As we discussed in our previous article, properly configured security certificates are the key to secure communication over the Internet. And nowhere is security more important than your email system. If you host your own Exchange server, and you allow access to it over the Internet through OWA or EAS, it’s important that you configure a secure, trusted certificate to protect the information that your users transmit to it.
Create a Certificate Signing Request
The first step to installing a certificate for Exchange is to create a Certificate Signing Request. The CSR contains all of the details for the certificate, including the hostnames that it authenticates. You can then send the CSR to a commercial Certificate Authority who can generate a certificate for you.
Exchange has a wizard that will walk you through creating the CSR. First, log in to the Exchange Admin Center and navigate to Servers > Certificates. Choose the server where you will be installing the cert, and choose Add. The wizard will open; make sure that the “Create a request for a certificate authority” option is selected. Click Next.
Enter a friendly name for the certificate and click Next. Since we won’t be creating a wildcard certificate, click Next again. Then, choose the Exchange server where the certificate will be stored and click Next.
The next screen will let you enter the internal and external hostnames that will use this certificate. If you only use a single hostname for both internal and external access (e.g. mail.company.com), you don’t need to enter anything here. But if some of your external services, like OWA, use a different external address, enter these here and click Next.
On the next screen, review the Subject Alternative Names (SANs) that will be created for your cert. Select one of them to be the certificate’s Common Name (CN), then click Next.
On the next page, you’ll enter information about your company or organization. Check with the CA you’re using to determine which of these fields are important -- most will care about the Company Name and the Country/Region fields, at a minimum.
Finally, on the next page, choose a location to save the CSR file. This needs to be a network share UNC path.
Send the Certificate Request to a CA
Next, you’ll need to send the CSR to a Certificate Authority. There are many certificate authorities to choose from, such as VeriSign, Comodo, Symantec, and others. They’ll generally charge between $50-100 per year for the certificate, and will provide you with detailed instructions on submitting your CSR and receiving the certificate file.
Install the Certificate and Enable It
Once you’ve received the certificate from the CA, you’ll need to go back into the Exchange Admin Center (EAC) to complete the signing request and install the certificate.
In EAC, go to Servers > Certificates, and select the server where you created the signing request. Click the certificate request that you created (it should be listed as “Pending”).
The Complete Pending Request page will open. Enter the UNC path to the certificate file, and click OK.
Once the certificate is installed, you’ll need to tell Exchange to use the cert for the services you choose. In EAC > Servers > Certificates, select the Exchange server where you installed the cert. Then, select the certificate you installed and click Edit. There, you’ll be able to select the services that will use the certificate.
- IIS includes all Exchange services that are delivered over HTTP -- Outlook Web Access, Exchange ActiveSync, MAPI over HTTP, and many others.
- POP, IMAP, and SMTP are standard legacy mail protocols.
After you’ve selected the services you need, click Save. You may need to restart IIS in order for it to begin using the new certificate. Then, log in to OWA to verify that it’s using your new certificate.
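The same procedure can be run from the Exchange Management Shell, which also lets you check the result before users see it. The script below is an added example, not part of the original article; the server name, hostnames, organization details, and share path are placeholders to replace with your own.

```powershell
# Added example: every name below is a placeholder (EX01, mail.company.com, \\fileserver\certs).
$server    = 'EX01'
$hostnames = 'mail.company.com', 'autodiscover.company.com'
$share     = '\\fileserver\certs'

# 1. Create the CSR. The first hostname is used as the Common Name;
#    every hostname in -DomainName is added as a SAN.
#    The private key stays on the server and is marked non-exportable.
$csr = New-ExchangeCertificate -GenerateRequest -Server $server `
    -FriendlyName 'Exchange public certificate' `
    -SubjectName "C=US, O=Company Inc, CN=$($hostnames[0])" `
    -DomainName $hostnames -KeySize 2048 -PrivateKeyExportable $false
[System.IO.File]::WriteAllBytes("$share\exchange.req",
    [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. After the CA returns the signed certificate (saved here as exchange.cer),
#    complete the pending request on the same server that holds the private key.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes("$share\exchange.cer"))

# 3. Bind the certificate to the services that should present it.
#    Add SMTP, POP, or IMAP to the list only if those services are in use.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# 4. Verify: the certificate is valid, covers every hostname clients use,
#    and is not close to expiry.
$installed = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$covered   = @($installed.CertificateDomains | ForEach-Object { "$_" })
$missing   = $hostnames | Where-Object { $covered -notcontains $_ }

if ($missing) {
    Write-Warning "Hostnames not covered by a SAN: $($missing -join ', ')"
}
if ($installed.Status -ne 'Valid') {
    Write-Warning "Certificate status is $($installed.Status), expected Valid"
}
if ($installed.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($installed.NotAfter)"
}
$installed | Format-List Subject, CertificateDomains, Services, Status, NotAfter, Thumbprint
```

A hostname reported as missing in step 4 will produce certificate warnings for clients that connect with that name, so reissue the certificate with the full SAN list rather than enabling it as is.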
E-N Computers is ready to help you with all of your IT needs, including Exchange configuration and maintenance. Contact us today to find out how we can help your business stay connected and secure.