Just a quick how-to here on creating a CSR and installing the corresponding digital certificate in Microsoft Exchange 2010. This differs from the same task on Exchange 2007 in that there is no longer any need for long-winded shell commands.
In the Exchange Management Console click on Server Configuration. Right-click the server you wish to create a CSR for and choose New Exchange Certificate.
Enter the friendly name for the new cert. Make it relevant to the server so you will know where the cert is assigned in the future. Then click Next.
Next we get the option of selecting a domain scope, namely whether we want a wildcard certificate. Exchange 2010 does support wildcard certificates; however, a standard SAN (Subject Alternative Name) certificate is usually recommended. In this example we will click Next and continue with a SAN configuration, as this is the most common.
Next you will see the domain/cert configuration for all the different aspects of Exchange that you would like to sign with this digital certificate. You will be able to configure the names of each service.
First up we will configure the Client Access server (Outlook Web App). Begin by clicking the little down arrows to the right of the heading.
Enter your internal Exchange server address. Here I’ve used internal.domain.com; however, it would usually be something like servername.domain.local for the internal, and the external would be what you call the server from the outside world, i.e. its subdomain name / address.
The next portion is the ActiveSync domain name. I usually use the same as the external subdomain/address of the server (external.domain.com); this simplifies configuration by making it the same as the Outlook Web App address. I’ve smudged it out as this screen grab was from a production server.
The next part is the Web Services, Outlook Anywhere, and Autodiscover. Again, it is best to use the same external address as the Outlook Web App and server address, for ease of configuration and to avoid confusing end users. For the Autodiscover portion there should be a prefilled area with autodiscover.domain.com, etc.
Lastly, I usually configure the Hub Transport server SSL for secure SMTP communication. Use the same external address we have been using all along for ease of configuration; external.domain.com has been my example. Here I’ve scrubbed it out as this was from a production server.
Once you’re happy with the config, click Next.
The next screen will give you a list to review all of the names included in the certificate. Here you can add any additional names. Ensure that the external.domain.com domain name example is selected as the common name; it should be in bold.
Next we configure the Organization details. Substitute your own details.
After this process you will be given a summary of all the information entered to go over. Ensure all looks to be in order and click New to create the certificate configuration and the Exchange CSR used to request the actual certificate.
Now you can take your CSR file (called the .req file in this case) and generate a certificate with a Certificate Signing Authority. The steps below cover installing the certificate and completing the process. Do this by right-clicking on the certificate in the Exchange Certificates field and selecting the Complete Pending Request… option.
Next we select the downloaded signed certificate. Sometimes your certificate file extension may be .crt as opposed to the Microsoft default of .cer, which is worth keeping in mind when using the browse function to navigate to your file.
Once you have selected the file, choose Complete.
Next we will Assign Services to the Digital Certificate
Now that we have a valid certificate installed, we need to assign services to the digital certificate before it will be used. Do this by right-clicking on the installed certificate and selecting Assign Services to Certificate…
Next there will be a list of servers. Select the server that the cert has been assigned to, then click Next. After that you will see a list of services; check the appropriate services and continue by clicking Next. You will be prompted to overwrite the existing default certificate; simply click Yes To All to overwrite and install the new cert.
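As an added check that is not part of the original walkthrough, this Exchange Management Shell snippet confirms what the wizard produced: the certificate is valid, holds its private key, carries every name entered above and has its services assigned. The host names are this article's placeholders; the friendly name and the required services (IIS and SMTP) are assumptions to adjust.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Host names are the article's placeholders; friendly name and services are assumptions.
$friendlyName     = 'Exchange 2010 SAN cert'   # hypothetical: the friendly name you entered
$expectedNames    = 'external.domain.com', 'autodiscover.domain.com', 'internal.domain.com'
$expectedServices = 'IIS', 'SMTP'              # assumed: OWA/ActiveSync/Web Services + Hub Transport

# If the friendly name was reused, look at the certificate that expires last.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' was found." }

$problems = @()

# A request that was never completed stays at PendingRequest instead of Valid.
if ("$($cert.Status)" -ne 'Valid') { $problems += "Status is '$($cert.Status)', expected 'Valid'" }

# Completing the pending request must leave the private key with the certificate.
if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key on this server' }

if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }

# Every name configured in the wizard should be present in the issued certificate.
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
foreach ($name in $expectedNames) {
    if ($domains -notcontains $name) { $problems += "Name missing from certificate: $name" }
}

# Services is a flags value that renders as e.g. "IIS, SMTP"; split it for comparison.
$assigned = @("$($cert.Services)" -split '\s*,\s*')
foreach ($svc in $expectedServices) {
    if ($assigned -notcontains $svc) { $problems += "Service not assigned: $svc" }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Certificate $($cert.Thumbprint) is valid, has all expected names and services."
}
```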
And that’s it!
Hope I’ve helped, questions in the comments. Cheers