Configure SSL Certificates to Use Multiple Client Access Server Host Names
Applies to: Exchange Server 2010
You can use the Shell to configure your Secure Sockets Layer (SSL) certificates to use multiple host names.
When you deploy your Microsoft Exchange Server 2010 Client Access servers, you must make sure that all your clients, such as Microsoft Office Outlook Web App and Office Outlook 2007, will be able to connect to the services by using an encrypted session without receiving an error message that states that the certificate isn't trusted.
By using the Shell, you can create a certificate request that includes all the DNS host names of the Client Access servers. Users can then connect to services such as Outlook Anywhere, Autodiscover, POP3 and IMAP4, or Unified Messaging by using any of the host names listed in the certificate's subject alternative name attribute. For example, your users may be able to connect to your Exchange services by specifying the name as shown in the following examples:
- https://CAS01/owa
- https://CAS01.FQDN.name/owa
- https://CASIntranetName/owa
- https://autodiscover.emaildomain.com
Instead of having to require multiple certificates and maintain the configuration of multiple IP addresses and Internet Information Services (IIS) Web sites for each IP port and certificate combination, you can create a single certificate that enables clients to successfully connect to each host name by using SSL or Transport Layer Security (TLS).
You can create a single certificate by adding all the possible DNS name values to the certificate Subject Alternative Name property on the certificate request. A Windows–based Certificate Services certification authority should create a certificate for such a request.
Note
Third-party or Internet-based certification authorities will issue certificates only for DNS names that you are authorized to use. Therefore, intranet DNS names probably won't be allowed.
To configure your SSL certificates to use multiple Client Access server host names, do the following:
- Use the New-ExchangeCertificate cmdlet to create a certificate request file.
- Send this file to a Windows Certificate Services certification authority and use the Web server template on the Certification Authority page. This will result in a .cer file that can be imported to the Client Access server.
- Use the Get-ExchangeCertificate cmdlet to determine the thumbprint for your certificate.
- After you've imported the certificate, you can assign it to IIS, IMAP4, and POP3 by using the Enable-ExchangeCertificate cmdlet.
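The note above warns that a certification authority may not issue every name you requested. The following added example (not part of the original article or of Exchange itself) opens the .cer file returned by the CA with the .NET X509Certificate2 class and checks that its Subject Alternative Name extension contains every host name you asked for, before you import it. The file path and the list of host names are assumed values for illustration.

```powershell
# Added example: verify the CA-issued .cer before importing it on the Client Access server.
# Path and host names below are assumptions, not values from the original article.
$CerPath = 'C:\certs\cas01.cer'
$RequiredNames = @(
    'CAS01',
    'CAS01.exchange.corp.contoso.com',
    'exchange.contoso.com',
    'autodiscover.contoso.com'
)

# Load the public certificate from the file (no private key is needed for this check).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# OID 2.5.29.17 identifies the Subject Alternative Name extension.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) {
    throw "No Subject Alternative Name extension; only the subject '$($cert.Subject)' would match."
}

# Format($true) renders the extension as one 'DNS Name=<name>' entry per line on Windows.
$sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value }

# Comparison is case-insensitive, as DNS names are.
$missing = $RequiredNames | Where-Object { $sanNames -notcontains $_ }

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"SAN names  : $($sanNames -join ', ')"

if ($missing) {
    # Typical cause: a public CA dropped intranet-only names such as 'CAS01'.
    Write-Warning "Names missing from the SAN extension: $($missing -join ', ')"
} else {
    'All required host names are present in the SAN extension.'
}

if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
}
```

If any name is reported missing, clients that connect with that name will still see a trust error after the import, so resolve it with the CA (or split the intranet names onto an internally issued certificate) before running Import-ExchangeCertificate.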
Looking for other management tasks related to SSL? Check out Managing SSL for a Client Access Server.
Prerequisites
- You have logged on to your computer using an account that's not in the Administrators group, and then used the runas command to run IIS Manager as an administrator. This is a security best practice. To do this, at a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
- You have read TLS Functionality and Related Terminology in Exchange 2010. This contains information about the many variables you must consider when you configure certificates for SSL or TLS services and how these variables can affect your overall configuration.
Use the Shell to create a certificate request file
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example creates a text file that contains a certificate request in PKCS#10 format.
New-ExchangeCertificate -GenerateRequest -SubjectName "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -DomainName CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -Path c:\certrequest_cas01.txt
Use the Shell to import a certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example imports a previously obtained certificate.
Import-ExchangeCertificate -path <certificate_file_name>.cer -friendlyname "Contoso CAS01"
Use the Shell to determine the thumbprint of your certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example determines the thumbprint of a certificate that matches the host name of CAS01.
Get-ExchangeCertificate -DomainName "CAS01"
Note
This example will return multiple certificates if there are several certificates that match the host name you specified. Therefore, make sure that you select the thumbprint of the correct certificate for your request.
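Because Get-ExchangeCertificate can return several matching certificates, the thumbprint you pass to Enable-ExchangeCertificate should be selected on more than the host name alone. The following added example (not part of the original article or of Exchange itself) filters the output of Get-ExchangeCertificate down to certificates that cover every required host name, are not self-signed, are not expired and report a valid status, and then reports which thumbprint to use. The host names are assumed values; the property names used (Thumbprint, CertificateDomains, IsSelfSigned, NotAfter, Status) are the ones shown when you pipe Get-ExchangeCertificate to Format-List.

```powershell
# Added example: choose the correct thumbprint when several certificates match a host name.
# Host names are assumptions, not values from the original article.
$RequiredNames = @(
    'CAS01',
    'CAS01.exchange.corp.contoso.com',
    'exchange.contoso.com',
    'autodiscover.contoso.com'
)

$candidates = @(Get-ExchangeCertificate | Where-Object {
    $c = $_
    # CertificateDomains holds domain objects; compare on their string form.
    $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
    $coversAll = $true
    foreach ($name in $RequiredNames) {
        if ($domains -notcontains $name) { $coversAll = $false }
    }
    $coversAll -and
    (-not $c.IsSelfSigned) -and          # a self-signed certificate is not trusted by clients
    ($c.NotAfter -gt (Get-Date)) -and    # skip expired certificates
    ($c.Status -eq 'Valid')              # chain and revocation checks passed
})

switch ($candidates.Count) {
    0 {
        throw 'No valid, CA-issued certificate covers all required host names.'
    }
    1 {
        $chosen = $candidates[0]
    }
    default {
        # Several usable certificates (for example an old one still installed after
        # renewal): prefer the one that expires last and say so.
        $chosen = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
        Write-Warning ("{0} certificates match; choosing the one valid until {1}." -f
            $candidates.Count, $chosen.NotAfter)
    }
}

"Thumbprint : $($chosen.Thumbprint)"
"Subject    : $($chosen.Subject)"
"Expires    : $($chosen.NotAfter)"
"Services   : $($chosen.Services)"

# Preview the assignment; remove -WhatIf to apply it.
Enable-ExchangeCertificate -Thumbprint $chosen.Thumbprint -Services 'IIS,POP,IMAP' -WhatIf
```

Run the script once with -WhatIf to confirm the selected thumbprint, then remove that parameter to perform the assignment; the old certificate remains installed, so remove it separately once clients have been verified against the new one.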
Use the Shell to assign the certificate to IIS, POP3, and IMAP4
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.
This example assigns the certificate to IIS, POP3, and IMAP4.
Enable-ExchangeCertificate -thumbprint <certificate-thumbprint> -services "IIS,POP,IMAP"
This example imports the certificate and, in a single pipeline, assigns it to the IIS, POP3, and IMAP4 services on the server.
Import-ExchangeCertificate -Path <certificate_file_name>.cer -FriendlyName "Contoso CAS01" | Enable-ExchangeCertificate -Services "IIS,POP,IMAP"
For more information about syntax and parameters for the Import-ExchangeCertificate, Enable-ExchangeCertificate, Get-ExchangeCertificate, and New-ExchangeCertificate cmdlets, see Global Cmdlets.