Generate SAN / UC Certificate SSL on Exchange 2010

The generation of SAN SSL Certificates is slighlty diffrent in command then under Exchange 2007.

The customer has:

a) A internet site orExternal DNS Name of: customer.ch like for www.customer.ch or ftp.customer.ch

b) Active Directory Site called: customer.local

You have to know if he wants to do:

1) Activesync for Handy, IPAD; Iphone, Mobiles from outside (Iternet) [webmail.customer.ch]

2) Webmail/OWA from outside (Iternet) [webmail.customer.ch]

3) Webmail/OWA from inside (Intranet) [exchange.customer.local (Active Directory FQDN)]

4) Autodiscover from outside [autodiscover.customer.ch] OR / AND 5) inside  [autodiscover.customer.local] (Autodiscover means you ENTER the E-mail Address and Outlook find the Exchange Server and settings automatic via DNS entrys)

Then you need to buy a SAN Subject Alternative Name Certificate also called UC Certificate (Around EUR 200.- to 250.-) for 3 Names in germany. Additional nbames around EUR 20.- to 30.- per year.

 

Here is how to generate a SAN Request on Exchange 2010 for 3 Domains (SAN = 3 Domains)

webmail.customer.com (Will use it for Activesync and Webmail from Internet)
autodiscover.customer.local (Outlook 2007/2010)
exchange.customer.local  (Outlook 2007/2010 and Webmail Intranet)

In the example i KNOW that he will not use "Outlook Anywhere" (Outlook.exe on the road) if that would be the case your need a 3th Name like autodiscover.customer.ch

Make a variable $data and puts the Text of the SSL Cert into that var with:

$data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, S=BL, L=Basel, o=CUSTOMER AG, cn=webmail.customer.ch" -DomainName autodiscover.customer.local, exchange.customer.local  -PrivateKeyExportable:$True

The first one is listed UNDER cn=, The other two behind DOMAINAME.  Type this command to see if all names are coreent afterwards

get-Exchangecertificate | fl

Writes the content of the variable data to a file called " c:\customer_ch.req" (Name it whatever you want)

set-content -Path c:\customer_ch.req -value $data

At this point you have the Certificate Request which you can send to Comodo, Thawtee, Your ISP or post via Webform

Next you will have to proof that the company is the company they think it is. Send driver licence, Buisness report, telephone bill etc.

You will get some files back after a few hours or days. One of it is the certificate. (Example: 10996389.crt)

The GUID of the Certificate you can get with:

get-Exchangecertificate | fl

Like Example: C582FB58CFD7932681DFBB0E68B6942435CBEECD

Here is how to import the Certificate you GOT back from the ISP into the Exchange 2010:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\10996389.crt -Encoding byte -ReadCount 0))

Here is how to activate the Certificate for Service IIS/80/web, POP3 and IMAP:

enable-exchangecertificate -identity C582FB58CFD7932681DFBB0E68B6942435CBEECD -Services "IIS, POP, IMAP"