Secure Exchange With SSL Certificate


SSL introduction

When a user tries to access their mailbox through Outlook Web Access (OWA) using the URL https://mail105/owa,

the browser shows a security warning indicating that the certificate on the Exchange server (mail105) is invalid.

Self signed certificate

The warning above actually has two parts.

The first part is good news: it tells us that the Exchange server (Mail105) does have a certificate to secure its connection.

The second part is the bad news: the certificate is only trusted on the Exchange server itself and NOT on the other computers in the network.

This is because it is a self-signed certificate: it was created on the Exchange server (mail105) itself and is signed by nobody but mail105, so only mail105 has any reason to trust it. A browser on any other computer has no trust anchor for it and correctly warns.

So, if we want a certificate that is accepted and recognised by ALL computers in the network, we have to use a certificate issued by the domain Certificate Authority (CA).

The Certificate Authority has already been installed and verified in the previous article (Certificate Authority: Part 1 ADCS).

The small remaining part of the work is to configure Mail105.pioneers.lab to use the CA on DC101 to secure the OWA connection.

Before moving on to configure the certificate on Mail105.pioneers.lab, please have a look at the network diagram below.

[Pioneers Exchange setup diagram]

To understand the diagram above:

  1. The Certificate Authority is installed on DC101.pioneers.lab and is responsible for issuing a certificate to any server that requests one.
  2. On the Certificate Authority we have created a certificate template called exchange2016. Note that the default template called Web Server can be used instead.
  3. The Exchange server (mail105.pioneers.lab) generates a request asking for a certificate. This is the part done in this article.
  4. The Certificate Authority on DC101 creates the certificate based on the Exchange request.
  5. Mail105 imports the certificate we got from the Certificate Authority.
  6. On the Exchange server we apply the imported certificate to the Exchange services: SMTP, OWA (IIS), POP and IMAP.
  7. Now any computer on the LAN or DMZ that accesses OWA connects over a trusted secure connection. Domain-joined computers trust the new certificate because the enterprise CA's root certificate is published to them through Active Directory; a computer outside the domain needs the DC101 root certificate imported into its trusted root store first.

Generate SSL request

The first part is already done, see Certificate Authority: Part 1 ADCS, and so is the second part (the certificate template).

Now it is time to generate the request for the SSL certificate on the mail server.

Open the Exchange Control Panel at https://Mail105/ecp > servers > mail105 > certificates.

You will find some self-signed certificates which, as mentioned before, are NOT trusted by the other computers in the network.

  1. In https://Mail105/ecp > servers > certificates, click +.
  2. Select Create a request for a certificate from a certification authority.
  3. Give the certificate a name.
  4. We are targeting one specific server, Mail105, so we do not need a wildcard certificate.
  5. Select the target server: mail105 (currently the ONLY Exchange server in pioneers.lab).
  6. OWA will be used internally (intranet), so select the server name. The certificate will be applied when clients use https://Mail105/owa or https://Mail105.pioneers.lab/owa.
  7. Fill in the certificate information (organisation details) > next.
  8. The request must be saved to a shared folder as a .req file. I created the shared folder on the server itself (\\Mail105\share01).
  9. The request is created and is waiting to be completed.

Create certificate in CA based on Exchange request

Now it's time to move to the Certificate Authority on DC101 and create a certificate based on the request above.

  1. Open the CA web enrollment site https://dc101.pioneers.lab/certsrv, providing the credentials pioneers\administrator.
  2. Select Request a certificate > advanced certificate request.
  3. Open the request file on the shared folder in a text editor and copy all of its content.
  4. Paste the text into the Saved Request box and make sure the certificate template is exchange2016.
  5. Download the certificate and open the folder it was saved to.

import certificate to exchange control panel ECP

In this step we import the certificate.

  1. Copy the certificate downloaded in the previous step to the shared folder \\Mail105\share01 (rename the file if you wish).
  2. Open ECP (sometimes called EAC, the Exchange Admin Center) > servers > certificates, select the pending request and click complete.
  3. Provide the path of the certificate on the shared folder.

apply imported certificate to SMTP and OWA

The certificate is imported but NOT applied yet.

By default it is applied ONLY to POP and IMAP; we need to apply it to IIS (OWA) and SMTP as well.

  1. Select the certificate > edit > services, and tick SMTP and IIS.
  2. Accept the warning about replacing the existing SMTP certificate.
  3. Now the certificate is applied to all protocols: POP, IMAP, IIS, SMTP.
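The same request, issue, import and enable sequence can be run from the Exchange Management Shell on Mail105 instead of clicking through ECP and the Certsrv page. The block below is an added example, not code from the original article. It assumes a CA configuration string of DC101.pioneers.lab\pioneers-DC101-CA (the CA name is not given on this page), the share \\Mail105\share01, and the O/C values in the subject; run it as an account that has Enroll permission on the exchange2016 template (the article uses pioneers\administrator).

```powershell
# Added example (not from the original article): request, issue, import and
# enable the Mail105 certificate from the Exchange Management Shell.
# Assumptions not stated on the page: the CA config string below, the share
# \\Mail105\share01, and the O/C parts of the subject name.

$server   = 'MAIL105'
$share    = '\\Mail105\share01'
$caConfig = 'DC101.pioneers.lab\pioneers-DC101-CA'   # assumption: <CAHost>\<CAName>
$template = 'exchange2016'                           # template created on DC101

# 1. Generate the request on Mail105. The private key is created here and never
#    leaves the server; only the PEM request goes to the CA. No wildcard, just
#    the two names clients type for OWA. With a single Exchange server the key
#    does not need to be exportable.
$req = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'Mail105 OWA-SMTP (pioneers-DC101-CA)' `
    -SubjectName 'CN=mail105.pioneers.lab,O=Pioneers Lab,C=US' `
    -DomainName 'mail105.pioneers.lab','mail105' `
    -KeySize 2048 -PrivateKeyExportable $false
Set-Content -Path "$share\mail105.req" -Value $req -Encoding Ascii

# 2. Submit the request to the enterprise CA with certreq instead of the Certsrv
#    web page; -attrib selects the template. If the template requires CA manager
#    approval, certreq only prints a request ID and no .cer file is written.
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" `
    "$share\mail105.req" "$share\mail105.cer"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$share\mail105.cer")) {
    throw "Certificate was not issued (certreq exit $LASTEXITCODE); check Enroll permission on the template"
}

# 3. Complete the pending request: Import-ExchangeCertificate matches the issued
#    certificate to the private key from step 1 by its public key.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes("$share\mail105.cer"))

# 4. Bind it to the same services the article enables. -Force suppresses the
#    prompt that asks whether to replace the existing self-signed SMTP certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
    -Services IIS,SMTP,POP,IMAP -Force

# 5. Check the result: Issuer should be the DC101 CA, Services should list all
#    four protocols and Status should be Valid (chain to the CA root trusted).
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, Issuer, CertificateDomains, Services, NotAfter, Status

# 6. Neither file contains the private key, but there is no reason to leave
#    them on a share once the certificate is installed.
Remove-Item "$share\mail105.req", "$share\mail105.cer"
```

The request file on the share is harmless to disclose, but the private key matching it exists only in the Mail105 certificate store, which is why completing the request must be done on the same server that generated it.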

Verify OWA From client computers

Now client users can use their computers to access Exchange OWA over https:

https://Mail105/owa or https://mail105.pioneers.lab/owa

  1. From a client computer, open https://mail105/owa.
  2. Provide the user name and password.
  3. Check the certificate (click the padlock in the browser).
  4. [Screenshot] The certificate is valid: issued by the CA on DC101 to Mail105.
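The padlock check can be scripted from a client computer so the result is visible before users complain. The function below is an added example, not part of the original article: it connects to OWA on port 443, reads the certificate the server presents, and rebuilds the trust chain with the client's own root store, which gives the same verdict the browser shows. The only assumption is the host name mail105.pioneers.lab.

```powershell
# Added example (not from the original article): reproduce the browser's
# certificate check from a client in the pioneers.lab domain.
# Assumption: the OWA host name mail105.pioneers.lab.
function Test-OwaCertificate {
    param(
        [string]$HostName = 'mail105.pioneers.lab',
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents during the handshake so that we
        # can inspect it; the real verdict is computed below with X509Chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the certificate is valid for: the SAN extension (OID 2.5.29.17).
        # Format() output is localised; "DNS Name=" is the English label.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names  = if ($sanExt) { ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }

        # Chain build against this client's trusted roots. The self-signed
        # Exchange certificate fails here with UntrustedRoot; one issued by the
        # enterprise CA passes on any domain member that has received the root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA; use Online where a CRL is reachable
        $trusted = $chain.Build($cert)

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NameMatches  = ($names -contains $HostName)
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            Valid        = ($trusted -and ($names -contains $HostName) -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-OwaCertificate
```

Run it once before the change and once after: the first run reports SelfSigned = True and ChainStatus = UntrustedRoot, the second should report the DC101 CA as Issuer, ChainTrusted = True and an empty ChainStatus. A run from a machine that is not joined to pioneers.lab will still fail the chain check until the CA root is installed there.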