One of the most complicated checkpoints for a successful installation and configuration of Exchange Pro is the set of certificates that must be available on the Exchange server. The web certificate CANNOT be self-signed, and it must be the correct type of certificate.
Use these steps to validate that the certificate is correct for the Exchange Pro domain installation.
1) Validate Server Certificates
From within IIS Manager you can view the existing certificates that have been set up on the server.
a. Open up IIS Manager by clicking under Administrative Tools / IIS Manager on the Exchange 2010 server that is running as your primary remote PowerShell server in the domain.
b. Select the certificate you want to inspect and click on “View”.
c. From the Certificate window you need to ensure that the “Issued to” and “Issued by” names are different. This certificate CANNOT be self-signed.
d. Now from that same Certificate window, choose the “Certification Path” tab. Make sure that the Certification status is “OK” and that the path is under the root of the appropriate domain (Trusted Root).
2) Check Exchange Certificates
From within the Exchange Management Console (EMC) you can view the existing Exchange certificates that have been set up on the server.
a. Open up EMC, and click on the “Server Configuration” area in the navigation pane.
b. Select the certificate you want to inspect and ensure that in the “Self-Signed” column it says “False”. Now double-click on it to open the Certificate.
c. From the Certificate window you need to ensure that the “Issued to” and “Issued by” names are different. This certificate CANNOT be self-signed.
d. Now from that same Certificate window, choose the “Certification Path” tab. Make sure that the Certification status is “OK” and that the path is under the root of the appropriate domain (Trusted Root).
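The same checks from steps 1 and 2 can be run in PowerShell on the Exchange server. This is an added example, not part of the original article or the product's tooling: `Test-ServerCertificate` is a hypothetical helper name, it reads the `Cert:\LocalMachine\My` store, and it assumes revocation checking is skipped so the check runs offline.

```powershell
# Added example: mirrors the GUI checks above (not self-signed, certification path OK).
# Test-ServerCertificate is a hypothetical helper, not an Exchange or Quest cmdlet.
# Written to run on PowerShell 2.0, which ships with Exchange 2010 servers.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # "Issued to" equal to "Issued by" means the certificate is self-signed.
        $selfSigned = ($Certificate.Subject -eq $Certificate.Issuer)

        # Build the chain in machine context, as the "Certification Path" tab does.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        # Assumption: skip revocation so the check runs offline; set to Online to include it.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($Certificate)

        # Collect any chain errors (UntrustedRoot, PartialChain, NotTimeValid, ...).
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        # The last chain element is the root the path ends in.
        $root = $chain.ChainElements | Select-Object -Last 1

        New-Object PSObject -Property @{
            Thumbprint  = $Certificate.Thumbprint
            Subject     = $Certificate.Subject
            Issuer      = $Certificate.Issuer
            SelfSigned  = $selfSigned
            ChainStatus = $status
            Root        = $root.Certificate.Subject
            # Passes only when both GUI checks would pass.
            Pass        = ((-not $selfSigned) -and $chainOk)
        } | Select-Object Pass, SelfSigned, ChainStatus, Subject, Issuer, Root, Thumbprint
    }
}

# Check every certificate in the server's personal store.
Get-ChildItem Cert:\LocalMachine\My | Test-ServerCertificate | Format-List
```

A certificate with `Pass` set to `False` shows the reason in `SelfSigned` or `ChainStatus`.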
If the correct type of certificate doesn’t exist, you will need to create one for this Exchange 2010 server.
1. Open the Exchange Management Console, select the root server, and click on Manage Databases
2. Then in the right pane, click Server Configuration, then in the right pane click New Certificate
3. Enter the friendly name for the request
4. Click Enable wildcard certificate and enter *.btexchange2k10.com
5. Enter the information about your organization and where you want to save the certificate request data then click Next
6. Verify the information and click New
7. Once the request is generated click Finish
8. Now open the request file we just generated and copy the certificate request information to the clipboard
9. Now open the browser on the Exchange server, navigate to your certificate authority website, and click Request Certificate. Note: be sure that Active Directory Certificate Services and Active Directory Rights Management Services are installed as roles on this server. If not, you won’t be able to run the CERTSRV web server.
10. Then select Submit a certificate request using base 64….
11. Paste the data into the request window, verify the certificate template is created as a webserver and click Submit
12. Then click Download Certificate and save the file to a local drive
13. Go back to the Exchange Management Console, highlight the certificate request you just made, and select Complete Pending Request...
14. Select the new certificate you just saved to your local drive and click Complete then Finish
15. Now highlight the certificate we just installed and in the right pane click Assign services to certificate
16. Select Internet Information Services then Next then Assign
17. Once the services have been assigned successfully, click Finish
18. Verify the proper installation of the certificate by going to the OWA server using https:// in a web browser and verify it is working properly