Managing certificates in an Exchange Server deployment is one of the most important administrative tasks. In Exchange 2013, certificate management functionality is provided in the Exchange Administration Console (EAC), the new Exchange 2013 administrative user interface. In Exchange 2013, the focus is on minimizing the number of certificates that an administrator must manage, minimizing the interaction the administrator must have with certificates, and allowing management of certificates from a central location.
Client Access server certificates:
The Client Access server in Exchange 2013 is a stateless thin server designed to accept incoming client connections and proxy them to the correct Mailbox server. Because it terminates the client TLS connection, its certificate is the one clients validate.
Mailbox server certificates:
The difference between Exchange 2010 and Exchange 2013 is that the certificates used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about an untrusted self-signed certificate, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server.
You can use the following cmdlets to manage digital certificates on an Exchange Client Access server:
- Import-ExchangeCertificate This cmdlet is used to import certificates to a server. You can import a CA-signed certificate (to complete a pending certificate signing request (CSR)) or a certificate with a private key (PKCS #12 files, generally with a .pfx extension, previously exported from a server along with the private key).
- Remove-ExchangeCertificate This cmdlet is used to remove certificates from a server.
- Enable-ExchangeCertificate This cmdlet is used to assign services to a certificate.
- Get-ExchangeCertificate This cmdlet is used to retrieve an Exchange certificate based on a variety of criteria.
- New-ExchangeCertificate This cmdlet is used to create a new self-signed certificate or a CSR.
Here, I am going to replace the default self-signed certificate of the CAS server with one issued by an internal PKI certificate authority. This server is installed with both the Client Access and Mailbox server roles.
The server is a non-internet-facing Client Access server, so I am using the internal PKI (the CA is installed on the local DC) to issue the certificate.
Note: If your CAS server is an internet-facing Client Access server, then you must use a third-party CA such as VeriSign or DigiCert to acquire the SSL certificate, because clients outside the domain will not trust your internal CA.
In my lab, I have the servers listed below:
- PUNDC01 (Domain Controller, DNS & PKI)
- PUNMail (Exchange 2013 server with MBX+CAS Role)
Generate Certificate Request:
1. Log in to the Exchange Admin Center with Exchange Administrator credentials.
3. Select "Create a request for a certificate from a certificate authority" and click Next to continue.
4. Give the new certificate a friendly name and click Next to continue.
5. Leave the wildcard certificate option blank and click Next to continue. Although wildcards are supported by Exchange, they are not supported in some interoperability scenarios with other server products.
6. Select the Exchange server on which to store the certificate request.
7. Click the Edit button and enter the domain name that clients will use to connect to each service. This depends on your organization's requirements and the names used to access services.
8. As I have mentioned, this is a non-internet-facing server, so I just used the defaults.
9. Here, enter your organization details and click Next to continue.
10. Enter a valid UNC path; otherwise you will get the error shown below.
11. Enter a valid UNC path to store the certificate request file, and click Finish.
12. Browse to the location and make sure the "Cert.REQ" file has been created. Open the file in Notepad and verify its content.
Generate Certificate with PKI:
1. Open the CA web enrollment console using the URL http://CAServer/CertSRV and select "Request a certificate" under "Select a task".
2. Select "advanced certificate request".
3. Open the "Cert.REQ" file created in step 11 in Notepad, copy its content and paste it into the request form. Make sure no blank space is left. Select the "Web Server" certificate template and click "Submit".
4. Select "DER encoded" and download the certificate.
5. Open the certificate and verify the SAN names.
Assign Certificate to Exchange Server:
Go back to the Exchange Admin Center and click on the pending certificate request. Complete the request with the downloaded certificate, then select the certificate and assign services to it on the server.
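As an added example (not from the original post), here is the same request, import and assign flow done in the Exchange Management Shell with the cmdlets listed earlier, plus the checks I would run before binding services. The server name PUNMail comes from the post; the DNS names, organization details and the UNC share path are assumed placeholders.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
# Assumed values: DNS names, organization and share path are placeholders.
$server  = 'PUNMail'
$names   = @('mail.example.local', 'autodiscover.example.local')   # assumed names
$reqPath = '\\PUNMail\CertReq\Cert.REQ'                            # assumed share
$cerPath = '\\PUNMail\CertReq\certnew.cer'                         # DER file downloaded from CertSrv

# 1. Generate the CSR (same as the EAC wizard). The private key stays on the
#    server; exportable so the certificate can later be moved to another CAS.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
        -FriendlyName 'PUNMail CAS certificate' `
        -SubjectName "C=US,O=Example Org,CN=$($names[0])" `
        -DomainName $names -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes($reqPath, [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. Submit Cert.REQ to the CA web enrollment page (Web Server template),
#    download the DER-encoded certificate to $cerPath, then complete the
#    pending request on the server.
$cert = Import-ExchangeCertificate -Server $server `
          -FileData ([System.IO.File]::ReadAllBytes($cerPath))

# 3. Checks before assigning services: CA-issued (not self-signed), chain
#    builds to a trusted root, every expected name is in the SAN list, and
#    the certificate is not close to expiry.
$c = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
if ($c.IsSelfSigned)       { throw 'Certificate is still self-signed' }
if ($c.Status -ne 'Valid') { throw "Certificate status is $($c.Status) (chain or trust problem?)" }
$missing = $names | Where-Object { $c.CertificateDomains -notcontains $_ }
if ($missing)              { throw "SAN is missing: $($missing -join ', ')" }
if ($c.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires $($c.NotAfter)" }

# 4. Assign IIS (OWA, ECP, EWS, ActiveSync, Outlook Anywhere) and SMTP to it.
Enable-ExchangeCertificate -Server $server -Thumbprint $c.Thumbprint `
    -Services IIS,SMTP -Confirm:$false

# 5. Confirm what is now bound and which certificate is still self-signed.
Get-ExchangeCertificate -Server $server |
    Format-List FriendlyName, Thumbprint, IsSelfSigned, Status, CertificateDomains, Services, NotAfter
```

After step 4, a fresh client connection should present the CA-issued certificate; the old self-signed one can be left in place until you confirm nothing else depends on it.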
You are done now !!!! 🙂 🙂