Exchange 2007 3rd Party Certificate

I’ve set up plenty of self-signed certificates for Exchange. Most places don’t mind if the certificate throws a warning when users visit the webmail site (OWA), but they do mind when Outlook users get an error saying the name on the certificate is invalid.

This customer had the default self-signed certificate installed on a standard Exchange 2007 server. CRM 4 requires an SSL/TLS connection to Exchange. While we could have created another internal certificate with -PrivateKeyExportable:$true and copied it to the CRM server, the customer also wanted to get rid of the invalid-certificate warning when browsing to the Outlook Web Access site.

Obviously replace “domain.tld” with your actual information.

Create the certificate request:

Open the Exchange Management Shell on the Exchange server
New-ExchangeCertificate -DomainName webmail.domain.tld,other.domain.tld,autodiscover.domain.tld -FriendlyName "Site Webmail Certificate" -GenerateRequest:$True -Keysize 2048 -path c:\Webmailcertificate.txt -privatekeyExportable:$true -subjectName "c=US, o=CompanyName Inc., OU=IT, L=City, S=State, CN=webmail.domain.tld"
The -PrivateKeyExportable:$true switch is only there because this certificate also has to be exported to the CRM server. If the key never has to leave the Exchange box, leave the switch off; a non-exportable key is the safer default.

Purchase the site certificate:

Go to your favorite SSL supplier (Verisign, Thawte, etc.) and purchase an SSL certificate. A standard (non-EV) certificate is fine for this mostly internal-only site, but because the request carries several names, pick a product that supports Subject Alternative Names (usually sold as a UCC/SAN certificate); a single-name certificate only covers the CN.
Paste the contents of c:\Webmailcertificate.txt (the Base64 request block) into the order form when asked
After the certificate has been issued, download the .crt certificate and the intermediate Certificate Authority files

Install your certificate:

First install the intermediate CA certificate(s) into the local computer’s Intermediate Certification Authorities store (Certificates MMC snap-in, Computer account), otherwise clients that don’t already have them will get a chain error even though the leaf certificate is fine.
Back in the Exchange Management Shell
Import-ExchangeCertificate -path c:\webmailcertificate.crt (the issued certificate you downloaded from the CA, not the request .txt file)
Get-ExchangeCertificate
Copy the Thumbprint of the NEW certificate (probably the one with “…..” listed under Services, meaning no services are enabled on it yet)
Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint 896B74B2YourExchangeThumbprintFC6A7
Only list the services this server actually hosts; drop UM if the Unified Messaging role isn’t installed.
Answer Y for Yes if prompted to overwrite the existing default SMTP certificate
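The request and install steps above, wrapped in the checks I’d want before paying for a certificate and before enabling it. This is an added example, not the post’s original commands: it verifies the generated request actually carries every name in its Subject Alternative Name extension, installs the intermediate, imports the issued certificate and confirms it chains to a trusted root before Enable-ExchangeCertificate runs. The name list, subject, file paths, the intermediate’s file name and the service list are assumptions you change to match your environment. Run it in the Exchange Management Shell on the Client Access Server.

```powershell
# Added example (not from the original post). Assumed values: change them.
$publicNames  = @("webmail.domain.tld", "autodiscover.domain.tld")   # assumed SAN list
$subject      = "c=US, o=CompanyName Inc., OU=IT, L=City, S=State, CN=webmail.domain.tld"
$requestFile  = "c:\Webmailcertificate.txt"
$issuedCert   = "c:\webmailcertificate.crt"   # assumed: the .crt downloaded from the CA
$intermediate = "c:\intermediate.crt"         # assumed: the CA's intermediate certificate
$services     = "IIS, SMTP, POP, IMAP"        # assumed: only services this server hosts

# Step 1: generate the request. -PrivateKeyExportable is only needed because the
# same certificate must later be exported to the CRM server; omit it otherwise.
New-ExchangeCertificate -GenerateRequest:$true -KeySize 2048 `
    -SubjectName $subject -DomainName $publicNames `
    -FriendlyName "Site Webmail Certificate" -Path $requestFile -PrivateKeyExportable:$true

# Step 2: decode the PKCS#10 request and confirm every name is in the SAN
# extension. certutil prints SAN entries as "DNS Name=<host>".
$dump = certutil -dump $requestFile | Out-String
$missing = @()
foreach ($n in $publicNames) {
    if ($dump -notmatch ("DNS Name=" + [regex]::Escape($n))) { $missing += $n }
}
if ($missing.Count -gt 0) {
    throw ("Request is missing SAN entries: " + [string]::Join(", ", $missing))
}
Write-Host "Request carries all expected names; paste $requestFile into the CA's order form."

# ---- run the rest after the CA has issued the certificate and you downloaded it ----

# Step 3: put the intermediate into the machine's Intermediate Certification
# Authorities store (certutil calls it "CA") so the server can send the full chain.
certutil -addstore CA $intermediate | Out-Null

# Step 4: build the chain for the ISSUED certificate (the .crt, not the request)
# before touching Exchange. Revocation is skipped here so it works offline.
$x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $issuedCert
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($x509)) {
    $chain.ChainStatus | ForEach-Object { Write-Host ("  chain problem: " + $_.StatusInformation) }
    throw "Issued certificate does not chain to a trusted root; fix the intermediate before importing."
}

# Step 5: import it, make sure Exchange sees it, then enable it for the services.
Import-ExchangeCertificate -Path $issuedCert | Out-Null
$exCert = Get-ExchangeCertificate -Thumbprint $x509.Thumbprint
if ($exCert -eq $null) { throw "Import succeeded but Exchange cannot find thumbprint $($x509.Thumbprint)" }
Write-Host ("Enabling " + $x509.Thumbprint + " (" + $x509.Subject + ") for: " + $services)
Enable-ExchangeCertificate -Thumbprint $x509.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $x509.Thumbprint | Format-List Thumbprint, Services, CertificateDomains
```

The chain check is the part most people skip: Exchange will happily import and enable a certificate whose intermediate is missing, and the result is a warning that looks exactly like the self-signed one you were trying to remove.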

Now your webmail access (OWA) should no longer have a certificate issue. However, if the name on the certificate is DIFFERENT from the internal FQDN of your Exchange server, you will have issues INTERNALLY: every Outlook client will report that the certificate is invalid because the names do not match. This is because Autodiscover still hands Outlook internal URLs that point at exchange07.domain.local, while the certificate the server now presents is for webmail.domain.tld.

To fix this issue:

Once again, in the Exchange Management Shell
Get-ClientAccessServer
Copy the server name
Set-ClientAccessServer -Identity SERVERNAMEHERE -AutodiscoverServiceInternalUri https://webmail.domain.tld/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "SERVERNAMEHERE\EWS (Default Web Site)" -InternalUrl https://webmail.domain.tld/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "SERVERNAMEHERE\oab (Default Web Site)" -InternalUrl https://webmail.domain.tld/oab
For this to work, webmail.domain.tld has to resolve on the internal network as well (split DNS, or an internal A record pointing at the Client Access Server); otherwise the clients can’t reach the new URLs at all.
There is one final step required – recycle the MSExchangeAutodiscoverAppPool so Autodiscover starts serving the new URLs:
On the Exchange 2007 server, open IIS Manager
Navigate to Local Computer > Application Pools
Right-click MSExchangeAutodiscoverAppPool and select Recycle
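A check for the mismatch this section fixes, added here as an example and not part of the original post: it reads the certificate enabled for IIS, collects every URL Autodiscover can hand to Outlook (the Autodiscover URI plus the EWS and OAB internal/external URLs) and reports any host name the certificate does not cover. It assumes it is run in the Exchange Management Shell on the Client Access Server itself (so $env:COMPUTERNAME is the server identity) and that a single-label wildcard is the only wildcard form you care about.

```powershell
# Added example (not from the original post). Assumes it runs on the CAS.
$server = $env:COMPUTERNAME

# Does a certificate name cover a host? Handles one-label wildcards:
# *.domain.tld covers webmail.domain.tld but not a.b.domain.tld.
function Test-NameCovered([string]$hostname, [string[]]$certNames) {
    foreach ($name in $certNames) {
        if ($name -eq $hostname) { return $true }
        if ($name.StartsWith("*.")) {
            $suffix = $name.Substring(1)                       # ".domain.tld"
            if ($hostname.EndsWith($suffix)) {
                $label = $hostname.Substring(0, $hostname.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains(".")) { return $true }
            }
        }
    }
    return $false
}

# 1. The certificate Outlook and OWA actually see is the one enabled for IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) { throw "No Exchange certificate is enabled for the IIS service on $server." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host ("IIS certificate " + $iisCert.Thumbprint + " covers: " + [string]::Join(", ", $certNames))

# 2. Every URL Autodiscover can return to an internal or external Outlook client.
$cas = Get-ClientAccessServer -Identity $server
$ews = Get-WebServicesVirtualDirectory -Server $server | Select-Object -First 1
$oab = Get-OABVirtualDirectory -Server $server | Select-Object -First 1
$endpoints = @(
    @("AutoDiscoverServiceInternalUri", $cas.AutoDiscoverServiceInternalUri),
    @("EWS InternalUrl",                $ews.InternalUrl),
    @("EWS ExternalUrl",                $ews.ExternalUrl),
    @("OAB InternalUrl",                $oab.InternalUrl),
    @("OAB ExternalUrl",                $oab.ExternalUrl)
)

# 3. Compare the host part of each URL against the names on the certificate.
$missing = @()
foreach ($pair in $endpoints) {
    $label = $pair[0]; $url = $pair[1]
    if ($url -eq $null -or $url.ToString() -eq "") {
        Write-Host ("{0,-32} (not set)" -f $label)
        continue
    }
    $hostname = ([System.Uri]($url.ToString())).Host.ToLower()
    if (Test-NameCovered $hostname $certNames) {
        Write-Host ("{0,-32} OK       {1}" -f $label, $hostname)
    } else {
        Write-Host ("{0,-32} MISSING  {1}" -f $label, $hostname)
        $missing += $hostname
    }
}

if ($missing.Count -eq 0) {
    Write-Host "All Autodiscover/EWS/OAB host names are present on the IIS certificate."
} else {
    $list = [string]::Join(",", @($missing | Sort-Object -Unique))
    Write-Host "Outlook will warn about the names marked MISSING. Either re-point those URLs to a name"
    Write-Host ("on the certificate (Set-*VirtualDirectory) or re-request it with -DomainName including: " + $list)
}
```

Run it before and after the Set-ClientAccessServer / Set-*VirtualDirectory commands: before, the internal URLs show up as MISSING with the exchange07.domain.local host; after, every line should read OK. If a line still reads MISSING after the recycle, the URL itself is the problem, not the certificate.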

That should be it. Everything works here after recycling.

Or you could avoid the URL changes altogether by putting every required name in the certificate request from the start:
NetBIOS name
Internal FQDN, and the external FQDN (if different)
autodiscover.domain.tld
autodiscover.domain.local (if applicable)
webmail.domain.tld (obviously change accordingly)
Note that since 2015 public CAs no longer issue certificates containing internal names (a bare NetBIOS name or a .local FQDN), so with a third-party certificate the URL changes above are now the only option; the full list still works if the certificate comes from an internal CA.
