Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-05-19

Microsoft Exchange Server 2007 uses certificates to help secure many paths of e-mail communication. This topic is designed as an end-to-end introduction to certificate use in Exchange 2007. This topic explains the following:

  • How certificates are used in Exchange 2007.

  • How to determine whether you should purchase a certificate issued from a third-party public certification authority (CA) and when the default, self-signed certificate is sufficient.

  • How certificate attributes are used by Exchange 2007 components and how the certificate properties relate to the X.509 certificate extension fields.

  • Certificate trust and validation.

  • How to create, import, and enable Exchange 2007 certificates.

  • How Exchange components select certificates from the Personal computer store.

Each section in this topic contains references and links to certificate-related documentation for Exchange 2007.

Acknowledgement   Most of this content was adapted from Microsoft-internal notes and documentation collected and provided by Stuart Presley, Support Engineer.

Table of Contents

Exchange 2007 Components That Use Certificates to Encrypt or Authenticate Sessions

Exchange 2007 uses X.509 certificates to negotiate secure Transport Layer Security (TLS) and Secure Sockets Layer (SSL) transport channels of communication for protocols, such as HTTPS, SMTP, and POP and IMAP.

TLS is the Internet Engineering Task Force (IETF) standard protocol that helps provide communications privacy and security between two applications that communicate over a network. TLS encrypts communications and enables clients to authenticate servers and, optionally, servers to authenticate clients. TLS is a more secure version of the SSL protocol on which TLS is based. SSL was developed earlier by Netscape. Both protocols are functionally equivalent. And most implementations support both protocols for backward capability with older SSL-only clients.

TLS-secured communication can be used for confidentiality (encryption) only or for both confidentiality and authentication. X.509 certificates can be self-signed, also known as self-issued, or issued by an X.509 CA. An X.509 CA is either a third-party public certification authority that issues certificates or a public key infrastructure (PKI) that is deployed within your organization. Unless otherwise noted specifically, this topic refers to both solutions as certification authorities (CA). Third-party public CAs are known as public CAs.

The following Exchange 2007 components use certificates to encrypt or authenticate sessions:

  • SMTP   Certificates are used for encryption and authentication for Domain Security between partner organizations. Certificates are used for direct trust connections between Hub Transport servers and Edge Transport servers. Certificates are used between Hub Transport servers to encrypt the SMTP session. In Exchange 2007, direct trust is the authentication functionality for which the presence of the certificate in the Active Directory directory service or Active Directory Application Mode (ADAM) directory service validates the certificate. Active Directory is considered a trusted storage mechanism. Certificates are also used for opportunistic TLS sessions between organizations. For more information, see TLS Functionality and Related Terminology in Exchange 2007.

  • EdgeSync synchronization   A self-signed certificate created by Exchange 2007 is used to encrypt the LDAP communication session between the ADAM instance on the Edge Transport servers and the internal Active Directory servers after the Microsoft Exchange EdgeSync service has replicated data from Active Directory to the ADAM instance on the Edge Transport server. A self-signed certificate is a certificate that is signed by its own creator. The Microsoft Exchange EdgeSync service is the data synchronization service that periodically replicates configuration data from Active Directory to a subscribed Edge Transport server. For more information, see Understanding the EdgeSync Synchronization Process.

  • POP3 and IMAP4   Certificates are used to authenticate and encrypt the session between Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) clients and Exchange servers. For more information, see Managing POP3 and IMAP4 Security.

  • Unified Messaging   Certificates are used to encrypt the SMTP session to Hub Transport servers and to the Unified Messaging (UM) IP gateway and Microsoft Office Communications Server 2007. For more information, see Understanding Unified Messaging VoIP Security.

  • Autodiscover   Certificates are used to encrypt the HTTP path between the client and the Client Access server. For more information, see White Paper: Exchange 2007 Autodiscover Service.

  • Client Access applications   Certificates are used to encrypt the path between the Client Access server and various HTTP clients, such as, Outlook Anywhere, Microsoft Outlook Web Access, and devices that support Microsoft Exchange ActiveSync. For more information, see Managing Client Access Security.

For more specific information about how each data path in Exchange 2007 is encrypted and authenticated, see Data Path Security Reference.

Return to top

How to Determine When to Use Certificates Issued by Public CAs and When to Use Self-Signed Certificates

This purpose of this section is to provide a quick explanation of how Exchange 2007 uses certificates. After you have read this section, you should understand, based on the Exchange components that you have enabled and the clients you want to support, what kind of certificates you must purchase from a public CA. This section also provides the general context for the more technical content that follows.

It's important to understand that, because this section is intended to let you quickly determine your overall certificate needs with regard to public CAs, the section is necessarily brief. For brevity, many generalizations about certificates and related technologies are made to illustrate certificate use in Exchange 2007. If you do not understand concepts in this section, make sure that you read the rest of this topic and the referenced documentation.

Generally, any Exchange 2007 component that uses Kerberos, Direct Trust, or NTLM authentication can use a self-signed certificate for encryption. In this topic, such components are referred to as internal Exchange 2007 components. Internal refers to the fact that the data paths are between Exchange 2007 servers and within the corporate network that is defined by Active Directory.

We recommend that you deploy a certificate issued by a public CA whenever your users are access Exchange components that require authentication and encryption from outside your corporate firewall. For example, all the various clients that the Client Access server role supports, such as Exchange ActiveSync, POP3, IMAP4, and Outlook Anywhere, should be secured with a certificate that is issued by a public CA. In this topic, such components are referred to as external Exchange 2007 components. External refers to the fact that the data paths between the clients and the Exchange 2007 servers traverse the corporate firewall and extend into the Internet.

