I finally took the plunge and decided to get a certificate from a public Certificate Authority (CA) for my Exchange Server 2007 server at home. A certificate that supports Subject Alternative Names (SAN certificate, aka “Unified Communications” certificate), no less. Having dealt with a number of CAs in the past, and having heard some horror stories about getting a certificate that supports Subject Alternative Names, I wasn’t quite looking forward to the exercise.
Thanks to Office Communications Server (OCS) MVP (and fellow Zenpriser until recently) Lee Mackey, the CA he recommended – DigiCert – provided exemplary customer service.
Chain of events:
– Generate SAN certificate request using the New-ExchangeCertificate command from Exchange Server 2007 (for a couple of domains, includes the Autodiscover.domain.com FQDN).
– Submit request to DigiCert
– Get confirmation emails from DigiCert (for multiple domains)
– Within a few seconds, while I’m still clicking on the confirmation messages, I get a call from a DigiCert rep to confirm the details
– The rep informs me the physical/mailing address with the domain registrar for one of the domains is not current or not the same as the one I provided when requesting the cert
– Rep waits while I correct it on the domain registrar’s web site
– Confirms the address is updated in the registrar’s WHOIS info
– Asks for a photo ID to be uploaded on their secure site
– I email him the photo ID instead of uploading it
– By the time I’m back from the scanner/copier to my desk, and hit refresh, the photo ID shows up on DigiCert’s web site
– Within a few minutes I get the certificate in by email
– Install certificate and test it with the different domains – works!
An impressive and positive customer service experience – these guys rock! If you’re in the market for a digital certificate, check them out.
Requesting and using certificates for Exchange Server 2007
- KB 929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
- Use the Import-ExchangeCertificate command to import the new certificate, and the Enable-ExchangeCertificate command to enable it for the Exchange services you want it used with (IIS, SMTP, IMAP, POP, and UM)
- Also recommend reading the team blog post by John Speare: Exchange 2007 lessons learned – generating a certificate with a third-party CA
- SAN certificates cost significantly more than regular SSL certificates as of now. Figure out whether using multiple regular certificates (which may require additional IP addresses) works out better for your deployment.
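As an added example (not the post's own commands), here is the Exchange Management Shell sequence that the steps above describe: generate a SAN request with New-ExchangeCertificate, import the CA-issued certificate with Import-ExchangeCertificate, enable it with Enable-ExchangeCertificate, and check the result. The organisation details, host names, file paths and friendly name are placeholders, and the commands assume Exchange Server 2007 SP1 on the server that will hold the private key.

```powershell
# Added example, not from the post. Domain names, organisation details,
# file paths and friendly name are placeholders; replace them with your own.

# 1. Generate the certificate request (CSR). The CN is the primary external
#    host name; -DomainName lists every name that goes into the Subject
#    Alternative Name extension, including the Autodiscover FQDN of each domain.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com, mail.example.net, autodiscover.example.net `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2007 SAN certificate"

# The cmdlet returns the Base64 request; save it to paste into the CA's order form.
Set-Content -Path C:\certs\exchange-san.req -Value $req -Encoding Ascii

# 2. After the CA returns the signed certificate, import it on the same server
#    (the private key generated in step 1 lives only there), then
# 3. enable it for the services that should present it (IIS for OWA/EWS/
#    Autodiscover, SMTP for TLS). Add IMAP/POP/UM if those services are used.
Import-ExchangeCertificate -Path C:\certs\exchange-san.cer |
    Enable-ExchangeCertificate -Services "IIS,SMTP"

# 4. Verify: the new certificate should list every SAN name in CertificateDomains,
#    show the services assigned in step 3, and have the expected expiry date.
Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq "Exchange 2007 SAN certificate" } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

The check in step 4 is worth doing before removing any old certificate: if a name is missing from CertificateDomains, clients connecting to that name will get a certificate warning even though the rest of the deployment works.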
ISA Server issues
- Forms-Based Authentication: If using ISA (ISA 2006 in my case) to publish Exchange CAS URLs for OWA, disable Forms-Based Authentication on Exchange’s OWA virtual directory; otherwise you’ll get two Forms-Based Authentication pages and end up authenticating twice – once with ISA and once with Exchange.
- A useful doc if you’re publishing with ISA 2006: Publishing Exchange Server 2007 with ISA Server 2006.
- ISA and SAN Certs: ISA 2004/2006 still have issues with SAN certs, discussed in the ISA team blog: Certificates with Multiple SAN Entries May Break ISA Server Web Publishing.
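As an added example (not from the post), the Exchange Management Shell commands for the Forms-Based Authentication point above: the double prompt occurs when both ISA and the OWA virtual directory use forms-based authentication, so the fix is to switch the Exchange side off and let ISA delegate the credentials it collected with Basic authentication over the internal HTTPS connection. The CAS server name CAS01 is a placeholder; "owa (Default Web Site)" is the default virtual directory identity on Exchange 2007.

```powershell
# Added example, not the post's own commands. CAS01 is a placeholder server name.
$owa = "CAS01\owa (Default Web Site)"

# Inspect the current setting. The problematic combination behind an ISA 2006
# forms-based listener is FormsAuthentication = True on Exchange as well,
# which yields two logon forms.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# Corrected configuration: ISA presents the single logon form and delegates
# the credentials to Exchange using Basic authentication (the internal leg
# is still HTTPS, so the credentials are not sent in the clear).
Set-OwaVirtualDirectory -Identity $owa `
    -FormsAuthentication $false `
    -BasicAuthentication $true

# The change takes effect after IIS is restarted.
iisreset /noforce

# Confirm the new state before testing through the ISA-published URL.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Identity, FormsAuthentication, BasicAuthentication
```

Keep the ISA web listener's authentication delegation set to Basic to match, and test from outside the network: a single ISA form followed directly by the mailbox confirms that the Exchange-side form is no longer in the path.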