Obtain and install SSL certificates - Exchange 2003

Document created by user.oxriBaJeN4 (Mimecast employee) on Sep 7, 2015. Last modified by user.oxriBaJeN4 on Sep 7, 2015. Version 1.

Obtaining SSL Certificates

The first step in obtaining an SSL certificate is to generate a certificate signing request (CSR). This can be done from the command line on a Microsoft Windows server or via the Internet Services Manager GUI console.

 

Internet Services Manager CSR Generation

  1. Open Administrative Tools.
  2. Start Internet Services Manager.
  3. Right click on the Default Web Site and select Properties from the menu.
  4. Select the Directory Security tab.
  5. Click the Server Certificate button to display the IIS Certificate Wizard.
  6. Ensure that Create a new certificate is selected, and click the Next button.
  7. Select Prepare the request now, but send it later and click the Next button.
  8. Provide a name for the certificate; this needs to be easily identifiable if you are working with multiple domains. This name is used for your records only.

    If your server is 40-bit enabled, you will generate a 512-bit key. If your server is 128-bit, you can generate up to 1024-bit keys. We recommend you select the default 1024-bit key if the option is available.

  9. Click the Next button.
  10. Enter the Organization and Organization Unit. These are your company name and department respectively. Click the Next button.
  11. The Common Name field should be the Fully Qualified Domain Name (FQDN). For example, an SSL certificate issued for mimecast.com may not be valid for dc1.mimecast.com. If the certificate is issued to otherserver.mimecast.com, and you install it on dc1.mimecast.com, LDAPS will not work. Click the Next button.
  12. Enter your Country/Region, State/Province and City/Locality.  Click the Next button.
  13. Enter a filename and location to save your CSR. You will need this CSR to enroll for your IIS SSL Certificate. Click the Next button.
  14. Check the details you have entered. If you have made an error, click the Back button, and amend the details.  Be especially sure to check the domain name the Certificate is to be Issued To.  Your IIS SSL Certificate will only work on this domain.  Click the Next button when you are satisfied that the details are absolutely correct.
    The CSR now needs to be submitted to the certificate authority for processing. When you make your application, paste the CSR in its entirety into the appropriate section of the enrollment form, from the line
    -----BEGIN CERTIFICATE REQUEST----- to the line -----END CERTIFICATE REQUEST----- (both lines included).
  15. Click the Next button, and confirm your details in the enrollment form.  Then click the Finish button.

 

To save your private key:

  1. Open the Certificates snap-in in the MMC
  2. Select Requests
  3. Select All tasks
  4. Select Export

    We recommend that you make a note of your password and backup your key, as these are known only to you - if you lose them, we can't help!

Command line CSR generation

The full Microsoft support article can be viewed from the link below:

http://support.microsoft.com/kb/321051

 

To configure LDAPS on the Domain Controller, it is possible to use Certreq to form the request or any other utility or application that creates a valid PKCS #10 request.

 

The commands that are used in this document assume the Windows 2003 version of Certreq is in use.  For Windows 2000 servers, copy certreq.exe and certcli.dll from a Windows 2003 server into a temporary directory on the Windows 2000 server.

 

To request a Server Authentication certificate that is suitable for LDAPS, you must perform the following:

  1. Create a .inf file that will be used with certreq.exe when creating the request file.  You may find it useful to copy and paste the example below into an ASCII text editor (Notepad for example) and then save it as an .inf file.  Ensure that the fully qualified DNS name of the domain controller (e.g. server1.domain.local) is in the request subject.

    [NewRequest]
    Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    ;-----------------------------------------------

    Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the request.inf file. For example: Subject = "E=admin@contoso.com, CN=<DC fqdn>, OU=Servers, O=Contoso, L=London, S=London, C=GB"

  2. Once the above configuration file has been saved as request.inf, create the request file. At a command prompt, type the following:
    certreq -new request.inf request.req
    This creates a file called request.req.
  3. The request.req file now needs to be submitted to the certificate authority for processing.
    Not all certificate authorities will process SSL certificates for domain names that cannot be resolved publicly (e.g. domain.local or domain.int).

    If using a self-signed cert, the file must be submitted to Mimecast Support.

  4. Once the certificate has been issued by the Certificate Authority, create a new file called certnew.cer in the same folder as the request file.  Open the certnew.cer file in Notepad and paste the encoded certificate into the file.
  5. Once certnew.cer has been saved, the issued certificate needs to be "accepted" so that it is matched with the pending request and its private key. To do this, type the following at a command prompt:
    certreq -accept certnew.cer
  6. Verify that the certificate is installed in the server’s Personal store:
    1. Open the MMC console and add the Certificates snap-in
    2. Expand Certificates (Local Computer)
    3. Expand Personal
    4. Expand Certificates
      A new certificate should exist in the Personal store. The Intended Purpose should be displayed as Server Authentication and the certificate should be issued to the server's fully qualified host name.
  7. Restart the domain controller.
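The certreq procedure in steps 1 to 7, wrapped in a PowerShell script. This is an added example and not a script from the Mimecast article; it assumes an elevated PowerShell session on the domain controller, that $Fqdn holds the DC's fully qualified DNS name, and that request.inf, request.req and certnew.cer live in $WorkDir (both values are placeholders). The [NewRequest] section is the one from the article, with KeyLength set to 2048, one of the sizes the article's own comment lists; the final function performs the same check as the MMC walk-through in step 6, but against the LocalMachine\My store directly.

```powershell
# Added example, not from the Mimecast article: wraps steps 1-6 above around certreq.
# Assumptions: elevated PowerShell session on the domain controller; $Fqdn is the DC's
# fully qualified DNS name; request files are kept in $WorkDir. Both are placeholders.
$Fqdn    = 'dc1.domain.local'   # replace with the DC FQDN (assumption)
$WorkDir = 'C:\CertRequest'     # working folder (assumption)

# Steps 1 and 2: write request.inf with the DC FQDN as the CN, then build request.req.
function New-LdapsRequest($Fqdn, $WorkDir) {
    if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
    # Same [NewRequest] section as the article; KeyLength raised to 2048, which the
    # article's own comment lists as an allowed value.
    $inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"@
    $infPath = Join-Path $WorkDir 'request.inf'
    $reqPath = Join-Path $WorkDir 'request.req'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    & certreq -new $infPath $reqPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }
    return $reqPath   # this is the file to submit to the certificate authority
}

# Steps 4 and 5: after the issued certificate has been pasted into certnew.cer, accept it.
function Complete-LdapsRequest($WorkDir) {
    $cerPath = Join-Path $WorkDir 'certnew.cer'
    if (-not (Test-Path $cerPath)) { throw "Save the issued certificate as $cerPath first" }
    & certreq -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }
}

# Step 6: the MMC check done against LocalMachine\My. Passes only if a certificate
# issued to the FQDN has its private key, carries the Server Authentication EKU
# and has not expired; any one of these missing means LDAPS will not come up.
function Test-LdapsCertificate($Fqdn) {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($c in (Get-ChildItem Cert:\LocalMachine\My)) {
        if ($c.GetNameInfo($simpleName, $false) -ne $Fqdn) { continue }
        if (-not $c.HasPrivateKey) { continue }
        $hasServerAuth = $false
        foreach ($ext in $c.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
                }
            }
        }
        if ($hasServerAuth -and $c.NotAfter -gt (Get-Date)) {
            Write-Host "OK: $($c.Thumbprint) issued to CN=$Fqdn, expires $($c.NotAfter)"
            return $true
        }
    }
    Write-Host "No usable Server Authentication certificate for CN=$Fqdn in LocalMachine\My"
    return $false
}

# Run before submitting the CSR:
#   New-LdapsRequest $Fqdn $WorkDir
# Run after certnew.cer has been saved, then restart the DC (step 7):
#   Complete-LdapsRequest $WorkDir
#   if (Test-LdapsCertificate $Fqdn) { Restart-Computer -Confirm }
```

The two phases are separate functions because the CA round trip happens in between; the store check is placed before the restart so that a rejected or mismatched certificate is caught while the old configuration is still running.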

 

Installing SSL certificates

Once the CSR has been generated and submitted to the certificate authority, you will receive your SSL certificate. This must now be installed onto your server. This can be done from the command line on a Microsoft Windows server or via the Internet Services Manager GUI console.

 

Internet Services Manager Certificate Installation

  1. Open Administrative Tools
  2. Start Internet Services Manager
  3. Right-click on the Default Web Site and select Properties from the menu
  4. Select the Directory Security tab
  5. Click the Server Certificate button
  6. The IIS Certificate Wizard is displayed
  7. Choose to Process the Pending Request and Install the Certificate. Click the Next button
  8. Enter the location of your IIS SSL certificate (you may also browse to locate your IIS SSL certificate), and then click the Next button
  9. Review the summary screen to ensure that you are processing the correct certificate, and then click the Next button
  10. A confirmation is displayed.  Review the information, then click the Next button to install the IIS SSL server certificate.

    You must now restart the computer to complete the install.

Command line certificate installation

Once the certificate has been issued by the Certificate Authority, create a new file called certnew.cer in the same folder as the request file.  Open the certnew.cer file in Notepad and paste the encoded certificate into the file.

  1. Once certnew.cer has been saved, the issued certificate needs to be accepted. To do this, type the following at a command prompt:
    certreq -accept certnew.cer
  2. Verify that the certificate is installed in the server's Personal store:
    1. Open the MMC console and add the Certificates snap-in
    2. Expand Certificates (Local Computer)
    3. Expand Personal
    4. Expand Certificates
      A new certificate should exist in the Personal store. The Intended Purpose should be displayed as Server Authentication and the certificate should be issued to the server's fully qualified host name.
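The store check above confirms the certificate is present; it does not confirm that clients will accept it. The following PowerShell function, added here as an example and not part of the Mimecast article, connects from another machine to TCP port 636 once the domain controller has been restarted, reads the certificate the server presents, and reports the three things that make LDAPS fail in practice: a subject that does not match the name clients connect to (the mismatch described in the Common Name step above), an expired certificate, and a chain that does not build to a trusted root on the checking machine. It assumes port 636 is reachable, that the hostname given is the one LDAP clients use, and that the issuing CA's root is installed on the machine running the check; the hostname is a placeholder.

```powershell
# Added example, not from the Mimecast article: post-restart LDAPS check from a client.
# Assumptions: TCP 636 reachable; $Fqdn is the name clients use for the DC; the CA root
# is trusted on this machine. The hostname at the bottom is a placeholder.
function Test-LdapsEndpoint($Fqdn, $Port = 636) {
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept any certificate during the handshake so that the checks below run
        # explicitly and each failure is reported with its own reason.
        $acceptAll = { param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    $ok = $true
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $remote.GetNameInfo($simpleName, $false)
    if ($cn -ne $Fqdn) {
        Write-Host "FAIL: certificate is issued to '$cn' but clients connect to '$Fqdn'; LDAPS will not work"
        $ok = $false
    }
    if ($remote.NotAfter -le (Get-Date)) {
        Write-Host "FAIL: certificate expired on $($remote.NotAfter)"
        $ok = $false
    }
    # Verify() builds the chain against this machine's trusted roots (self-signed
    # certificates, or a CA root that has not been distributed, fail here).
    if (-not $remote.Verify()) {
        Write-Host "FAIL: chain does not build to a trusted root on this machine"
        $ok = $false
    }
    if ($ok) {
        Write-Host "OK: $Fqdn presents $($remote.Thumbprint), valid until $($remote.NotAfter)"
    }
    return $ok
}

Test-LdapsEndpoint 'dc1.domain.local'   # placeholder: replace with the DC FQDN clients use
```

Run this from a workstation or application server rather than on the DC itself, since what matters is the view from the client that will bind over LDAPS; a certificate that passes the local store check but fails here is usually issued to the wrong name or signed by a CA the client does not trust.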
