SAPO Trust Centre: Certificate Installation on Exchange Manual
1. Introduction

This document describes how to install an SSL certificate on Exchange Server.

2. Client Procedure

Log into the Exchange Admin Center.

Navigate to Servers -> Certificates.

Select the CAS server you want to push the certificate to; in our case we will select PHDC-E15CAS01.E15.corp.

Now select the + sign, which will bring up the New Exchange Certificate wizard:
Create a friendly name for the certificate:

At the next screen you can decide to request a wildcard certificate, where you would enter the root domain. For example, if you wanted a wildcard certificate for exchange15.com, your screen would look like the following:

If you want to create a SAN certificate, leave this unchecked and select Next.
Select the server to store the certificate on; in our case, the same server we are requesting it for, PHDC-E15CAS01:

Next, you need to select the services that you want to assign to the external domain, and the FQDN of each service. In our case, everything will point to email.exchange15.com. Select each service that does NOT say (when accessed from the intranet) and click the pencil icon to edit the domain:
When you click Next, it will show you the domains that will be added to the certificate. If you have any accepted domains in your organization, it will add the autodiscover.accepteddomain.com entry to the certificate:

When you click Next, you will need to fill out the information for the organization requesting the certificate:
Select the location to save the certificate request. If you don't have a network share pre-configured (with the Exchange Trusted Subsystem as an administrator), then you can store it on the C drive of the CAS server with \\phdc-e15cas01.e15.corp\c$\newcertreq.req

Now when you see the request, it will be pending:

Now we need to submit this request to a certificate authority to complete the request. In our case, we will use a Windows 2008 R2 CA to do so.

Log into our certificate authority at https://www.trustcentre.co.za/links.php

Select Request a Certificate -> Advanced Certificate Request -> Submit a Certificate Request by using

Open the request you saved before in Notepad:
Copy and paste that into the Base-64-Encoded field, and set the Certificate Template to Web Server:

Hit Submit to finalize, and you should see the option to Download Certificate or Download the Certificate Chain. You can also download from the link: SAPO Class 3 Root CA Certificate and SAPO SSL CA Certificate (Intermediary CA certificate).

Select Download the certificate and save the file to the shared location that you saved the request file to. Next, download the Certificate Chain to the same location, as we will need to import the CA certificate to the host to ensure it trusts the certificate.

certnew.cer is the Exchange server's certificate; SAPO SSL CA Certificate is the CA certificate.

To import the Certificate Authority certificate, RDP into PHDC-E15CAS01. Open up a blank MMC console and add the Certificates snap-in for the local account:
Expand Trusted Root Certification Authorities and select Certificates underneath it, or you can download the certificate from our website and save it.

Right-click Certificates and select Import->All Tasks->Import.

Select the Certificate Authority certificate you downloaded before; in our example this would be: \\phdc-e15cas01.e15.corp\c$\certnew.p7b

Select Next and Finish.

Return to the Exchange Admin Center, select the pending certificate request, and on the right-hand side select Complete.
A new dialog box will open. Enter the path to the certnew.cer file; in our example this would be: \\phdc-e15cas01.e15.corp\c$\certnew.cer

Now we need to assign this certificate to the specific services we want. Select the certificate and click the pencil icon. Then click Services, and let's check off which services we want. We are going to want to add SMTP and IIS:
You will receive a warning about overwriting the existing certificate; just select Yes:

That's it, you are all set! When we go to the site and check the certificate:
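
The same request, completion and service assignment can be scripted from the Exchange Management Shell, with a verification step at the end. This is an added example, not part of the SAPO manual: it reuses the manual's server name, file paths and FQDN, and the autodiscover name, the subject fields and the two function names are assumptions. Importing the CA certificate is still done as described above.

```powershell
# Added example, not from the SAPO manual. Run in the Exchange Management Shell
# on the CAS server. Server, paths and FQDN come from the manual.
$server  = 'PHDC-E15CAS01'
$reqPath = '\\phdc-e15cas01.e15.corp\c$\newcertreq.req'
$cerPath = '\\phdc-e15cas01.e15.corp\c$\certnew.cer'
$fqdn    = 'email.exchange15.com'
# Assumptions: the autodiscover name and the subject fields are placeholders.
$domains = $fqdn, 'autodiscover.exchange15.com'
$subject = "C=ZA,O=ExampleOrg,CN=$fqdn"

function New-CasCertificateRequest {
    # SAN request (no wildcard); the private key is generated on the server
    # and marked non-exportable.
    $csr = New-ExchangeCertificate -GenerateRequest -Server $server `
        -FriendlyName "$fqdn (example)" -SubjectName $subject `
        -DomainName $domains -KeySize 2048 -PrivateKeyExportable $false
    Set-Content -Path $reqPath -Value $csr -Encoding Ascii
    # Review subject, SAN list and key size before pasting the request into the CA form.
    certutil.exe -dump $reqPath
}

function Complete-CasCertificate {
    # Equivalent of "Complete" on the pending request in the Exchange Admin Center.
    $bytes = [System.IO.File]::ReadAllBytes($cerPath)
    $cert  = Import-ExchangeCertificate -Server $server -FileData $bytes

    # Assign SMTP and IIS. Without -Force the overwrite warning is still shown.
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services SMTP, IIS

    # Confirm what Exchange now holds: names, bound services, status, expiry.
    Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
        Format-List Subject, CertificateDomains, Services, Status, NotAfter

    # Chain and host-name check against the local machine store
    # (Test-Certificate needs the PKI module, Windows Server 2012 or later).
    $local = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not (Test-Certificate -Cert $local -Policy SSL -DNSName $fqdn)) {
        throw "Certificate $($cert.Thumbprint) does not validate for $fqdn"
    }
}

# 1) New-CasCertificateRequest   then submit newcertreq.req to the CA
# 2) Complete-CasCertificate     after certnew.cer is saved and the CA certificate is trusted
```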