
CSR for Exchange 2007


Generating a Certificate Signing Request (CSR) on Microsoft® Exchange 2007

At this time Network Solutions® does not offer a Unified Communications Certificate; however, by following the instructions below you can use two certificates in your environment: your existing mail.company.com certificate and a new Autodiscover.company.com certificate. As long as the correct certificate is served at the correct time, clients are able to connect with no issues.

Doing this simply requires that you set up two virtual servers on the CAS server. One serves Autodiscover.company.com on one IP address, and the other serves the remaining web services on mail.company.com using a different IP address.

NOTE: Each virtual site that you set up will need its own IP address.

 Here is an outline of this setup process:

   1. Get a separate certificate for mail.company.com and Autodiscover.company.com

   2. Create a new virtual server in IIS on the CAS

   3. Create a new Autodiscover virtual directory in the new virtual server and remove the old one.

   4. Assign a separate IP address and certificate to each virtual server

   5. Configure your internal SCP to point to Autodiscover.company.com

   6. Configure your Internal and External Service URLs to point to mail.company.com

   7. Make sure that your configured URLs will resolve internally and externally via DNS to the expected IP address for each of the services
 

In this configuration, internal domain member clients find the SCP to make the connection to Autodiscover. External clients find Autodiscover.company.com using DNS to make the connection to Autodiscover. In both cases the clients are referred to mail.company.com for the actual Exchange Services.

CSR Instructions:

CSR generation on Microsoft® Exchange 2007 uses a cmdlet accessed via the Exchange Management Shell (EMS). To access the EMS, go to the 'Start' menu > Programs > Microsoft Exchange Server 2007 and choose 'Exchange Management Shell'.

1.  Open the EMS as above. The command you need to enter looks like this:

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "C=US, O=Example Company, L=City, ST=State, CN=exchange.example.com" -DomainName exampletwo.com, examplethree.com -Path c:\exchange.example.com.req -PrivateKeyExportable:$true

-GenerateRequest: This is the command flag to create a new CSR.

-KeySize: This controls the size of your private key. We recommend at least 2048 bits.

-SubjectName: This sets the Subject of your CSR. 'C' is Country, in the ISO-3166 two-letter standard (note 'GB' for Great Britain, US for USA etc.). 'O' is Organisation. 'L' is Locality. 'ST' is State or province. 'CN' is CommonName, or your primary FQDN for the server.

-DomainName: This allows you to specify additional domain names, as most Exchange 2007 installations require the certificate to secure more than one FQDN.

-Path: This specifies where to place the CSR.

-PrivateKeyExportable: This marks the private key being generated as exportable, which will allow you to back up and/or move the private key later.

 

2.  Open the CSR file (specified above with the '-Path' flag) with a text-editor and copy and paste the contents into the enrollment form when requested.

Notes:
Instead of specifying all the domains within the command, there are two additional flags that can be specified: '-IncludeAcceptedDomains' and '-IncludeAutoDiscover'. Using these instead of the '-DomainName' flag will automatically add the autodiscover FQDN, as well as all of the domains Exchange is configured to accept.

The Microsoft® TechNet article for this command is available here: http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx.
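
Step 1 of the outline calls for two separate certificates, so two requests are needed. The following is an added example, not part of the original article or Network Solutions' own script: it generates one CSR per host name and checks each file with certutil before it is pasted into the enrollment form. The host names come from the outline above; the C:\csr folder and the O, L, ST and C values are placeholder assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumptions: C:\csr already exists and is writable; O/L/ST/C are placeholders.
$outDir = "C:\csr"
$names  = "mail.company.com", "Autodiscover.company.com"

foreach ($fqdn in $names) {
    $reqPath = Join-Path $outDir ($fqdn + ".req")
    $subject = "C=US, O=Example Company, L=City, ST=State, CN=$fqdn"

    # One request per host name. -DomainName repeats only the CN's own FQDN,
    # so each CSR covers exactly one name.
    # Set -PrivateKeyExportable:$false if the key never needs to leave this server.
    New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
        -SubjectName $subject -DomainName $fqdn `
        -Path $reqPath -PrivateKeyExportable:$true

    if (-not (Test-Path $reqPath)) {
        Write-Warning "No request file was written for $fqdn"
        continue
    }

    # certutil decodes the request; confirm the CN and the key length
    # before submitting the file.
    $dump    = certutil -dump $reqPath
    $cnOk    = [bool]($dump | Select-String -SimpleMatch "CN=$fqdn")
    $keyLine = $dump | Select-String -SimpleMatch "Public Key Length"
    $keyOk   = [bool]($keyLine | Select-String -SimpleMatch "2048")

    if ($cnOk -and $keyOk) {
        Write-Host "OK: $reqPath (CN=$fqdn, 2048-bit key)"
    } else {
        Write-Warning "Review $reqPath before submitting: CN match=$cnOk, key size match=$keyOk"
        $dump | Select-String "CN=|Public Key Length"
    }
}
```

The private key for each request stays in the server's certificate store; only the .req file is sent to the certificate authority.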