How Do I Manage a UCC Certificate on Exchange 2007?
Important: This is article applies to customers with SSL services only.
Overview
This article will go into detail on how to generate a UCC Certificate Signing Request and install a UCC certificate on Exchange 2007.
How to Generate a UCC CSR
In order to create a CSR on Exchange 2007, you must use the New-Exchange Certificate cmdlet which can be used from the Exchange Management Shell (EMS). To access Exchange Management Shell cmdlets, you must load the Exchange Management Shell from the Microsoft Exchange Server 2007 program menu.
Exchange Management Shell
1. Click Start, click Programs, and then click Microsoft Exchange Server 2007.
2. Then click Exchange Management Shell.
The 'GenerateRequest' parameter for this cmdlet will create the CSR, as a PKCS#10 file which we will then use to create your certificate.
3. The 'SubjectName' parameter contains the details that are signed into the certificate. The 'CN' parameter is the PrimaryDomainName (Please use a fully qualified domain name [FQDN]), and should also be entered into the order form.
An example command to generate a request would be:
-> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -Path c:\exchange.example.net.req
4. The resulting 'exchange.xyz.com.req' file can be opened in Notepad or similar text-editor and pasted into the order form.
If you plan on exporting your certificate from your server or making a backup, you need to use the below command to enable this:
-> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -Path c:\exchange.example.net.req -PrivateKeyExportable $true
This is the bare minimum that we require for UCC CSRs. Adding extra flags to the above command(s) may not have the intended result. We do not need the other domains included in the CSR, as there are other places for them on the UCC order form. To include them in the CSR use the following command:
-> New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=Some Company, CN=exchange.example.net" -KeySize 2048 -DomainName server1, imap.server1.com, exchange.example.net, pop.server1.com -Path c:\exchange.example.net.req -PrivateKeyExportable $true
Note: CN = Common Name, C= 2 letter ISO country code, O = Your Company Name
For more information on the Office Communications Server 2007 Certificate Wizard and installing certificates for Office Communications Server, see the deployment documentation available on the Office Communications Server 2007 Technical Library.
How to Install a UCC Certificate
Once you have purchased your UCC certificate from our partner Sectigo, and the domains have been validated as under your ownership, you will receive an email containing the certificate.
The certificate file should be copied onto your Exchange 2007 server. It is then installed using the Import-ExchangeCertificate cmdlet.
Note: Do NOT use the Certificates snap-in for the MMC to install the certificate. This will not work for Exchanga 2007!
Open the Exchange Management Shell:
1. Click Start, click Programs, and then click Microsoft Exchange Server 2007.
2. Then click Exchange Management Shell.
In this example, the certificate file is copied to the server as the file c:\exchange_example_net.crt
Note: If a UCC was purchased, your certificate file will be ORDER_NUMBER.crt, or your certificate file will be the FQDN that you applied for.
3. Import-ExchangeCertificate -Path c:\exchange_example_net.crt | Enable-ExchangeCertificate -Services SMTP ; where c:\exchange_example_net.crt is your certificate that you received.
The 'Services' flag sets which services the certificate is enabled for.
Valid options include: SMTP IMAP POP IIS UM
To enable multiple services:
Import-ExchangeCertificate -Path c:\exchange_example_net.crt | Enable-ExchangeCertificate -Services "SMTP, POP, IMAP, IIS" ; where c:\exchange_example_net.crt is your certificate that you received.
Note: Once you have installed the site certificate, you may need to follow the procedure outlined in "Root and Intermediate Certificate installation via MMC" with the other files that you have been sent in order to complete the installation.