sent to your CA for a certificate request. |
Importing a Certificate
After a certificate is returned from a CA, you must import it to the Exchange server. To correctly import a certificate for which a request was generated by using the New-ExchangeCertificate cmdlet, run the following command:
Copy Code | |
---|---|
Import-ExchangeCertificate -Path "C:\CertificateFile.cer" |
If the certificate is successfully imported, this command will return a certificate thumbprint that you can use to enable specific services.
Important: |
---|
You must import the certificate onto the same computer where the certificate request was generated. Also, do not use Certificate Manager in MMC to import Exchange certificates. |
Enabling a Certificate
Enabling a certificate lets you specify which services can use a specific certificate. The following command enables the issued certificate for the POP3 service:
Copy Code | |
---|---|
Enable-ExchangeCertificate <thumprint> -Services:"POP" |
You can import and enable a certificate at the same time by running the following command:
Copy Code | |
---|---|
Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services:"POP" |
Validating Certificate Installation
To confirm that all required steps have been completed and the certificate is installed and operational, run the following command:
Copy Code | |
---|---|
Get- ExchangeCertificate <thumbprint> | fl * |
Note: |
---|
If you are running Exchange 2007 SP1 or later versions, do
not include the asterisk (* ) on the command
argument. |
The output of this command returns data similar to the following:
Copy Code | |
---|---|
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,System.Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {popserver.fourthcoffee.com, fourthcoffee.com} HasPrivateKey : True IsSelfSigned : False Issuer : CN=3rdPartyCAExample.com NotAfter : 8/7/2008 10:04:02 AM NotBefore : 8/7/2007 10:04:02 AM PublicKeySize : 2048 RootCAType : ThirdParty SerialNumber : 83FAE8B2398F2A9E44485CBA85D548DF Services : POP Status : Valid Subject : C=us,o=contoso corp, CN=fourthcoffee.com Thumbprint : 257C327A164ED8A6FCDAFCA7789D29B60369DCA7 |
Inspect the output of this command to validate that the following information is true:
- The domain names that you expect to be present are listed in
the CertificateDomains field.
- The HasPrivateKey property is set to
True
.
- The RootCAType property is set correctly. For more
information about the RootCAType property, see Certificate Properties earlier in this
document.
- The required services are enabled for the certificate.
- The Status is set to
Valid
.
Certificate Services
Services, such as POP, IMAP, IIS, and SMTP, can be enabled on a certificate. Services are not fields in the certificate itself. They are metadata properties of the certificates. Therefore, you can change them without invalidating the certificate.
When services are enabled, configuration changes occur on other components, such as in the IIS Metabase, the file system, or on the IMAP4 and POP3 settings. This section describes the configuration changes that occur when you enable a given service by running the Enable-ExchangeCertificate cmdlet.
POP and IMAP
When POP and IMAP are added as additional services to a certificate, the x509CertificateName attribute on the POPSettings object or IMAPSettings object is updated to include the domain in the subject of the certificate.
For example, to verify that the POPSettings object has been updated, run the following command
Copy Code | |
---|---|
Get-POPSettings | fl * |
Note: |
---|
If you are running Exchange 2007 SP1 or later versions, do
not include the asterisk (* ) on the command
argument. |
IIS
When IIS is enabled, the default IIS Web site is updated to use this specific certificate.
You can enable a certificate for IIS by using the Enable-ExchangeCertificate cmdlet for the default IIS Web site only. If you are hosting Outlook Web Access or Autodiscover on Web sites other than the default IIS Web site, you must use IIS Manager to associate a specific certificate with those Web sites.
SMTP
When the SMTP service is enabled on a certificate, the Network Service account is granted Read access to the appropriate private key file in the Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory. This action provides the permission required for the Microsoft Exchange Transport service to access and use the private key to decrypt messages that are secured by TLS.
Microsoft Exchange Unified Messaging Service
When the Microsoft Exchange Unified Messaging service is enabled on a certificate, the certificate property is updated to include Unified Messaging. The certificate is used when the following conditions are true:
- The Unified Messaging server role is installed on the
computer.
