
Configuring Exchange 2010 Services for using wildcard certificates

I noticed that many people have problems configuring Exchange with wildcard certificates. The reason is probably that not all services can be configured the same way; each needs its own special configuration that the administrator has to think of. I'll try to give you a comprehensive guide on how to configure the whole of Exchange with wildcard certificates.

Let's start with SMTP and IIS. To see which certificates are enabled for which services you can use the PowerShell cmdlet get-exchangecertificate. You should run this command on the Exchange Server itself; running it from a remote PowerShell session will not show you the services enabled for a particular certificate.

[PS] C:\Users\administrator.IN\Desktop>Get-ExchangeCertificate
 
Thumbprint                                Services   Subject
----------                                --------   -------
BC413FCE3830A0D4CDF793BDD4E9F5AC1348E93A  ......     CN=Ex2010.contoso.com
95C280E27ADF33C6A0D726C622DCDCCCA4A10272  ...WS.     CN=*.contoso.com, OU=Home, O=Home, L=MUC, S=BY, C=DE

Above you see the result of such a command: two certificates are installed on the server, one of which is enabled for IIS (W) and for the SMTP service (S). The certificate enabled for these services is a wildcard certificate. You enable a certificate with the command enable-exchangecertificate -services -thumbprint, where you use the thumbprint of the certificate that is installed on the Exchange Server.

Normally you would also use this command to enable the certificate for other services like POP3 and IMAP4, but this is not possible with wildcard certificates. In that case you have to use set-imapsettings -X509CertificateName and set-popsettings -X509CertificateName respectively to enable a wildcard certificate on the Exchange Server.

[PS] C:\Users\administrator.IN\Desktop>Get-PopSettings
UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
------------------------  -----------                       ---------                         -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}             SecureLogin                       mail.contoso.com

Above you can see my POP settings and the enabled certificate. When running this command you shouldn't use *.contoso.com as the certificate name; instead you need to put in the actual FQDN your users will use to connect to Exchange.

Also for a federation trust you shouldn't use the enable-exchangecertificate cmdlet with a wildcard certificate. For that you can use the new-federationtrust or set-federationtrust cmdlets.

Now that we have set the Exchange certificate, we need to make some adjustments to be able to connect to Exchange successfully with our clients. Of course, I assume the certificate used is a third-party one that is fully trusted by the clients, so we don't need to add the certification authority's certificate to Trusted Root Certification Authorities on each and every client device. So how can we connect with Outlook Anywhere using our new certificate? Firstly, we need to enable Outlook Anywhere on our Exchange Server; secondly, we need to tell Exchange to use our wildcard certificate for Outlook Anywhere connections. We can do that with the PowerShell command

Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com

We should also configure the Outlook client with the same settings. Although Outlook 2010 using Autodiscover should automatically set the correct settings in the user profile, it is a good idea to check that everything is correct.

This way we have configured Exchange to support a wildcard certificate. Now we can connect to OWA, POP3, IMAP4 or even Outlook Anywhere using secure connections.
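As an added check that is not part of the original post, the following script verifies that the four settings described above are consistent with each other: the wildcard certificate is bound to IIS and SMTP, POP3/IMAP4 reference a real FQDN that the wildcard actually covers, and the EXPR provider carries the msstd: principal name. It assumes the names from the post (mail.contoso.com and *.contoso.com); Test-WildcardMatch is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added verification script (not from the original post). Run it in the Exchange
# Management Shell on the CAS server itself; as noted above, a remote session does
# not report the Services column. Replace the two names below for your own domain.
$Fqdn = 'mail.contoso.com'   # name users actually connect to (assumed from the post)
$Wild = '*.contoso.com'      # wildcard name that must cover $Fqdn (assumed from the post)

function Test-WildcardMatch {
    # A wildcard certificate covers exactly one DNS label, so 'a.b.contoso.com'
    # is NOT covered by '*.contoso.com'. Helper for this example only.
    param([string]$Name, [string]$Wildcard)
    $suffix = $Wildcard.Substring(1)                       # '.contoso.com'
    $Name.EndsWith($suffix, 'OrdinalIgnoreCase') -and
        ($Name.Substring(0, $Name.Length - $suffix.Length) -notmatch '\.')
}

$findings = @()

# 1. Find the wildcard certificate and confirm it is enabled for IIS (W) and SMTP (S).
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Wild } |
    Select-Object -First 1
if (-not $cert) { $findings += "No certificate for $Wild is installed." }
else {
    foreach ($svc in 'IIS', 'SMTP') {
        if ("$($cert.Services)" -notmatch $svc) { $findings += "$Wild is not enabled for $svc." }
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "$Wild expires on $($cert.NotAfter)." }
}

# 2. POP3/IMAP4 must name the FQDN, never the wildcard string itself (see above).
foreach ($proto in 'Pop', 'Imap') {
    $name = (& "Get-${proto}Settings").X509CertificateName
    if ($name -match '\*') { $findings += "$proto X509CertificateName '$name' is a wildcard; use the FQDN." }
    elseif (-not (Test-WildcardMatch $name $Wild)) { $findings += "$proto name '$name' is not covered by $Wild." }
    elseif ($name -ne $Fqdn) { $findings += "$proto name '$name' differs from the expected FQDN $Fqdn." }
}

# 3. Outlook Anywhere: the EXPR provider should carry msstd:<wildcard>.
$expr = Get-OutlookProvider EXPR
if ($expr.CertPrincipalName -ne "msstd:$Wild") {
    $findings += "EXPR CertPrincipalName is '$($expr.CertPrincipalName)', expected msstd:$Wild."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Wildcard certificate configuration is consistent.' }
```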
