In Part 1, we looked at how to choose what type of certificate we need (self-signed, signed by an internal CA or signed by a public CA), how to create a certificate request and then how to import the certificate into Exchange. In this part, we’ll look at how to set up Exchange to use the certificate.
Introduction
As we mentioned in the last post, Exchange requires SSL certificates for each client access service. These include the following services:
- Outlook Anywhere
- Autodiscover
- Offline Address Book
- Exchange Web services
- Outlook Web Access
- Exchange Control Panel
In our example, we have a single Exchange server, litex01.litwareinc.com, and we’ll be assigning services to the new certificate we imported in Part 1. Currently we get certificate errors in Outlook:
The security certificate was issued by a company you have chosen not to trust
How to assign services to a certificate
1) Check and identify the certificate
Open the Exchange Management Shell and run the following command on one line:
Get-ExchangeCertificate | fl FriendlyName,Issuer,IsSelfSigned,NotAfter,NotBefore,Status,Thumbprint,Services
Here you can see the certificate called “Litwareinc Exchange” that we imported in Part 1. It has a status of “valid”, it is not self-signed, its expiry date is shown in NotAfter, and it has not been assigned to any services, so Exchange is not yet using it.
Copy the Thumbprint for the certificate, 576B0C640BA47663C6C78280D12BFF7FCD68CA08.
2) Enable the certificate for use by the IIS and other services
The next step is to enable the certificate for use by the IIS and other services so that Exchange will use it for OWA, Outlook Anywhere, OAB, EWS, Autodiscover, POP, IMAP and SMTP.
Run this command on a single line to enable the certificate for the IIS, SMTP, POP and IMAP services:
Enable-ExchangeCertificate -Thumbprint 576B0C640BA47663C6C78280D12BFF7FCD68CA08 -Services IIS,SMTP,POP,IMAP
3) Confirm that Exchange is using the new certificate
We can do this in a number of ways. First, we can run the Get-ExchangeCertificate command we used earlier and check that the Services column now lists the enabled services:
Get-ExchangeCertificate | fl FriendlyName,Issuer,IsSelfSigned,NotAfter,NotBefore,Status,Thumbprint,Services
Second, we can open OWA and confirm that we no longer get any certificate warnings. Below we can see that the certificate is trusted and there are no errors in IE.
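The three steps above can be run as one checked procedure from the Exchange Management Shell. The script below is an added example, not code from the original post: it uses the thumbprint and server name from the post’s example environment, but the 30-day expiry warning threshold and the list of required services are assumptions made for this example. It refuses to assign services to a certificate that is not valid, warns if the certificate is self-signed or does not contain the server name clients connect to (a common reason warnings persist after the certificate is enabled), and then re-reads the certificate to confirm that every requested service is set.

```powershell
# Added example (not from the original post): steps 1 to 3 as one checked
# procedure. Thumbprint and server FQDN are the post's example values;
# the service list and expiry threshold are assumptions for this example.
$Thumbprint = '576B0C640BA47663C6C78280D12BFF7FCD68CA08'
$Services   = 'IIS','SMTP','POP','IMAP'
$ServerFqdn = 'litex01.litwareinc.com'

# Step 1: locate the certificate and stop if it is unusable.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop

if ($cert.Status -ne 'Valid') {
    throw "Certificate $Thumbprint has status '$($cert.Status)'; expected 'Valid'."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
}
if ($cert.IsSelfSigned) {
    Write-Warning 'Certificate is self-signed; clients will not trust it unless it is distributed to them.'
}
# CertificateDomains lists the names (CN and SANs) on the certificate. Clients
# connect by name, so a missing name still produces a certificate warning even
# after the certificate is enabled.
if ($cert.CertificateDomains -notcontains $ServerFqdn) {
    Write-Warning "Certificate does not contain $ServerFqdn; clients using that name will see a name mismatch."
}

# Step 2: assign the services. -Force suppresses the confirmation prompt that
# asks whether to overwrite the existing default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Services -join ',') -Force

# Step 3: re-read the certificate and confirm each requested service is now set.
$after   = Get-ExchangeCertificate -Thumbprint $Thumbprint
$missing = $Services | Where-Object { "$($after.Services)" -notmatch $_ }
if ($missing) {
    throw "Services not enabled on $Thumbprint : $($missing -join ', ')"
}
$after | Format-List FriendlyName,Issuer,IsSelfSigned,NotAfter,Status,Thumbprint,Services,CertificateDomains
```

Run it in the Exchange Management Shell on the server that holds the certificate. Without -Force, including SMTP in the service list makes Enable-ExchangeCertificate ask whether to overwrite the default SMTP certificate; the script answers that up front so it can run unattended.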
Conclusion
In this post, we’ve gone through how to assign services to our newly created certificate. In an upcoming post, I’ll demonstrate how to resolve certificate errors.