Installing a Unified Communications SSL Certificate for Exchange 2007

Categories: Microsoft Exchange, Unified Messaging

Secure communications in an Exchange enterprise messaging environment are critical.  In Exchange 2007, Microsoft introduced the use of Unified Communications (UCC) or Subject Alternative Name (SAN) SSL certificates.  These Secure Sockets Layer (SSL) certificates allow the secure use of multiple domain names with one certificate, with some certificate providers allowing the use of up to 100 domain names.  By default, when initially installed, Exchange 2007 provides a self-signed certificate which secures only the hostname of the server (NetBIOS name and FQDN).  For any use outside of a lab environment, you’ll want to purchase and install a UCC certificate.  UCC certificates can be purchased from any major SSL certificate provider (e.g., GoDaddy, GeoTrust, Entrust, Comodo, etc.).

In this example, I’ll show you how to replace a single domain third-party certificate and a self-signed SSL certificate with a new UCC certificate.

Step 1: Certificate Signing Request (CSR)

This is the “planning” stage.  The most important part of creating your CSR is to pick your domain names carefully.  I recommend a five-domain-name UCC certificate, using the following names:

  • mail.example.com (Internet FQDN)
  • example.com (Internet domain)
  • InternalHost (internal hostname)
  • InternalHost.example.com (internal FQDN)
  • autodiscover.example.com (Internet hostname used by the “autodiscover” service)

Using the Exchange Management Shell, generate the CSR:

New-ExchangeCertificate -GenerateRequest -Path c:\cert\mail_example_com.csr -KeySize 1024 -SubjectName "c=US, s=State, l=City, o=CompanyName, cn=mail.example.com" -DomainName example.com, InternalHost, InternalHost.example.com, autodiscover.example.com -PrivateKeyExportable $True

Navigate to the path where you saved your CSR in the command above (c:\cert\mail_example_com.csr), open it with Notepad or your favorite text editor, and copy all the text.  Log in to your SSL certificate provider’s website and paste the text into the appropriate form.  Depending on their verification process, your certificate will be approved in anywhere from a couple of hours to a day.
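The CSR step is the one place where a wrong or missing name is cheap to fix, so it is worth checking the request before it goes to the provider. The script below is an added example, not code from the original post: it builds the same five-name request from one name list and then decodes the resulting file with certutil.exe (shipped with Windows) to confirm that every Subject Alternative Name is present. It assumes the Exchange 2007 Management Shell; the subject components (country, state, city, organization) are placeholders, and it uses a 2048-bit key rather than the 1024-bit key in the post, because public CAs no longer sign 1024-bit requests.

```powershell
# Added example (not from the original post): generate the UCC CSR from one name
# list, then verify the request actually carries every SAN before it is submitted.
# Assumes the Exchange 2007 Management Shell (New-ExchangeCertificate) and
# certutil.exe. Key size is 2048: public CAs no longer accept 1024-bit keys.

$CsrPath = 'c:\cert\mail_example_com.csr'          # same path as in the post
$Names   = @(
    'mail.example.com',          # Internet FQDN; the first entry becomes the CN
    'example.com',               # Internet domain
    'InternalHost',              # internal hostname
    'InternalHost.example.com',  # internal FQDN
    'autodiscover.example.com'   # Autodiscover hostname
)

function New-UccCsr {
    param([string]$Path, [string[]]$DomainNames, [int]$KeySize = 2048)
    # Subject components other than the CN are placeholders; change them to match your organization.
    $subject = "c=US, s=State, l=City, o=CompanyName, cn=$($DomainNames[0])"
    # Exchange adds the CN to the SAN list by itself; passing it again in -DomainName
    # is harmless and keeps one list authoritative (assumption based on documented behaviour).
    New-ExchangeCertificate -GenerateRequest -Path $Path -KeySize $KeySize `
        -SubjectName $subject -DomainName $DomainNames -PrivateKeyExportable $true
}

function Test-CsrSubjectAltNames {
    param([string]$Path, [string[]]$ExpectedNames)
    # certutil -dump decodes the PKCS#10 request; SAN entries print as "DNS Name=<name>"
    $dump = (certutil -dump $Path) -join "`n"
    $missing = @()
    foreach ($name in $ExpectedNames) {
        # Anchor the match at end of line so "InternalHost" is not satisfied by
        # "InternalHost.example.com"
        if ($dump -notmatch ('DNS Name=' + [regex]::Escape($name) + '\s*(\n|$)')) {
            $missing += $name
        }
    }
    if ($missing.Count -eq 0) {
        Write-Host "CSR at $Path contains all $($ExpectedNames.Count) names"
        return $true
    }
    Write-Warning ('CSR is missing SAN entries: ' + ($missing -join ', ') + ' - fix before submitting')
    return $false
}

New-UccCsr -Path $CsrPath -DomainNames $Names
if (Test-CsrSubjectAltNames -Path $CsrPath -ExpectedNames $Names) {
    # This is the text you paste into the certificate provider's request form
    Get-Content $CsrPath
}
```

If the check reports a missing name, regenerate the request rather than editing the file: the CSR is signed with the private key, so any hand edit invalidates it.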

Step 2: Install and Enable New UCC Certificate

Follow the directions provided by your SSL certificate provider to install any required intermediate certificates, if applicable.  Copy your UCC certificate to an easily accessible path on your Exchange server (e.g., c:\cert), then issue the following command using the Exchange Management Shell:

Import-ExchangeCertificate -Path c:\cert\mail.example.com.crt -FriendlyName "GoDaddy UCC 2009" | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP" -Force

Step 3: Remove Expired or Unnecessary Certificates

Record the thumbprints of the existing certificates that you wish to remove:

Get-ExchangeCertificate | ft

OR

Get-ExchangeCertificate | fl

Remove the expired third-party single-domain certificate:

Remove-ExchangeCertificate -thumbprint [thumbprint ID]

Remove the self-signed (hostname) certificate:

Remove-ExchangeCertificate -thumbprint [thumbprint ID]
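Removing certificates by hand-copied thumbprint is where mistakes happen, so here is an added example (not code from the original post) that first confirms the new UCC certificate is valid, covers every name and is enabled for every service, and only then lists the certificates that meet the post's removal criteria (expired, or the self-signed hostname certificate) and removes each one behind a confirmation prompt. It assumes the Exchange 2007 Management Shell; the thumbprint value is a placeholder for the one Import-ExchangeCertificate printed in Step 2, and the property names (Status, CertificateDomains, Services, IsSelfSigned, NotAfter) are those exposed by Get-ExchangeCertificate.

```powershell
# Added example (not from the original post): verify the new UCC certificate, then
# list and remove only the expired or self-signed certificates, with a prompt each.
# Assumes the Exchange 2007 Management Shell. $NewThumbprint is a placeholder.

$NewThumbprint    = 'REPLACE-WITH-NEW-UCC-THUMBPRINT'
$RequiredNames    = 'mail.example.com', 'example.com', 'InternalHost',
                    'InternalHost.example.com', 'autodiscover.example.com'
$RequiredServices = 'IIS', 'POP', 'IMAP', 'SMTP'

function Test-UccCertificate {
    param([string]$Thumbprint, [string[]]$Names, [string[]]$Services)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $problems = @()
    # A Status other than Valid usually means a missing intermediate certificate
    if ($cert.Status -ne 'Valid') { $problems += "status is $($cert.Status)" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
    $enabled = $cert.Services.ToString()       # e.g. "IMAP, POP, IIS, SMTP"
    foreach ($svc in $Services) {
        if ($enabled -notmatch "\b$svc\b") { $problems += "not enabled for $svc" }
    }
    foreach ($name in $Names) {
        if ($cert.CertificateDomains -notcontains $name) { $problems += "does not cover $name" }
    }
    if ($problems.Count -gt 0) {
        Write-Warning ("New certificate $Thumbprint is not ready: " + ($problems -join '; '))
        return $false
    }
    Write-Host "New certificate $Thumbprint is valid and bound to $($Services -join ', ')"
    return $true
}

function Get-RemovalCandidates {
    param([string]$KeepThumbprint)
    # Same criteria as the post: expired third-party cert and the self-signed hostname cert
    Get-ExchangeCertificate | Where-Object {
        $_.Thumbprint -ne $KeepThumbprint -and
        ($_.NotAfter -lt (Get-Date) -or $_.IsSelfSigned)
    }
}

if (Test-UccCertificate -Thumbprint $NewThumbprint -Names $RequiredNames -Services $RequiredServices) {
    $old = @(Get-RemovalCandidates -KeepThumbprint $NewThumbprint)
    $old | Format-Table Thumbprint, Subject, NotAfter, IsSelfSigned, Services -AutoSize
    # One removal at a time, each behind a prompt, so a wrong thumbprint cannot slip through
    foreach ($c in $old) {
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm
    }
}
```

Nothing is removed unless the new certificate passes every check first; if Test-UccCertificate warns about a Status other than Valid, install the provider's intermediate certificates and rerun it before touching the old ones.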

Step 4: Wrap Up

To apply all changes, restart the following service: Microsoft Exchange Transport.
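Restarting the service is the last step the post gives; the check a practitioner wants after it is proof that clients are actually handed the new certificate. The added example below (not code from the original post) restarts the Transport service by its service name, then opens a TLS connection to port 443, the port OWA, Outlook Anywhere and Autodiscover use, and compares the presented certificate's thumbprint with the expected one. It assumes PowerShell 2.0 or later (for the script-block-to-delegate cast and try/finally) and the .NET Framework; the thumbprint and hostname are placeholders.

```powershell
# Added example (not from the original post): restart the Transport service, then
# confirm the certificate served on port 443 is the new UCC certificate.
# Assumes PowerShell 2.0+ and .NET. $NewThumbprint and $HostName are placeholders.

$NewThumbprint = 'REPLACE-WITH-NEW-UCC-THUMBPRINT'
$HostName      = 'mail.example.com'

Restart-Service MSExchangeTransport   # service name of "Microsoft Exchange Transport"

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends here: this function inspects, it does not
        # trust. The caller compares the result against the expected thumbprint.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-PresentedCertificate {
    param([string]$HostName, [string]$ExpectedThumbprint)
    $cert     = Get-PresentedCertificate -HostName $HostName
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()   # normalize copy/paste spacing
    if ($cert.Thumbprint -ne $expected) {
        Write-Warning "$HostName still presents $($cert.Thumbprint) ($($cert.Subject)), not $expected"
        return $false
    }
    # Print the SAN extension (OID 2.5.29.17) so name coverage can be confirmed from the client side
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') { Write-Host ('SAN: ' + $ext.Format($false)) }
    }
    Write-Host "$HostName presents the new certificate, valid until $($cert.NotAfter)"
    return $true
}

Test-PresentedCertificate -HostName $HostName -ExpectedThumbprint $NewThumbprint
```

Run the check from a workstation rather than the server itself where possible, and once per published name (mail, autodiscover, the internal FQDN), since a name that is missing from the SAN list only shows up as a client-side error for that name.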

Enjoy!

  • With clients that house multiple domains, Unified Communications SSL is a simpler and easier way to address this. And this blog is a great overview I can point clients on Exchange 2007 to regarding the simplified process. Thanks!

  • Thanks for the tip (I love promo codes!). I usually use GoDaddy for my SSL certificates as they are wayyy cheaper! A premium SSL certificate with features similar to what you mentioned goes for $99/year at GoDaddy, which is over $800 in savings. I'm not sure why the cost is so far apart. Are these perpetual licenses, compared to GoDaddy's (& others) yearly licenses?

  • Hey, I was looking for the same. Is this so easy? And only this many steps are involved? I just don't believe this.

    Anyway, thanks for sharing it!

  • UCC / SAN is the comprehensive solution to secure multiple domains using a single SAN SSL / UCC (Unified Communications) certificate. Thanks for sharing with us a SAN SSL solution for Exchange 2007.