- The certificate contains the physical FQDN of the local
computer in the CertificateDomains certificate field.
Certificate Selection
Certificate selection is a process that Exchange components perform to determine which certificate should be used for an incoming connection. SMTP STARTTLS, POP3, and IMAP4 all perform a similar selection process to determine which certificate to use for a particular session. This process is fairly deterministic. However, it can be confusing, especially when more than one certificate is installed on the computer.
This section describes the certification selection process for SMTP STARTTLS, SMTP X-AnonymousTLS, POP3, and IMAP4. For more information about transport-specific certificate selection, see SMTP TLS Certificate Selection.
SMTP STARTTLS
STARTTLS is the SMTP verb that initiates a secure TLS session. STARTTLS is only advertised by Exchange if a valid certificate exists on the computer that is running Exchange.
To advertise or use STARTTLS, Exchange selects a certificate based on the FQDN and a matching value in the CertificateDomains field of a certificate. The FQDN is based on the following information:
- Outbound STARTTLS The certificate is
selected based on the value of FQDN on a Send connector.
- Inbound STARTTLS The certificate is
selected is based on the value of FQDN on a Receive connector.
Note: For outbound STARTTLS and inbound STARTTLS, if the FQDN of the connector is not specified, the physical FQDN of the Exchange server is used for the match.
After the FQDN is determined, Exchange searches Personal certificate store on the host computer for all valid certificates. A certificate is valid for TLS use if it meets all the following requirements:
- The Enhanced Key Usage field contains either the Server
Authentication object identifier (also known as OID) or is
null.
- The PKI certificate extension lists an RSA key with a minimum
of 1024 bits.
- The certificate validates the certificate chain up to a trusted
root, or the certificate is self-signed.
- The certificate and certificate chain passes the revocation
check.
- The private key is present and available.
- The private key is not stored in a removable device.
- The private key is not protected with a password.
If more than one valid certificate is found, Exchange selects a certificate based on the following criteria:
- The value in the NotBefore
field Exchange selects the newest valid
certificate.
- Certificates issued by a trusted CA vs. self-signed
certificates Exchange selects certificates
issued by a trusted CA over self-signed certificates.
In most cases, Exchange selects a certificate issued by a trusted CA over a self-signed certificate regardless of the age of the certificate. If a valid certificate is not found, STARTTLS is not advertised.
SMTP X-AnonymousTLS
X-AnonymousTLS is used to help secure communication between two Hub Transport servers and between Hub Transport servers and Edge Transport servers. In Exchange 2007 SP1, the certificate selection process has been simplified so that if no certificate is found, a temporary encryption key is generated for the session.
Exchange searches for an internal transport certificate. If a valid internal transport certificate cannot be found, Exchange searches for a valid CA certificate.
Therefore, for Hub-to-Hub communication where the Kerberos protocol is used for authentication, the absence of a valid internal transport certificate does not fail the SMTP session. The SMTP session is encrypted by using the temporary encryption key. In this case, an event is logged and you must create a new internal transport certificate by running the New-ExchangeCertificate cmdlet without arguments on the computer that is generating the event.
For Hub-to-Edge communication, where the Edge Transport server is subscribed to the organization, if a valid internal transport certificate is not found, the session fails and an error is logged. In this case, you must run the New-ExchangeCertificate cmdlet without arguments on the computer that generates the event and then run the Microsoft Exchange EdgeSync service again.
POP3 and IMAP4
As with the certificate selection process for SMTP STARTTLS, in the process for POP3 and IMAP4, Exchange must select a FQDN and find a certificate based on a matching value in the CertificateDomains field. The FQDN is chosen on the basis of the X509CertificateName attribute in the POP3 or IMAP4 service settings. You can view the X509CertificateName attribute by running the Get-POPSettings cmdlet or the Get-IMAPSettings cmdlet. For more information, see Get-POPSettings and Get-IMAPSettings.
The selection process for POP3 and IMAP4 in Exchange 2007 SP1 is the same as the process for SMTP STARTTLS.
