Friday, 20 March 2015

Managing Certificates in Exchange Server 2013 (Part 3)

Requesting the Certificate…

The first step is to create a shared folder that the certificate process, and other Exchange tasks that need a repository location (PST export is a good example), can use.
This shared folder can be created on any server on your network, but since the Exchange administrator controls the Exchange servers, it is usually created on an Exchange box.
Creating the folder is straightforward. Let's name it ExchUtil$, where the trailing $ makes it a hidden share, and on the share-level permissions make sure that the existing Everyone entry has Full Control.

Figure 01
On the Security tab of the same folder we restrict permissions by disabling inheritance, removing the Users group, and adding Exchange Trusted Subsystem with Full Control to the list, as shown in Figure 02. The Exchange servers themselves, which are members of that group, are what write the request file to the share, so that entry is required.

Figure 02
Now that the prerequisites are in place, open the Exchange Admin Center (https://<ExchangeServer>/ECP). After authenticating, click servers and then certificates. A list of all certificates currently in place is displayed, as shown in Figure 03.
Figure 03
Click the first icon on the toolbar, New, represented by a + icon. On the new page we can choose between a certificate request (which works for either an internal CA or a public CA) and a self-signed certificate. Leave the default settings and click Next. (Figure 04)
Figure 04
On the second page we need to define a friendly name for the certificate. In this article series we will name it <Domain Name> - Public Certificate, and then click Next. (Figure 05)
Figure 05
On the following page we could request a wildcard certificate by selecting Request a wildcard certificate, but in the first article of this series we decided to go the Subject Alternative Names route, so leave the default settings and just click Next.
On the next page we select which server will store the certificate request we are creating. We will use the same server to complete the certificate; after that it is just a matter of exporting the certificate and importing it on any other servers that share the same names. Since we have a single server, click Browse, select the desired server, and click Next. (Figure 06)
Figure 06
On this page the administrator can configure the domain names for each component that will require a certificate; a new page lets us fill in each name, as shown in Figure 07. Filling out these names generates the names that go into the certificate request. However, since we already defined the names we want in our certificate in the first article, just click Next.
Figure 07
Now we have a summary of all names that will be part of this request. One of them is configured as the common name and should be the name that Outlook Anywhere is going to use. We can manage the entries with the Add/Remove buttons, and the result should be similar to Figure 08. In this article series we will be adding a third name, just for ADFS, to show how we can take advantage of the certificate request in Exchange Server.
Note:
If this certificate will be used for other services, this is the opportunity to add their names. A couple of examples where additional names are useful: Active Directory Federation Services (ADFS), any IIS application on a different server, SharePoint, or even a name for your TLS-protected SMTP traffic.
Check with your public Certification Authority, but they should allow you to use the certificate on multiple servers. If they do, the certificate generated here can be exported and imported on other servers, which adds a lot of value to the certificate.
Figure 08
On the following page the administrator fills out the information about the organization, location, and so on. After that, click Next.
On the final page of the certificate wizard we specify the UNC path of the shared folder that we created at the beginning of this article, plus the name of the request file, as shown in Figure 09. After filling out all required information, click Finish.
Figure 09
If we look at the ExchUtil$ folder, a new file with the name we specified is listed, and its content looks similar to Figure 10. That is our CSR (Certificate Signing Request), and it is the information we will submit either to our internal Certification Authority or to a public CA.
Figure 10
One last thing: if we look at the certificates in the EAC (Exchange Admin Center), a new entry is listed with the status Pending Request, as shown in Figure 11.
Figure 11
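The same preparation and request, as an added example in the Exchange Management Shell instead of the EAC wizard (this is not the article's own code). It assumes it runs on the Exchange 2013 server as an Exchange administrator; the domain, local path and subject fields are placeholders.

```powershell
# Added example, not from the original article. Runs in the Exchange Management Shell on the
# Exchange 2013 server; $Domain, $LocalPath and the subject fields are placeholders.
$ServerName = $env:COMPUTERNAME
$LocalPath  = 'C:\ExchUtil'
$ShareName  = 'ExchUtil$'      # the trailing $ hides the share from browsing (Figure 01)
$Domain     = 'contoso.com'    # placeholder for the public domain used in the certificate
$Trusted    = "$env:USERDOMAIN\Exchange Trusted Subsystem"

# 1. Folder and hidden share. Share-level ACL: Everyone Full Control, as in Figure 01;
#    the effective access is then narrowed by the NTFS ACL in step 2.
New-Item -Path $LocalPath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LocalPath -FullAccess 'Everyone' | Out-Null
}

# 2. NTFS ACL as in Figure 02: convert inherited entries to explicit ones, drop Users,
#    grant Exchange Trusted Subsystem. The Exchange server accounts in that group are what
#    write the request file, so without it the wizard fails at its last step.
icacls $LocalPath /inheritance:d                 | Out-Null
icacls $LocalPath /remove:g 'BUILTIN\Users'      | Out-Null
icacls $LocalPath /grant "${Trusted}:(OI)(CI)F"  | Out-Null

# 3. Generate the CSR. The first name is the common name (the Outlook Anywhere name,
#    Figure 08); every entry in -DomainName becomes a Subject Alternative Name, including
#    the extra ADFS name the article adds so the certificate can be reused elsewhere.
$Names       = @("webmail.$Domain", "autodiscover.$Domain", "adfs.$Domain")
$RequestFile = "\\$ServerName\$ShareName\$Domain-PublicCertificate.req"
New-ExchangeCertificate -GenerateRequest `
    -FriendlyName "$Domain - Public Certificate" `
    -SubjectName "CN=$($Names[0]),O=Contoso,L=City,S=State,C=US" `
    -DomainName $Names `
    -PrivateKeyExportable $true `
    -Server $ServerName `
    -RequestFile $RequestFile | Out-Null

# 4. Checks matching Figures 10 and 11: the CSR file exists on the share and the
#    certificate list now carries a PendingRequest entry with our friendly name.
if (-not (Test-Path $RequestFile)) { throw "Request file was not written to $RequestFile" }
Get-ExchangeCertificate -Server $ServerName |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-Table FriendlyName, Status, CertificateDomains -AutoSize
```

The -PrivateKeyExportable $true setting is what later allows the export/import to other servers that the note above describes.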
Time to go to your favorite CA. Create an online account and, when asked for a CSR, paste the content of the file we have just generated. Processing time for the new certificate varies by public CA: they will verify that you really own the domain, and some documentation may be required as part of the process.
Note:
Your next certificate renewal may be 3 (three) years away, so you may want to use a generic account when registering with your public CA. Using a generic account for this kind of request saves time later, because you won't have to remember who handled the previous renewal or recreate the accounts of people who may no longer work at your company.

Deploying the new Certificate...
At this point we have probably received a message from the public CA with our new certificate. We need to download that certificate and place it in the ExchUtil$ shared folder.
To install the new certificate, go to the EAC, click servers and then certificates. Select the certificate we created earlier, which has a Pending Request status, and click Complete on the right side, as shown in Figure 12.
Figure 12
On the new page, type the UNC path of the certificate file as shown in Figure 13, and click OK.
Figure 13
Back to the certificates page (Figure 14), we can see that the Status column shows our new certificate as valid which means that it has been installed and we can assign services to it.
Figure 14
This completes the installation of the certificate; however, we are not done yet. Our next step is to assign the new certificate to the services we are hosting on our new Exchange Server 2013.

Assigning Services to the new Public Certificate…

To do that, select the certificate and click Edit (the second icon from the left). On the first page displayed (general) we can check all the names on the certificate, its expiration date, status and so forth. Click services, select IIS (you can select more services if you are going to use them), and then click save. (Figure 15)
Figure 15
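Completing the request, assigning IIS and then checking the result, as an added Exchange Management Shell example (not the article's own code). It assumes the issued certificate was saved to the ExchUtil$ share and that the OWA name resolves to this server; the domain and file name are placeholders. It goes one step beyond the article's browser check by doing the TLS handshake in script.

```powershell
# Added example, not from the original article. Runs in the Exchange Management Shell on the
# Exchange 2013 server; $Domain and the file name on the share are placeholders.
$ServerName = $env:COMPUTERNAME
$Domain     = 'contoso.com'
$CertFile   = "\\$ServerName\ExchUtil$\$Domain-PublicCertificate.cer"   # file saved from the CA

# 1. Complete the pending request (the EAC Complete link, Figures 12 and 13). Exchange
#    matches the issued certificate to the private key created with the request.
$Cert = Import-ExchangeCertificate -Server $ServerName -FileName $CertFile

# 2. Assign IIS (OWA, ECP, EWS, Autodiscover and OAB over HTTPS), as in Figure 15.
Enable-ExchangeCertificate -Server $ServerName -Thumbprint $Cert.Thumbprint -Services IIS -Force

# 3. Verify what Figure 14 shows: Valid status, IIS among the services, expected names present.
$Check   = Get-ExchangeCertificate -Server $ServerName -Thumbprint $Cert.Thumbprint
$Present = @($Check.CertificateDomains | ForEach-Object { $_.ToString() })
$Missing = @("webmail.$Domain", "autodiscover.$Domain") | Where-Object { $Present -notcontains $_ }
if ($Check.Status -ne 'Valid')       { throw "Certificate status is $($Check.Status), not Valid" }
if ($Check.Services -notmatch 'IIS') { throw "IIS is not assigned: $($Check.Services)" }
if ($Missing)                        { throw "Names missing from the certificate: $($Missing -join ', ')" }

# 4. The scripted version of opening webmail in the browser (Figure 16): do a TLS handshake
#    against the OWA name and confirm the server presents the certificate we just enabled.
#    AuthenticateAsClient throws if the chain does not validate or the name does not match.
$Client = New-Object System.Net.Sockets.TcpClient("webmail.$Domain", 443)
$Ssl    = New-Object System.Net.Security.SslStream($Client.GetStream(), $false)
try {
    $Ssl.AuthenticateAsClient("webmail.$Domain")
    $Presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    if ($Presented.Thumbprint -ne $Cert.Thumbprint) {
        throw "IIS still serves thumbprint $($Presented.Thumbprint); expected $($Cert.Thumbprint)"
    }
    "OK: $($Presented.Subject) is served on https://webmail.$Domain/ and expires $($Presented.NotAfter)"
} finally {
    $Ssl.Dispose(); $Client.Dispose()
}
```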
After clicking save on the previous page, open a new Internet Explorer session and go to webmail.AndersonPatricio.info. The page is displayed without any certificate warnings, and the padlock icon on the right side of the address bar is closed. Clicking it shows more information about the certificate, and we can see that it is a valid certificate (Figure 16).
Figure 16
Are we done? Not yet. We have completed the first task, requesting and deploying the certificate. Our next task is to make sure that Exchange Server 2013 is configured to use the names that appear on the certificate. Completing the remaining tasks, which we will review in the upcoming articles, improves the end-user experience: users will no longer receive certificate error messages in Outlook or any other Exchange service.
Stay tuned for the next article. We will be configuring Exchange Server 2013 to use the new certificate by exposing the proper DNS names on all services offered by the Client Access role.

Conclusion

In this article, we requested and assigned the public certificate in our Exchange Server 2013 environment. All these tasks were the result of the planning and design that we worked on in the first two articles of this series.