Internal Components Use Self-Signed Certificates

As mentioned earlier, many components in Exchange 2007 use certificates. Generally, all internal Exchange data paths that are secured by certificates do not require a certificate issued by a public CA.

All internal SMTP and UM traffic is secured by self-signed certificates that are installed when you run Exchange 2007 Server Setup. Although you should renew these certificates yearly by using the New-ExchangeCertificate cmdlet, you do not have to have a certificate issued by a public CA to run the default internal Exchange messaging components.

Note:
Self-signed certificates that are created by Exchange expire in one year. The internal components that rely on the default self-signed certificates continue to operate even if the self-signed certificate has expired. However, when the self-signed certificate has expired, events are logged in Event Viewer. It is a best practice to renew the self-signed certificates before they expire.

Exchange 2007 includes a set of cmdlets to create, request, and manage TLS certificates. For more information about these cmdlets, see Certificate Cmdlets later in this topic. By default, these certificates are self-signed. As explained earlier in this topic, a self-signed certificate is a certificate that is signed by its own creator. In Exchange 2007, the self-signed certificate is created by the computer that is running Microsoft Exchange by using the underlying Windows Certificate API (CAPI). Because the certificates are self-signed, the resulting certificates are generally less trustworthy than certificates that are generated by a CA. Therefore, we recommend that you use self-signed certificates only for the following internal scenarios:

  • SMTP sessions between Hub Transport servers: A certificate is used only for encryption of the SMTP session. Authentication is provided by the Kerberos protocol.

  • SMTP sessions between Hub Transport servers and an Edge Transport server: A certificate is used for encryption of the STMP session and for direct trust authentication.

  • EdgeSync synchronization between Edge Transport servers and Active Directory: A certificate is used to encrypt the LDAP communication session between the ADAM instance on the Edge Transport servers and the internal Active Directory servers after the Microsoft Exchange EdgeSync service has replicated data from Active Directory to the ADAM instance on the Edge Transport server.

  • Unified Messaging communication: A certificate is used for encrypting Session Initiation Protocol (SIP) and Realtime Transport Protocol (RTP) traffic between UM servers and UM IP gateways, IP Private Branch eXchanges (PBXs), and computers that are running Office Communications Server 2007. The certificate is also used for encrypting SMTP traffic when voice mail or fax messages are submitted from UM servers to Hub Transport servers.

  • A Client Access server that is accessed only by internal clients.

External Client Access to Exchange Requires Certificates Issued by a Public CA

Internal Exchange components can rely on self-signed certificates because the certificates are not used for authentication. Authentication for most Exchange components is provided by Kerberos or NTLM. In communication between an Edge Transport server and a Hub Transport server, direct trust authentication is used. This is provided by a certificate and the fact that the Edge Transport server's public key is stored in Active Directory, which is a trusted store. Otherwise, self-signed certificates are used to provide an ephemeral key to encrypt data paths between Exchange components.

However, for external client access from the Internet into the network where Exchange is hosted, traditional certificate trust validation is required. It is a best practice to use a certificate issued by a public CA for trust validation. In fact, when certificate authentication is required, using a self-signed certificate is not a best practice and is strongly discouraged. We recommend that you use a certificate from a public CA for the following:

  • POP3 and IMAP4 client access to Exchange

  • Outlook Web Access

  • Outlook Anywhere

  • Exchange ActiveSync

  • Autodiscover

  • Domain Security

The best practice for all these is to use a public CA that is trusted by all clients by default.

Use the New-ExchangeCertificate cmdlet to generate a certificate request according to the specifications of the third-party public CA that will issue your certificate

For more information, see the following topics:

The rest of this section provides information about how to determine the type of public certificate that you must purchase and whether you must purchase multiple certificates to help secure the clients that your organization uses to access Exchange 2007.

Determining the Type and Number of Public CA-Issued Certificates for Your Deployment

Selecting the appropriate public CA-issued certificate for your organization depends on the following factors:

  • Client support of wildcard names in certificates   Ask yourself: What clients will I support? As mentioned earlier, "clients" in this context refer to clients that access Exchange from the Internet.

  • Your organization's namespace   How is your Internet-facing Internet Information Services (IIS) namespace configured?

  • Source of your certificate   Where will you obtain your certificate? Does the public CA you select support using wildcard characters in the Subject or Subject Alternative Name (SAN) fields? If not, does it support using SANs?

The following sections examine these factors more closely.

Client Support of Wildcard Names in Certificates

Wildcard names may be used in the Subject or SAN extensions of X.509 certificates. For more information about wildcard names, see "CertificateDomains" in Understanding Certificate Attributes and How Exchange 2007 Uses Them later in this topic.

After you have determined which clients your organization will support, it is helpful to determine whether the clients support certificates where wildcard names are used in the server certificate that the client is connecting to.

If your client supports using wildcard names in the certificate, the overall certificate planning for your organization is greatly simplified. If all your clients support wildcard names in certificates and your organization uses a single domain name, you do not have to consider namespace planning for your certificate deployment strategy. Instead, you can create a single certificate that supports your namespace with a wildcard character. For example, if clients that are running Outlook Web Access use mail.contoso.com/owa to access their mail, and POP3 clients use pop.contoso.com to access their mail, a single certificate with a wildcard Subject of *.contoso.com will support both clients.

The following Microsoft clients support wildcard names in certificates:

  • Outlook

    Note:
    When wildcard certificates are deployed across Exchange servers that are running the Client Access role, Autodiscover settings require some configuring to allow Outlook 2007 clients to connect successfully. To learn more about this issue and to resolve it, see Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere.
  • Internet Explorer (Outlook Web Access)

  • Exchange Edge Transport server (Domain Security)

Important:
Clients running Windows Mobile 5.0 do not support an encrypted channel to servers where wildcard names are used in the certificate.

