Secure communication in an Exchange enterprise messaging environment is critical.  In Exchange 2007, Microsoft introduced support for Unified Communications Certificate (UCC), also called Subject Alternative Name (SAN), SSL certificates.  These Secure Sockets Layer (SSL) certificates secure multiple domain names with one certificate, and some certificate providers allow up to 100 names on a single certificate.  By default, a fresh Exchange 2007 installation provides a self-signed certificate that covers only the hostname of the server (NetBIOS name and FQDN).  For any use outside of a lab environment, you’ll want to purchase and install a UCC certificate.  UCC certificates can be purchased from any major SSL certificate provider (e.g., GoDaddy, GeoTrust, Entrust, Comodo).

In this example, I’ll show you how to replace a single-domain third-party certificate and a self-signed SSL certificate with one new UCC certificate.

Step 1: Certificate Signing Request (CSR)

This is the “planning” stage.  The most important part of creating your CSR is to pick your domain names carefully; a name you leave out now cannot be added without reissuing the certificate.  I recommend a five-name UCC certificate using the following names:

  • mail.example.com  (Internet FQDN)
  • example.com  (Internet domain)
  • InternalHost  (Internal hostname)
  • InternalHost.example.com  (Internal FQDN)
  • autodiscover.example.com  (Internet hostname used by the “autodiscover” service)

Using the Exchange Management Shell, generate the CSR:

# Note: public CAs no longer accept 1024-bit keys; for a new request use -KeySize 2048.
New-ExchangeCertificate -GenerateRequest -Path c:\cert\mail_example_com.csr -KeySize 1024 -SubjectName "c=US, s=State, l=City, o=CompanyName, cn=mail.example.com" -DomainName example.com, InternalHost, InternalHost.example.com, autodiscover.example.com -PrivateKeyExportable $True

Navigate to the path where you saved your CSR in the command above (c:\cert\mail_example_com.csr), open it with Notepad or your favorite text editor, and copy all the text.  Log in to your SSL certificate provider’s website and paste the text into the appropriate form.  Depending on their verification process, your certificate will be approved in anywhere from a couple of hours to a day.

Step 2:  Install and Enable New UCC Certificate

Follow the directions provided by your SSL certificate provider to install any required intermediate certificates, if applicable.  Copy your UCC certificate to an easily accessible path on your Exchange server (e.g., c:\cert), then issue the following command in the Exchange Management Shell:

Import-ExchangeCertificate -Path c:\cert\mail.example.com.crt -FriendlyName "GoDaddy UCC 2009" | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP" -Force

Step 3:  Remove Expired or Unnecessary Certificates

Record the thumbprints of the existing certificates that you wish to remove.  Format-Table (ft) gives a compact overview; Format-List (fl) shows every property, including the domains and services of each certificate:

Get-ExchangeCertificate | ft

OR

Get-ExchangeCertificate | fl

Remove the expired third-party single-domain certificate:

Remove-ExchangeCertificate -thumbprint [thumbprint ID]

Remove the self-signed (hostname) certificate:

Remove-ExchangeCertificate -thumbprint [thumbprint ID]

Step 4:  Wrap Up

To make sure every component picks up the new certificate, restart the following service:  Microsoft Exchange Transport
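As an added check that is not part of the original post: the script below, run in the Exchange Management Shell, confirms that the imported UCC certificate carries all five names from Step 1 and is bound to the four services from Step 2, then lists any remaining self-signed or expired certificates that are still candidates for Remove-ExchangeCertificate.  It assumes the example.com names used above; substitute your own.

```powershell
# Constructed example: the five names planned in Step 1 (assumed; replace with yours).
$RequiredNames = @('mail.example.com', 'example.com', 'InternalHost',
                   'InternalHost.example.com', 'autodiscover.example.com')
$RequiredServices = @('IIS', 'POP', 'IMAP', 'SMTP')

# Locate the new UCC certificate: not self-signed, still valid, and issued for mail.example.com.
$ucc = Get-ExchangeCertificate |
    Where-Object {
        $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        (-not $_.IsSelfSigned) -and ($_.NotAfter -gt (Get-Date)) -and ($names -contains 'mail.example.com')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($ucc -eq $null) {
    throw 'No valid third-party certificate for mail.example.com found; do not remove anything yet.'
}

# Every planned name must appear in the certificate's SAN list (string compare is case-insensitive).
$uccNames = @($ucc.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = @($RequiredNames | Where-Object { $uccNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw ('UCC certificate is missing names: ' + [string]::Join(', ', $missing))
}

# Every service must be bound to the new certificate rather than lingering on an old one.
$bound   = @($ucc.Services.ToString().Split(',') | ForEach-Object { $_.Trim() })
$unbound = @($RequiredServices | Where-Object { $bound -notcontains $_ })
if ($unbound.Count -gt 0) {
    throw ('Services not yet enabled on the UCC certificate: ' + [string]::Join(', ', $unbound))
}
Write-Host ('UCC certificate verified, thumbprint ' + $ucc.Thumbprint)

# Anything else that is self-signed or expired is a removal candidate; after Step 3 this should be empty.
Get-ExchangeCertificate |
    Where-Object { ($_.Thumbprint -ne $ucc.Thumbprint) -and ($_.IsSelfSigned -or ($_.NotAfter -lt (Get-Date))) } |
    Format-Table Thumbprint, IsSelfSigned, NotAfter, Services, Subject -AutoSize
```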

Enjoy!