Add Unified Communications Certificate to Microsoft Exchange
Customers often ask why they need a UCC certificate for their Microsoft Exchange server. Well, first let’s address what a UCC certificate is. A Unified Communications Certificate is an SSL certificate that lets you use and secure multiple names in one domain. With just one UCC cert, you can have up to 99 Subject Alternative Names.
The reason we use a UCC is the multiple ways that Exchange is accessed. Web services are key to the product – it isn’t just Office Web Apps secured via IIS. It is Autodiscover, Availability, Web Services and Offline Address Book distribution, and all of it needs to be accessed in a secure manner.
It is very common to point the internal services to the local FQDN of the server. However, be aware that after November 1, 2015, Certificate Authorities are phasing out the issuance of certificates for internal names, and you should not configure internal domain names in the UCC certificate. So you ask, “What do I do?”
It’s possible to have none of the internal domains listed on the certificate IF you’re running a split DNS system and don’t have Unified Communications in use. You would need to change all of the URLs to use the external host names and ensure that the external host names resolve internally to the internal IP address.
You don’t need to have the RPC CAS Array on the SSL certificate.
Internally, Autodiscover works from the value of AutoDiscoverServiceInternalUri, which is set with Set-ClientAccessServer. By default, that host name is the real name of the server holding the Client Access role.
You can change it to another URL if you wish, and as long as that resolves and is in the SSL certificate as one of the host names, then it will work correctly.
If you are using the UC role or Lync, then you will need to have the server’s NETBIOS and FQDN in the certificate (otherwise Exchange will use a self-signed SSL certificate).
You must first generate a CSR to send to a third-party CA to receive a UCC cert; after you receive the SSL certificate, you’ll need to log in and install it. Below is the “easy” process for installing a UCC cert in Exchange 2010.
How to Install a UCC in Exchange 2010
There is a very long command in PowerShell that will generate the CSR; however, DigiCert has simplified this process.
Log in to the Exchange server and open Exchange Management Console > Server Configuration > Client Access > OWA properties:
- Copy mail.domain
- Go to digicert.com: https://www.digicert.com/easy-csr/exchange2010.htm
- Paste mail.domain under Common Name: field
- Generate CSR for Exchange 2010
Exchange 2010 SSL CSR Command Wizard
(The faster way to make your Certificate Signing Request in Exchange 2010)
Fill in the details, click Generate, then copy your CSR command into Exchange Management Shell. See example below:
Now just copy and paste this command into Exchange Management Shell. Your CSR will be written to c:\mail_sitek-group_com.csr.
New-ExchangeCertificate -GenerateRequest -Path c:\mail_sitek-group_com.csr -KeySize 2048 -SubjectName "c=US, s=Missouri, l=Fenton, o=FPWEB, ou=FPWEB, cn=mail.sitek-group.com" -DomainName autodiscover.sitek-group.com, sitekgrpexch01, sitekgrpexch01.sitek-group.com.local -PrivateKeyExportable $True
Where do you paste this command?
Run the command in the Exchange Management Shell on your server:
- Login to your Exchange 2010 server
- Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell
- Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter
- Your CSR file should now be in C:\ on your server (as named by the -Path option in the command itself).
- Click Generate and copy text
- Copy contents of CSR and send to Customer Care
Install SSL on Microsoft Exchange
Step 2: Import the SSL certificate and copy thumbprint.
Step 3: Run the following command where “c:\newcert.cer” is the location and name of your certificate: Import-ExchangeCertificate -path c:\newcert.cer
Step 4: Copy the thumbprint by doing the following:
- Open the Exchange Management Shell.
- Run the following command:
dir cert:\LocalMachine\My | fl
- Locate the certificate you just imported and copy the Thumbprint property to the Windows Clipboard.
Step 5: Enable the certificate on the Default Web Site:
- Open the Exchange Management Shell.
- Run the following command: Enable-ExchangeCertificate -Thumbprint [value you got from above] -Services "IIS,IMAP,POP"
- Restart the POP3 and IMAP4 services by opening the Component Services Windows administrative tool, selecting “Microsoft Exchange POP3” or “Microsoft Exchange IMAP4”, right-clicking, and choosing “Restart”. IIS does not need to be restarted.
Whew, almost done – now just check your OWA and view the certificate. Make sure the dates match up with the certificate you purchased. And you’re finished!
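As an added example (not from the original post, Fpweb.net or DigiCert), here are the import, thumbprint lookup, enable and check-the-dates steps above as one Exchange Management Shell script, plus a check that every host name Exchange publishes (Autodiscover and the virtual directory URLs discussed earlier) is actually on the certificate. The file path C:\newcert.cer and the common name mail.sitek-group.com are assumptions taken from the page’s sample values.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Assumptions: the issued certificate is at C:\newcert.cer and its common name is
# mail.sitek-group.com (the page's sample values). Adjust both for your server.
$CertFile   = 'C:\newcert.cer'
$CommonName = 'mail.sitek-group.com'

# Import the issued certificate from its raw bytes.
$bytes = [Byte[]](Get-Content -Path $CertFile -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $bytes | Out-Null

# Find the thumbprint by common name instead of copying it out of 'dir cert:\'.
# If an older certificate for the same name is still installed, take the newest.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "CN=$CommonName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$CommonName found after import." }

# Bind it to IIS, IMAP and POP, then restart the two services that need it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,IMAP,POP'
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# Check 1: validity window and chain status (Status should read Valid).
"Valid from {0} to {1}, status: {2}" -f $cert.NotBefore, $cert.NotAfter, $cert.Status

# Check 2: every host name Exchange publishes must appear as a SAN, or Outlook,
# ActiveSync and OWA clients will see a name-mismatch warning.
$urls = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$vdirs = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory
           Get-WebServicesVirtualDirectory; Get-OabVirtualDirectory
           Get-ActiveSyncVirtualDirectory)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique
$sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
foreach ($h in $hosts) {
    # Exact match only; wildcard SANs are not handled here.
    if ($sans -contains $h) { "OK      $h" } else { "MISSING $h  (not on certificate)" }
}

# Check 3: internal names (single-label or .local) are no longer issued by public
# CAs, so their presence means the URLs still need to be moved to external names.
$sans | Where-Object { $_ -notmatch '\.' -or $_ -like '*.local' } |
    ForEach-Object { "WARNING internal name on certificate: $_" }
```

Any MISSING line means that URL must be changed (as described above for split DNS) or the name added to the certificate before clients will connect without warnings.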
There is, of course, one other way that this could be easier… Host your e-mail with Fpweb.net and have us do it!