If a client that your organization supports does not support wildcard names in the server certificate, and you have multiple client namespaces to support, you must either

  1. Purchase a certificate that contains multiple names, such as mail.contoso.com, pop.contoso.com, and mobile.contoso.com in the SAN extension.

  2. Purchase a certificate for each entity in the namespace that a client will connect to.

Planning for Your Organization's Namespace

All clients require a URL or a fully qualified domain name (FQDN) to connect to. Each path that clients connect to must be associated with a valid certificate that contains the host name, NetBIOS name, FQDN, or common name of the host that the client is connecting to. Determining the list of names to include on the certificate is the process of namespace planning.

Generally, namespace planning for large organizations that support many different clients and span multiple regions with multiple servers is more complex than namespace planning for smaller organizations.

You must understand certificate namespace planning so that you know which host names to include in the SAN extension of the certificate that you use to help secure inbound connections to Exchange 2007.

For more information, see Understanding Namespace Planning For Exchange Server 2007.

Where to Get Your Certificate

As previously mentioned, for external client access, we recommend purchasing a certificate from a public third-party CA.

As you evaluate certificate authorities, consider the following criteria:

  • Does the CA allow wildcard names in the certificate? If your clients can support wildcard names in the certificate, buying a certificate from a CA that supports wildcard names is the simplest method to deploy secured clients.

  • Does the CA support the SAN extension? It may make sense to use a certificate that supports multiple names in the SAN if the following conditions are true:

    • You must support clients that do not support wildcard names in the certificate.

    • You have more than a single host path that clients must connect to.

    Microsoft is partnering with public CAs to provide a Unified Communications certificate. For an up-to-date list of CAs that support Unified Communications certificates, see Microsoft Knowledge Base article 929395, Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007.

  • Is the CA providing a high level of authenticity-checking? Some CAs are very inexpensive. Other CAs cost hundreds of dollars a year for a certificate. Because you rely on the integrity of this certificate to authenticate inbound traffic to your organization, we recommend that you not select a public CA by cost alone. Carefully evaluate and compare the services that are provided by each CA and the reputation of each CA before you decide.

Return to top

Understanding Certificate Attributes and How Exchange 2007 Uses Them

Understanding the various attributes of certificates will help you understand how certificates are used by Exchange. This understanding, in turn, will help as you plan for certificate needs in your Exchange organization. This understanding will also help as you troubleshoot problems.

X.509 certificates have two types of attributes.

  • Certificate fields are attributes within the signed data of the X.509 certificate itself. These fields are integrity-protected by the signature, and their value cannot be altered without re-signing or reissuing the certificate.

  • Certificate properties are attributes which are metadata of the certificate or private key. Some properties are intrinsic to the certificate or private key, such as the thumbprint of the certificates. However, many properties can be altered without the certificate being re-signed.

    For example, the Enable-ExchangeCertificate cmdlet lets you add services to the properties of the certificates after they have been created. You can enable certificates for use by IIS, such as Outlook Web Access or Exchange ActiveSync, SMTP, such as direct trust or Domain Security, IMAP, POP, and Unified Messaging. Enabling a certificate for a particular service updates the certificate properties. For more information, see Enable-ExchangeCertificate.

You can view these attributes by running the Get-ExchangeCertificate cmdlet with the |FL argument on a given certificate. If you are running Exchange 2007 RTM, you must run the cmdlet with the |FL* argument to display all the attribute data.

Some fields and properties specified in the Get-ExchangeCertificate cmdlet output map to X.509 extension fields that can be viewed by using Certificate Manager in Microsoft Management Console (MMC). For more information about Certificate Manager, see How to Add Certificate Manager to Microsoft Management Console. For more information about the Get-ExchangeCertificate cmdlet, see Get-ExchangeCertificate.

Certificate Fields

As explained earlier, certificate fields are attributes within the signed data of the X.509 certificate itself. This section explains the certificate fields that are used by Microsoft Exchange services and displayed in the output of the Get-ExchangeCertificate cmdlet.

Some of these fields are also parameters that you can set when you create a new certificate or a certificate request with the New-ExchangeCertificate cmdlet. For more information about the New-ExchangeCertificate cmdlet, see New-ExchangeCertificate.

Each certificate field in this section is listed according to the output of the Get-ExchangeCertificate cmdlet. Each Exchange certificate field name in this section maps to an X.509 certificate extension name.

Issuer

This field contains the common name that identifies the certificate issuer. Self-signed certificates created by Exchange during setup or by the New-ExchangeCertificate cmdlet display cn=hostname where hostname is the name of the local server.

Certificates that are issued by CAs usually display the full common name of the CA in the Issuer field.

The X.509 certificate extension name is also Issuer.

The Issuer field does not have a corresponding parameter that you can set in the New-ExchangeCertificate cmdlet. The Issuer field is specified by the entity that issues the certificate.

Subject

This field identifies the subject of the certificate. Subject is an X.500 string that usually represents a single name that is used to access the service that uses the certificate. When a certificate is created by the New-ExchangeCertificate cmdlet, if the subject is not explicitly provided, Subject will be the first value that is listed on the DomainName parameter when you run the New-ExchangeCertificate cmdlet. The following X.500 fields may be present:

  • C = Country

  • ST = State

  • L = Location

  • O = Organization

  • OU = Organizational Unit

  • CN = Common Name

Some of these fields are required when generating certificate requests for third-party CAs. For an in-depth explanation of the Subject field, see Creating a Certificate or Certificate Request for TLS.

If you are running Microsoft Internet Security and Acceleration (ISA) Server 2006 in front of Exchange for bridging, make sure that you read the blog post, Certificates with Multiple SAN Entries May Break ISA Server Web Publishing, for more information about subject names and ISA Server behavior.

