Wednesday, November 6, 2013

Creating and Renew Exchange certificate from Internal Certificate Authority

Environment in my lab
(Domains used in my lab are fictitious and only for demonstration purpose only)

Domain name :
DC role : ADC + CA (Certificate Authority is installed on DC) *
CAS/Hub Server Name : ACasHub
Exchange server version : Exchange 2010
Windows version : Windows 2008 R2 Ent

In my lab, CAS/Hub roles are installed on seperate roles and assuming certificates are going to expired and for that reason, we are going to renew certificate on CAS/Hub server role

Here is the process of Renewing certificate which is Installed on Exchange CAS/HUB server

For the purpose of understanding, I am using Exchange management console to renew the Certificate, We can also use Exchange Management Shell, which i will be covering in next blog.

We need to renew the highlighted “ACASHUB server”. The name of the certificate is “*” which is “Self-Signed” and services assigned are “IIS” and “SMTP”

We selected the highlighted services and choose the option “Renew Exchange certificate

Highlighted certificate “*” would be using to renew certificate process, Self-Signed Status is showing “False” which means the certificate is been assigned from CA (Internal or 3rd party)

Click on browse on above browse button and select a location on your server to save “ .REQ” Extension file. 

In my lab I am renewing certificate with a name of the Server in folder name “New Exchange Certificate”
this is the REQ file generated by Exchange Server for certification Renew request

After saving file, Please click on RENEW button from the bottom of the Wizard and you would be the End of the confirmation wizard.

After finishing, Certificate wizard, you will find new Certificate for Server “ACasHub” where status is showing “This is a pending certificate signing request (CSR)” and check the services status, which is now “NONE”

And this is REQ file generated by Exchange server for certification renew

certutil -encode c:\renewal.req c:\base64renewal.req 

2nd Part
there are two process for Enrollment 
(a) Copy the file to CA server and initiate the process of Certificate approval using web
(b) From the Exchange server, you can initiate the process of Certificate approval using web 

In our process, we are copying file *.REQ file to CA

We need to copy the *.REQ file to the CA.
In case of internal CA, you can copy the file into the CA or if it is a 3rd party, you need to follow the URL of their respective services to upload file and get a CERTIFICATE REQUEST file

So now we are at Internal CA, where we copied file “ACasHub.req” from our CAS/Hub server.

Logged into your CA and open Internet Browser and type URL http://servername/certsrv or https:// servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages and this process is known as Request a certificate over the Web

From Here, Select “Request a Certificate” Under “Select a Task”

Now select “Advanced certificate request” and then

In this screen, the file that we copied from our CAS/Hub server, should be opened in a notepad and Highlight the content from Edit Menu “Select All” > Copy the content in the Renewal request page

And paste the content in Based-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) and make sure the “Certificate Template” should be “Web Server”

And then click on Submit

if you need subject alternative names, add in attributes box as

because we are renewing the certificate request, I Kept it as empty

The next page we will be getting is to “Download Certificate”

Here you will find two Radio button “DER encoded” or “Base 64 encoded” and two option of downloading the Certificate  “Download Certificate” and “Download Certificate Chain”

So highlight “Base 64 encoded” and select “Download Certificate” URL

Now you will be prompted to download a file with Extension name “ *.CER “

Save this “ *.CER” file and copy it to the CAS/Hub server

In Exchange Management console, highlight the Certificate that is pending for “Certificate signing request”, Right click > Complete Pending Request > Browse and provide “ *.CER” file that we have downloaded

And now the status of “Exchange certificate” is complete, now as a next step we need to assign services

Highlight the certificate and assign services

In the Assign services to certificate, highlight the CAS/Hub server for which you want to install Certificate.

In case, if CAS and Hub are installed on different box, then for CAS server, Services needs to be assigned would be IIS, POP, IMAP and Hub Transport Service “SMTP” service
And here you can add the list of the server for which you want to assign services to the certificate at once

Here you need to select Services

And next

Here I am assuming that the certificate has been expired on my lab so I would select “Overwrite the existing default SMTP certificate” or else you can select “NO” and as a result it will generate two certificate.
One which we created and another older certificate and later we can delete the older/ expired certificate.

After assigning services to the certificate, restarting Exchange services like for Hub Transport server, Restarting “Ms Exchange Transport” works and most of the from command prompt IISRESET will work.
Or from the services console“

Part 4 How to backup Certificate

And for backup CA (Internal), you can backup by highlighting Server under “Certification Authority” right click “All Tasks” and then “Backup CA”

No comments:

Post a Comment