Note: |
---|
In Exchange 2007 RTM, there are two major exceptions in
the certificate selection processes for POP3 and IMAP4.
Certificates issued by a trusted CA are not preferred over
self-signed certificates. Instead, Exchange 2007 selects the
newest certificate. Also, in Exchange 2007 RTM, POP3 and IMAP4
do not support wildcard domains on certificates. This means that if
the X509CertificateName attribute is set to
mail.fourthcoffee.com for either the POP3 settings or
IMAP4 settings, Exchange 2007 will not support a certificate
that only contains *.fourthcoffee.com as a certificate
domain. |
Unified Messaging
If the Microsoft Exchange Unified Messaging service is started in Secured mode, it will query the local Personal certificate store to find a valid certificate to use for TLS to enable encryption. The Microsoft Exchange Unified Messaging service will first look for a valid certificate that has been issued by a private PKI or a public CA. If an appropriate certificate is not found, it will look for a self-signed certificate. If no PKI, public, or self-signed certificate is found, the Microsoft Exchange Unified Messaging service creates a self-signed certificate to use to start in Secure mode. If the UM server is starting in Unsecured mode, no certificate is needed.
All the details of the certificate that is used to start in Secured mode are logged whenever a certificate is used or if the certificate has changed. Some details that are logged include the following:
- Issuer Name
- Serial Number
- Thumbprint
The thumbprint is the Secure Hash Algorithm (SHA1) hash. It can be used to uniquely identify the certificate that is used. You can export the certificate that is used by the Microsoft Exchange Unified Messaging service to start in Secured mode from the local certificate store and import this certificate onto the Unified Messaging IP gateways and IP PBXs on your network into the trusted certificate store.
After an appropriate certificate has been found and used, the Microsoft Exchange Unified Messaging service logs an event one month before the certificate that is being used expires. If you do not make any changes to the certificate during this time, the Microsoft Exchange Unified Messaging service logs an event each day until the certificate expires and each day after the certificate has expired.
When the Unified Messaging server looks for a certificate to use for mutual TLS to establish an encrypted channel, it looks in the trusted root certificate store. If there are multiple certificates that are valid and from different issuers, the Unified Messaging server selects the valid certificate that has the longest time remaining before expiration. If multiple certificates exist, the Unified Messaging server selects the certificates based on the issuer and the date that the certificate will expire. The Unified Messaging server looks for a valid certificate in the following order of preference:
- PKI or public certificate with the longest expiration
period.
- PKI or commercial certificate with the shortest expiration
period.
- Self-signed certificate with the longest expiration period.
- Self-signed certificate with the shortest expiration
period.
For More Information
The following documentation has been referenced in this topic:
- Certificates with Multiple SAN Entries May Break
ISA Server Web Publishing
- Creating a
Certificate or Certificate Request for TLS
- Creating a
Certificate or Certificate Request for TLS
- Data Path
Security Reference
- Enable-ExchangeCertificate
- Exchange 2007 lessons learned - generating a
certificate with a 3rd party CA
- Export-ExchangeCertificate
- Get-ExchangeCertificate
- Get-IMAPSettings
- Get-POPSettings
- How to Add
Certificate Manager to Microsoft Management Console
- How to
Configure Proxy Settings for WinHTTP
- How to Test
PKI and Proxy Configuration
- Import-ExchangeCertificate
- Lessons Learned: Generating a Certificate with a
3rd Party CA
- Managing
Client Access Security
- Managing
POP3 and IMAP4 Security
- New-ExchangeCertificate
- Remove-ExchangeCertificate
- SMTP TLS
Certificate Selection
- TLS
Functionality and Related Terminology in Exchange 2007
- Understanding the
EdgeSync Synchronization Process
- Understanding Namespace
Planning For Exchange Server 2007
- Understanding Unified
Messaging VoIP Security
- Unified Communications Certificate Partners for
Exchange 2007 and for Communications Server 2007
- White Paper: Exchange 2007 Autodiscover
Service