Note:
The content of Wikis and blogs and their URLs are subject to change without notice.

When Exchange generates a self-signed certificate without any user arguments, it creates a certificate that contains a subject name of CN=hostname.

The X.509 certificate extension name is also Subject.

You set the Subject field by specifying the SubjectName parameter in the New-ExchangeCertificate cmdlet.

CertificateDomains

The CertificateDomains field identifies all DNS domain names associated with a certificate. DNS domain names can be in either the common name (cn=) attribute of the Subject or in the SAN extension of a certificate. The output of Get-ExchangeCertificate cmdlet displays the union of the domain in the Subject field and any domains found in the SAN.

The values found in the CertificateDomains field may include the host name or FQDN that are used to access the server. To use a certificate, the FQDN that a client uses to connect to the server must appear on the CertificateDomains field for the certificate.

For example, if a client is connecting to a server by using POP3 with mail.fourthcofee.com as the server name, the certificate associated with the POP3 settings may contain mail.fourthcofee.com on its CertificateDomains field.

You might also find certificates with wildcard names, such as *.fourthcofee.com. This is an acceptable domain. However, you should be aware that some legacy clients and mobile devices do not support wildcard names on a certificate and therefore may not support using wildcard domains.

Note:
The SAN field is not exposed through Exchange directly. You can view it only in Certificate Manager in MMC or through the Internet Information Services (IIS) Manager. Certificates bound to a Web site, such as those used by IIS for Outlook Web Access, Exchange ActiveSync, or Autodiscover, are also viewable in IIS Manager.

For an in-depth explanation of how to use SANs and wildcard names in certificates, see Creating a Certificate or Certificate Request for TLS. Also, the Exchange Team Blog, Exchange 2007 lessons learned - generating a certificate with a 3rd party CA, contains practical advice on how to create a certificate request with multiple SANs.

Note:
The content of Wikis and blogs and their URLs are subject to change without notice.

The X.509 certificate extension name is Subject Alternative Name but, as noted earlier, the output of Get-ExchangeCertificate cmdlet also adds the value that is contained in the Subject certificate extension to the list of names in the CertificateDomains field.

You set the CertificateDomains field by specifying the DomainName and Subject parameters of the New-ExchangeCertificate cmdlet.

NotBefore and NotAfter

The values in the NotBefore and NotAfter fields represent a date range in which the certificate is valid for use. If the current date falls after the NotAfter date, the certificate is considered expired. Microsoft Exchange can still use expired certificates, but clients will generate warnings and the server will log appropriate events into the event log.

The X.509 certificate extension name that maps to the NotBefore value is Valid from. The X.509 certificate extension name that maps to NotAfter is Valid to.

The NotBefore and NotAfter fields do not have corresponding parameters that you can set in the New-ExchangeCertificate cmdlet. These fields are defined by the entity that issues the certificate. Self-signed certificates that are generated by Exchange setup or by the New-ExchangeCertificate cmdlet are valid for one year.

CertificateRequest

This value is present only on certificates that are still in the request state. Certificate Requests are not valid X.509 Certificates and therefore will not be used by Exchange.

The CertificateRequest field is enabled by specifying the GenerateRequest parameter switch of the New-ExchangeCertificate cmdlet.

Certificate Properties

As explained earlier, certificate properties are attributes which are metadata of the certificate or private key. Some properties are intrinsic to the certificate or private key such as the thumbprint of the certificates but many properties can be altered without the certificate being re-signed.

Except for the Thumbprint property, no Exchange certificate properties correspond to an X.509 certificate extension.

This section explains the certificate properties.

IsSelfSigned

The IsSelfSigned property indicates whether a certificate is self-signed. A self-signed certificate is usually a root certificate. This is a certificate that has no other certificates in the certificate chain. The self-signed certificate in Exchange usually refers to the following kinds of certificate:

  • A certificate that is generated when Exchange is installed on a server where no qualifying certificate is present,

  • A certificate that results from running the New-ExchangeCertificate cmdlet.

When the Hub Transport, Edge Transport, Unified Messaging, or Client Access server roles are installed, a self-signed certificate is generated by Exchange Setup. If a valid certificate exists in the Personal certificate store on the host computer, the existing certificate will be used and the self-signed certificate generated by Exchange Setup will not be used. The valid values are True or False.

RootCAType

The RootCAType property identifies the type of CA that issued the certificate. If the IsSelfSigned parameter is set to True, the value of the RootCAType property should be None. Otherwise, the certificate could cause unexpected results to occur in the certificate selection process. Other possible values are as follows:

  • Registry   An internal, private PKI root CA that has been manually installed in the certificate store.

  • ThirdParty   A public, third-party root CA.

  • GroupPolicy   An internal, private PKI root CA that has been deployed with Group Policy.

  • Enterprise   An internal, private PKI root CA that has been deployed with Active Directory.

  • Unknown   Exchange is unable to determine the type of certificate that is installed.

Understanding how the root CA certificate has been installed on a computer may help you diagnose inconsistent trust policies. Such inconsistencies may cause certificates to validate on some servers but not on other servers.

For example, a value of Registry indicates that someone has manually installed the certificate on one server. This may cause inconsistencies if the certificate has not been installed on other servers in the organization. We recommend distributing certificates to all computers by using Group Policy or Active Directory.

Services

The Services property identifies the services with which this certificate can be used. The valid values are SMTP, POP, IMAP, UM, and IIS.

You set the value in the Services field by specifying the Services parameter on the Enable-ExchangeCertificate cmdlet. For more information, see Enable-ExchangeCertificate.

