Unified Communications with Microsoft
Communications of the world, unite!
Wednesday, December 30, 2009
Free SSL Certificate for your Exchange 2010 server
I found that the free edition does not support SAN, so you might need another cert. for autodiscover.your_domain, but that is not a big deal. Class 2 and above will do it, and you can't beat their prices. I will seriously reconsider changing over when our production cert. expires.
Fill in the form and click Continue. An email with a validation code will be sent to the email address you've used on the form. Enter it and continue. You will be taken to your toolbox.
The first thing to do here is to verify your domain: click the Check DNS of Domain link. Enter your domain name and TLD, and click Check. Another validation email will follow; you know the drill. Once your domain is verified, it will appear here:
Now it is time to create your Exchange 2010 CSR (Certificate Signing Request). Go to your Exchange server, start EMC and go to Server Configuration. Click New Exchange Certificate in the right pane. Give it a name first:
Because we want to (and can only) test some basic functionality, not all options will be used here:
On the next screen you will see some SANs, but StartSSL free edition will disregard them anyway.
On the next screen you need to enter some info (again, it will be disregarded) and also a location where the CSR will be saved. In this case, c:\NewReq.req.
Click Next on the last screen and the request will be processed.
Locate the .req file, open it with a text editor and copy the text.
Go to your Exchange server, create a new text file, name it MyCert or so, paste the text and save it. ***NOTE: Change the file extension to .cer to avoid confusion later.
You need to save the Server Certificate Bundle with CRLs (PEM encoded) to a location accessible from your Exchange server. Go back to your Exchange server, locate the file (ca-bundle.cer if you used the default name), right-click it and select Install Certificate. Accept the default settings.
Complete the steps in the wizard (you will have to select the .cer file you created earlier) and assign the services associated with this certificate. I restarted the server just in case.
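Because the free certificate comes back with a single name even when the CSR listed several SANs, it is worth confirming which host names the issued file actually covers before assigning services. The PowerShell below is an added example, not part of the original post; the file path and host names are assumptions, and the SAN parsing relies on the English-locale text Windows produces for that extension.

```powershell
# Added example (not from the original post). Path and host names are assumptions.
$CertPath      = 'C:\MyCert.cer'
$RequiredNames = @('mail.example.com', 'autodiscover.example.com')

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension, OID 2.5.29.17 (absent if the CA dropped it)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows renders each entry as "DNS Name=host" (English locale assumed)
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    if ($names.Count -eq 0) {
        # No SAN DNS entries: the only name left to match is the subject CN
        $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $cn = $Cert.GetNameInfo($type, $false)
        if ($cn) { $names += $cn }
    }
    return $names
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if (-not $n) { continue }
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label
            $label, $rest = $HostName -split '\.', 2
            if ($rest -and ('.' + $rest) -ieq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$names = @(Get-CertDnsNames $cert)
"Subject   : $($cert.Subject)"
"Expires   : $($cert.NotAfter)"
"DNS names : $($names -join ', ')"
foreach ($r in $RequiredNames) {
    $status = if (Test-NameCovered $r $names) { 'covered' } else { 'NOT covered' }
    '{0,-32} {1}' -f $r, $status
}
```

A name reported as NOT covered is one that clients connecting by that name will flag with a certificate name-mismatch warning.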
I just got off the phone with their tech support.
Works fine for me 🙂 Thanks for the guide!
Any idea on how to get this to work with dynamic DNS?
What about SAN? Or one domain_name in cert is correct for Exchange 2010?
Hi, thank you for the howto. Works perfectly with rpc/http but I have a certificate error on local Outlook. It says that the name of the certificate doesn't match with my local server name.
Tangui, you can create a new forward lookup zone on your internal DNS that matches your domain's external name. Then create an A record with the internal IP of your server, something like exchange.domain.com. Configure Outlook to point to this address instead of what you currently have.
You mention that I can add a second certificate for autodiscover.domain.com. Can you explain how this is done?
You have two options:
1. Sign up for Class 2 certificate service. It is very cheap, it is for two years, and comes with unlimited certificates, unlimited SAN, wildcard, you name it.
2. Use Reverse Proxy with multiple listeners, where single certificate is assigned to every listener.
Tried to use the Startcom SSL – but it did not work properly.
So I ended up buying a domain validated Comodo UCC – got a good price, it was issued in less than 10 minutes and it definitely works with Exchange 2013 🙂
It should also be pointed out that the free class 1 certificate from StartCom MUST NOT be used for any commercial purpose.
Thanks for the referral – bought a PositiveSSL Multi-Domain Certificate from SSLPOINT – hassle free order process, excellent support. Highly recommendable!
Good article, thanks for sharing the great stuff about Microsoft.