Status

The Status property identifies whether the certificate is valid. The Status field is very helpful when you are troubleshooting certificate problems. If the Status value for a given certificate is not Valid, that certificate will not be used by the Exchange server for any services. Values for the Status property include the following:

  • Unknown   This status generally indicates that the status of the certificate cannot be verified because the certificate revocation list (CRL) is unavailable or this server cannot connect to it. Make sure that the computer can connect to the Certificate Revocation Authority. For more information, see How to Configure Proxy Settings for WinHTTP.

  • Valid   The certificate is working correctly.

  • Revoked   The CRL has indicated that this certificate has been revoked. You must generate a new certificate.

  • DateInvalid   This status indicates that the system time is incorrect, the certificate has expired, or the time of the system that signed the file is incorrect. Verify that the following conditions are true:

    • The local computer clock is accurate.

    • The certificate has not expired.

    • The sending system clock is accurate.

    If the certificate has expired, you must generate a new certificate.

  • Untrusted   This status indicates that the certificate is not self-signed. However, it is signed by a CA that is not trusted by the local computer. You must add the CA certificate to the Trusted Root Certification Authorities store on the computer. For more information about how to manually add certificates to the local certificate store, see the Help file for Certificate Manager in MMC.

  • Invalid   Some other issue has invalidated this certificate, such as an untrusted, invalid, or revoked certificate somewhere in the certificate path.

For more troubleshooting information, see the following topics:

HasPrivateKey

The HasPrivateKey property indicates whether the installed certificate has a private key. This is very important because the Microsoft Exchange Transport service, Microsoft Exchange POP3 service, and Microsoft Exchange IMAP4 service will not use a certificate that does not have a private key.

Thumbprint

The Thumbprint property is a unique string that identifies the certificate. If the same certificate is installed on multiple Exchange servers, you can identify them by their thumbprint. The same certificate is usually installed on multiple Exchange servers when multiple Edge Transport servers are accepting mail with the same FQDN, such as mail.fourthcoffee.com. It’s much more cost efficient to install the same certificate on multiple servers than to request new certificates for each server. However, the certificate must have an exportable private key.

The Thumbprint property is used to specify a certificate for the following cmdlets:

The X.509 certificate extension name that maps to the Thumbprint property is also Thumbprint.

Return to top

Certificate Trust and Validation

To use a certificate for authentication, the certificate must be validated and trusted.

To validate a given X.509 certificate, you must trust the root CA that issued the certificate. A root CA is the most trusted CA. This is at the top of a CA. The root CA has a self-signed certificate. When you run an application that relies on certificate authentication, each certificate must have a certificate chain that ends in a certificate in the trusted root container of the local computer. The trusted root container contains certificates from root CAs.

A certificate is chained to a CA by another certificate. That certificate could also have been issued by a CA and therefore would be chained to it. This chaining of certificates is also known as the certification path. Every certificate in the certification path must be valid for the certificate to be valid. Also, the certificate at the top of the chain must be a trusted root CA.

There are two types of trusted root CAs that you can use to implement applications that rely on certificate authentication: third-party public root CAs and private root CAs.

Third-Party Public Root Certification Authorities

Windows, Windows Mobile, and various third-party operating systems include a set of built-in third-party public root CAs. If you trust the certificates issued by these third-party public root CAs, you can verify certificates issued by these CAs.

Trust is automatic if the following conditions are true:

  • Your organization uses the default Windows installation,

  • The client software and mobile devices used in your organization also trust the built-in third-party public root CAs,

In this case, additional trust configuration is not required.

Private Trusted Root Certification Authorities

A private trusted root CA is a root CA that has been deployed by a private or internal PKI. For example, when your organization has deployed an internal PKI with its own root certificate, you must make additional trust configurations.

Generally, it is not a best-practice to use certificates issued by a private PKI for client applications that support external connections into your organization.

When private root CAs are used, you must update the Windows Trusted Root certificate store on all devices, clients, and Windows operating systems where certificate authentication is required.

You can configure trust in two ways: direct root trust and cross-certification.

Direct Root Trust

If you want to trust a certificate that has been issued by a private root CA, you can manually add that root certificate to the Trusted Root certificate store on a computer that is running Windows. In some cases, you can add a root certificate to the trusted root store of mobile clients also. For more information about how to manually add certificates to the local certificate store on a computer that is running Windows, see the Help file for Certificate Manager in MMC. For more information about how to install certificates on Windows Mobile devices, see How to install root certificates on a Windows Mobile-based device.

Important:
You probably won't be able to install certificates on all computers and devices that users will use to access Exchange. For example, some users may try to access Outlook Web Access from a kiosk or from a friend's computer. In this scenario, users receive a warning but are not prevented from accessing their mail. Because this behavior, in effect, trains users to ignore certificate warnings, it is not a best practice. Therefore, using certificates issued from trusted third-party CAs is a best practice.
Cross-Certification

Cross-certification occurs when one CA signs a certificate that is generated by another CA. Cross-certification is used to build trust from one PKI with another PKI. If you have your own PKI, instead of using direct manual trust for a root CA of another private PKI, you can create a cross-certificate for the other CA under your root CA. In this case, trust is established because the cross-certificate ultimately chains back to your trusted root CA.

Configuring Access to the Certificate Revocation List

When a specific service, such as the Microsoft Exchange Transport service in the SMTP/TLS scenario or IIS in the HTTPS scenario, retrieves a certificate, the service validates the certificate chain and validates the certificate. Validation of the certificate is a process in which many attributes of the certificate are confirmed. Most of these attributes can be confirmed on the local computer by the application that requests the certificate. For example, the intended use of the certificate, the expiration dates on the certificate, and similar attributes are verifiable outside the context of a PKI. However, verification that the certificate has not been revoked must be validated with the CA that issued the certificate. Therefore, most CAs make a certificate revocation list (CRL) available to the public to validate the revocation status.

To successfully authenticate with certificates, CRLs for CAs that you use must be available to the services that are authenticating the client. If the revocation check fails, the authenticating service will fail.

Your authenticating servers must be able to access CRLs for external CAs.

All public CAs have publicly available CRLs that your organization's servers can contact. In some cases, CRLs for private, internal PKIs are available only with Lightweight Directory Access Protocol (LDAP). In most cases, with public CAs, CRLs are published by using HTTP. Make sure that the appropriate outbound ports and proxies are configured to let your servers and clients to contact the CRL. You can determine which protocol a given CRL distribution point accepts by opening a certificate in MMC and viewing the CRL Distribution Points field.

In some cases, you may have to make the CRL for the CA that issues your certificates publicly available. For example, if you are deploying Domain Security, you must understand that even when an Edge Transport server retrieves a certificate from your own organization, it validates the certificate chain to validate the certificate. Therefore, the CRL for your CA must be available to your own Edge Transport servers. In addition, all partners that you exchange domain-secured e-mail with must be able to access the CRL for the CA that issues your certificates.

Configuring Proxy Settings for WinHTTP

Exchange 2007 servers rely on the underlying Windows HTTP Services (WinHTTP) to manage all HTTP and HTTPS traffic. For example, both Hub Transport servers and Edge Transport servers may use HTTP to access updates for Exchange 2007 Standard Anti-spam Filter Updates and the Microsoft Forefront Security for Exchange Server anti-spam update service. All Exchange server roles will use WinHTTP to enable CRL validation.

For more information, see How to Configure Proxy Settings for WinHTTP.

Testing the PKI and Proxy Configuration

To verify your PKI and proxy configuration for a specific Exchange server, use Certutil.exe to verify the certificate chain for the server certificate. Certutil.exe is a command-line tool that is installed as part of Certificate Services in Windows Server operating systems. For more information, see How to Test PKI and Proxy Configuration.

Return to top

Creating, Importing, and Enabling Certificates

There are several ways to obtain a certificate that is installed and operational on Exchange 2007. Your choice of method depends on your needs. Exchange 2007 generates a set of self-signed certificates to enable the default configuration to be secured. This should be renewed over time to help ensure security of the system. Exchange does not automatically generate requests for signing by certificate authorities. Whether you want to create a new self-signed certificate or a certificate request for a certification authority, both methods use the same cmdlet.

This section provides an overview of the operations that you can perform on certificates that are used by Exchange 2007. Read this section if you are not familiar with the ExchangeCertificate cmdlets. Application-specific examples and procedures are provided later in this document, using POP3 as an example. This section also provides links to application-specific documentation.

Certificate Cmdlets

In earlier versions of Exchange Server, all certificate management was done through IIS and Certificate Manager in MMC. In Exchange 2007, you perform most certificate management tasks that relate to Exchange by using the following ExchangeCertificate cmdlets with the Exchange Management Shell:

For more information about how to create certificate requests for certification authorities, see Creating a Certificate or Certificate Request for TLS.

The following sections provide short examples to illustrate how you can use the ExchangeCertificate cmdlets to perform common certificate tasks. For more information and examples, see the ExchangeCertificate cmdlet Help under Global Cmdlets.

Generating Self-Signed Certificates

To generate a self-signed certificate for use by the SMTP service for a server that has the host name of Server1 and a domain of fourthcoffee.com, run the following command:

Copy Code
New-ExchangeCertificate -DomainName "server1.fourthcoffee.com", "server1" -Services "SMTP"

Cloning Self-Signed Certificates

If an existing self-signed certificate has to be renewed, you can clone it by running the following command:

Copy Code
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate

The thumbprint placeholder is the thumbprint of the certificate to be renewed. The services for the new certificate can also be specified in the command as follows:

Copy Code
Get-ExchangeCertificate <thumbprint> | New-ExchangeCertificate -Services SMTP,POP,IMAP

You can then enable this certificate by running the following command:

Copy Code
Enable-ExchangeCertificate <thumbprint>

Creating Certificate Requests and Installing Trusted Certificates

Installing a public, third-party certificate is a more complex process. You must generate a certificate request, import the issued certificate and all the necessary CA certificates, and then enable the issued certificate for its intended use or uses.

This section provides an example of how to enable the POP3 service for certificate use. In this example, clients connect to the POP3 service by connecting to the FQDN, popserver.fourthcoffee.com.

Certificate Request

Because the resulting certificate comes from a public, third-party CA, you must first generate a certificate request by running the following command:

Copy Code
New-ExchangeCertificate -DomainName popserver.fourthcoffee.com -SubjectName "c=us,o=contoso corp, cn=popserver.fourthcoffee.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"

If the certificate request is correctly generated, a certificate request file (.cer or .der) will be created in the root of the system drive and the Exchange Management Shell will display a Thumbprint for the request.

Note:
Certificates returned by providers will support different extensions for the certificate request file, such as .der or .cer. These extensions represent the encoding method that is used on the certificate file. By default, the New-ExchangeCertificate request will create a Base64-encoded file (.cer). Use the BinaryEncoded parameter switch to create a .der file.

In the previous command, the PrivateKeyExportable parameter is set to $True so that this certificate can be exported together with the private key for use on multiple Exchange servers that may have to be accessed by using the same FQDN. For example, multiple Client Access servers may be load-balanced to support POP3 connections.

Note:
The PrivateKeyExportable parameter is optional. You should specify it only when you generate certificate requests for trusted CAs. By setting the PrivateKeyExportable parameter to $True, you can move and archive the certificate and the associated keys. You do not have to do this with self-signed certificates.

The previous command also specifies the Subjectname parameter as an X.500 name. Most third-party CAs require that you specify a valid X.500 name for the Subject name of the certificate. At a minimum, most CAs require that the organization listed in the organizationName (o=) field owns the domain name that appears in commonName (cn=) of the Web server.

After the request is completed, the request file can be submitted to a certificate vendor to obtain a certificate.

Note:
The Get-ExchangeCertificate cmdlet returns certificates and also certificates that are still pending requests. To differentiate between the two, certificate requests contain a CertificateRequest attribute that displays the output that is stored in the certificate request file. This output may be useful if you accidentally delete the certificate request file or generate the request without the parameter. The CertificateRequest data is base64-encoded and can be copied into a file and sent to your CA for a certificate request.
Importing a Certificate

After a certificate is returned from a CA, you must import it to the Exchange server. To correctly import a certificate for which a request was generated by using the New-ExchangeCertificate cmdlet, run the following command:

Copy Code
Import-ExchangeCertificate -Path "C:\CertificateFile.cer"

If the certificate is successfully imported, this command will return a certificate thumbprint that you can use to enable specific services.

Important:
You must import the certificate onto the same computer where the certificate request was generated. Also, do not use Certificate Manager in MMC to import Exchange certificates.
Enabling a Certificate

Enabling a certificate lets you specify which services can use a specific certificate. The following command enables the issued certificate for the POP3 service:

Copy Code
Enable-ExchangeCertificate <thumprint> -Services:"POP"

You can import and enable a certificate at the same time by running the following command:

Copy Code
Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services:"POP"
Validating Certificate Installation

To confirm that all required steps have been completed and the certificate is installed and operational, run the following command:

Copy Code
Get- ExchangeCertificate <thumbprint> | fl *
Note:
If you are running Exchange 2007 SP1 or later versions, do not include the asterisk (*) on the command argument.

The output of this command returns data similar to the following:

Copy Code
AccessRules		: {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule,System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {popserver.fourthcoffee.com, fourthcoffee.com}
HasPrivateKey	: True
IsSelfSigned	 : False
Issuer			 : CN=3rdPartyCAExample.com
NotAfter		 : 8/7/2008 10:04:02 AM
NotBefore		: 8/7/2007 10:04:02 AM
PublicKeySize	: 2048
RootCAType		 : ThirdParty
SerialNumber	 : 83FAE8B2398F2A9E44485CBA85D548DF
Services		 : POP
Status			 : Valid
Subject			: C=us,o=contoso corp, CN=fourthcoffee.com 
Thumbprint		 : 257C327A164ED8A6FCDAFCA7789D29B60369DCA7

Inspect the output of this command to validate that the following information is true:

  • The domain names that you expect to be present are listed in the CertificateDomains field.

  • The HasPrivateKey property is set to True.

  • The RootCAType property is set correctly. For more information about the RootCAType property, see Certificate Properties earlier in this document.

  • The required services are enabled for the certificate.

  • The Status is set to Valid.

Certificate Services

Services, such as POP, IMAP, IIS, and SMTP, can be enabled on a certificate. Services are not fields in the certificate itself. They are metadata properties of the certificates. Therefore, you can change them without invalidating the certificate.

When services are enabled, configuration changes occur on other components, such as in the IIS Metabase, the file system, or on the IMAP4 and POP3 settings. This section describes the configuration changes that occur when you enable a given service by running the Enable-ExchangeCertificate cmdlet.

POP and IMAP

When POP and IMAP are added as additional services to a certificate, the x509CertificateName attribute on the POPSettings object or IMAPSettings object is updated to include the domain in the subject of the certificate.

For example, to verify that the POPSettings object has been updated, run the following command

Copy Code
Get-POPSettings | fl *
Note:
If you are running Exchange 2007 SP1 or later versions, do not include the asterisk (*) on the command argument.

IIS

When IIS is enabled, the default IIS Web site is updated to use this specific certificate.

You can enable a certificate for IIS by using the Enable-ExchangeCertificate cmdlet for the default IIS Web site only. If you are hosting Outlook Web Access or Autodiscover on Web sites other than the default IIS Web site, you must use IIS Manager to associate a specific certificate with those Web sites.

SMTP

When the SMTP service is enabled on a certificate, the Network Service account is granted Read access to the appropriate private key file in the Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory. This action provides the permission required for the Microsoft Exchange Transport service to access and use the private key to decrypt messages that are secured by TLS.

Microsoft Exchange Unified Messaging Service

When the Microsoft Exchange Unified Messaging service is enabled on a certificate, the certificate property is updated to include Unified Messaging. The certificate is used when the following conditions are true:

  • The Unified Messaging server role is installed on the computer.

  • The certificate contains the physical FQDN of the local computer in the CertificateDomains certificate field.

Return to top

Certificate Selection

Certificate selection is a process that Exchange components perform to determine which certificate should be used for an incoming connection. SMTP STARTTLS, POP3, and IMAP4 all perform a similar selection process to determine which certificate to use for a particular session. This process is fairly deterministic. However, it can be confusing, especially when more than one certificate is installed on the computer.

This section describes the certification selection process for SMTP STARTTLS, SMTP X-AnonymousTLS, POP3, and IMAP4. For more information about transport-specific certificate selection, see SMTP TLS Certificate Selection.

SMTP STARTTLS

STARTTLS is the SMTP verb that initiates a secure TLS session. STARTTLS is only advertised by Exchange if a valid certificate exists on the computer that is running Exchange.

To advertise or use STARTTLS, Exchange selects a certificate based on the FQDN and a matching value in the CertificateDomains field of a certificate. The FQDN is based on the following information:

  • Outbound STARTTLS   The certificate is selected based on the value of FQDN on a Send connector.

  • Inbound STARTTLS   The certificate is selected is based on the value of FQDN on a Receive connector.

    Note:
    For outbound STARTTLS and inbound STARTTLS, if the FQDN of the connector is not specified, the physical FQDN of the Exchange server is used for the match.

After the FQDN is determined, Exchange searches Personal certificate store on the host computer for all valid certificates. A certificate is valid for TLS use if it meets all the following requirements:

  • The Enhanced Key Usage field contains either the Server Authentication object identifier (also known as OID) or is null.

  • The PKI certificate extension lists an RSA key with a minimum of 1024 bits.

  • The certificate validates the certificate chain up to a trusted root, or the certificate is self-signed.

  • The certificate and certificate chain passes the revocation check.

  • The private key is present and available.

  • The private key is not stored in a removable device.

  • The private key is not protected with a password.

If more than one valid certificate is found, Exchange selects a certificate based on the following criteria:

  • The value in the NotBefore field   Exchange selects the newest valid certificate.

  • Certificates issued by a trusted CA vs. self-signed certificates   Exchange selects certificates issued by a trusted CA over self-signed certificates.

In most cases, Exchange selects a certificate issued by a trusted CA over a self-signed certificate regardless of the age of the certificate. If a valid certificate is not found, STARTTLS is not advertised.

SMTP X-AnonymousTLS

X-AnonymousTLS is used to help secure communication between two Hub Transport servers and between Hub Transport servers and Edge Transport servers. In Exchange 2007 SP1, the certificate selection process has been simplified so that if no certificate is found, a temporary encryption key is generated for the session.

Exchange searches for an internal transport certificate. If a valid internal transport certificate cannot be found, Exchange searches for a valid CA certificate.

Therefore, for Hub-to-Hub communication where the Kerberos protocol is used for authentication, the absence of a valid internal transport certificate does not fail the SMTP session. The SMTP session is encrypted by using the temporary encryption key. In this case, an event is logged and you must create a new internal transport certificate by running the New-ExchangeCertificate cmdlet without arguments on the computer that is generating the event.

For Hub-to-Edge communication, where the Edge Transport server is subscribed to the organization, if a valid internal transport certificate is not found, the session fails and an error is logged. In this case, you must run the New-ExchangeCertificate cmdlet without arguments on the computer that generates the event and then run the Microsoft Exchange EdgeSync service again.

POP3 and IMAP4

As with the certificate selection process for SMTP STARTTLS, in the process for POP3 and IMAP4, Exchange must select a FQDN and find a certificate based on a matching value in the CertificateDomains field. The FQDN is chosen on the basis of the X509CertificateName attribute in the POP3 or IMAP4 service settings. You can view the X509CertificateName attribute by running the Get-POPSettings cmdlet or the Get-IMAPSettings cmdlet. For more information, see Get-POPSettings and Get-IMAPSettings.

The selection process for POP3 and IMAP4 in Exchange 2007 SP1 is the same as the process for SMTP STARTTLS.

Note:
In Exchange 2007 RTM, there are two major exceptions in the certificate selection processes for POP3 and IMAP4. Certificates issued by a trusted CA are not preferred over self-signed certificates. Instead, Exchange 2007 selects the newest certificate. Also, in Exchange 2007 RTM, POP3 and IMAP4 do not support wildcard domains on certificates. This means that if the X509CertificateName attribute is set to mail.fourthcoffee.com for either the POP3 settings or IMAP4 settings, Exchange 2007 will not support a certificate that only contains *.fourthcoffee.com as a certificate domain.

Unified Messaging

If the Microsoft Exchange Unified Messaging service is started in Secured mode, it will query the local Personal certificate store to find a valid certificate to use for TLS to enable encryption. The Microsoft Exchange Unified Messaging service will first look for a valid certificate that has been issued by a private PKI or a public CA. If an appropriate certificate is not found, it will look for a self-signed certificate. If no PKI, public, or self-signed certificate is found, the Microsoft Exchange Unified Messaging service creates a self-signed certificate to use to start in Secure mode. If the UM server is starting in Unsecured mode, no certificate is needed.

All the details of the certificate that is used to start in Secured mode are logged whenever a certificate is used or if the certificate has changed. Some details that are logged include the following:

  • Issuer Name

  • Serial Number

  • Thumbprint

The thumbprint is the Secure Hash Algorithm (SHA1) hash. It can be used to uniquely identify the certificate that is used. You can export the certificate that is used by the Microsoft Exchange Unified Messaging service to start in Secured mode from the local certificate store and import this certificate onto the Unified Messaging IP gateways and IP PBXs on your network into the trusted certificate store.

After an appropriate certificate has been found and used, the Microsoft Exchange Unified Messaging service logs an event one month before the certificate that is being used expires. If you do not make any changes to the certificate during this time, the Microsoft Exchange Unified Messaging service logs an event each day until the certificate expires and each day after the certificate has expired.

When the Unified Messaging server looks for a certificate to use for mutual TLS to establish an encrypted channel, it looks in the trusted root certificate store. If there are multiple certificates that are valid and from different issuers, the Unified Messaging server selects the valid certificate that has the longest time remaining before expiration. If multiple certificates exist, the Unified Messaging server selects the certificates based on the issuer and the date that the certificate will expire. The Unified Messaging server looks for a valid certificate in the following order of preference:

  1. PKI or public certificate with the longest expiration period.

  2. PKI or commercial certificate with the shortest expiration period.

  3. Self-signed certificate with the longest expiration period.

  4. Self-signed certificate with the shortest expiration period.

Return to top

For More Information