The following steps outlines the steps involved in configuring your Exchange Server to use a Godaddy SSL UCC certificate.

Before you begin, make sure that you have purchased an Exchange Server  UCC certificate from Godaddy. A UCC certificate allows you to have multiple SAN’s (Subject Alternative Name) necessary for the proper operation of Exchange. For example, having a SAN named autodiscover will allow your smartphone users to connect to the Exchange server without having to manually configure setting.

Open Exchange ECP and navigate to servers –> certificates.

image

Click on the + sign to start the certificate wizard. Choose create a request for a certificate authority and then click next.

Give the certificate a friendly name and then click next. Skip the wildcard certificate section by clicking next.

Select the server where the certificate will be stored and click next.

Highlight the default domain and

Select the access type (OWA, Autodiscover, etc.) and click on the edit icon to edit the settings.

The Internet access domains will display by default <not specified>, change them to your FQDN or to the following these settings:

Access
Domain

Outlook Web App (Internet)
mail.yourdomain.com

OAB
mail.yourdomain.com

Exchange Web Services
mail.yourdomain.com

Exchange ActiveSync
mail.yourdomain.com

Autodiscover
autodiscover.yourdomain.com

Outlook Anywhere
mail.yourdomain.com

When finished, click next.

The next screen will display the SAN names. Remove all of the SANs except the public FQDN SANS.

image

The sans that should be left are mail.yourdomain.com, yourdomain.com and autodiscover.yourdomain.com.

In the next window, enter your organization’s information.

image

Finally, save the certificate to a shared network folder folder. name the request certrequest.txt if possible.

image

Next, locate and open your certificate request then highlight and copy its content.

image

Now sign back into your Godaddy account in order to process the request. Locate the new certificate and click on the launch button. You will get a large paste area where you need to paste the contents of the certrequest.txt file.

image

Right click in the paste box and select paste from the pop up menu. Agree to the terms and conditions and click next.

Make sure that all of your SAN FQDN’s are present and match those that we specified in the Exchange certificate wizard.

image

You will receive a confirmation e-mail that you must approve by clicking on the confirmation link. Look in the pending requests page for the download arrow to appear solid instead of ghosted. This indicates that the certificate request is ready to download. Click update list periodically if necessary, it may take a couple of minutes to appear solid after you approve the SSL e-mail.

image

If you are in a hurry or if you get stuck, call GoDaddy. I don’t usually opine about organizations but I do have to say that GoDaddy has excellent customer service, especially when it comes to SSL certificates.

When you download, select Exchange 2010 as the type from the drop down menu. Download the certificate to a network share that’s accessible by the Exchange server.

You will need to extract it since it’s compressed in a zip file.

image

You will notice two files: a certificate file and an intermediate certificate file.

Log back in to the Exchange server’s ECP and go to servers –> certificates. Look for the pending request and click on the complete link.

image

Use a UNC path to point to the certificate file (not the intermediate certificate) click OK to import it.

image

Now, we need to import the intermediate certificate. Open PowerShell and execute MMC to open the Microsoft management Console.

Click on file –> add/remove snap in  and select certificates from the available snap ins list the click on add. When prompted, select computer account from the certificates snap in. Select the Exchange server when prompted to select computer.

Once the snap in for certificates is showing expand  certificates –> intermediate certificate authorities –> certificates.

Right click and select all tasks –> import and import the intermediate certificate.

image

Finally, go back to the Exchange control panel (ECP) and navigate to servers –> certificates.

Highlight the default domain and click on the edit icon. Select the services that will use this certificate and then click save.

image

Now we need to configure the virtual directory internal and external URL’s. Open ECP and navigate to servers –> virtual directories. Select OWA and click on the edit icon.

image

Change the external URL to the URL that matches the certificate.

image

Do the same for ActiveSync, OAB, ECP and EWS.

image

If you are planning to use Outlook Anywhere (Outlook RCP over HTTPS), navigate to servers and click to edit the server settings. Click on outlook anywhere and change the internal and external FQDN to the correct FQDN.

image

When done, open a command prompt on the Exchange server and execute IISRESET in order to apply the changes.

image

If you want users to authenticate using domain\user, then we are finished. Outlook Anywhere and ActiveSync devices will prompt you for login credentials and you should use the domain\user syntax. If however, you want to simplify things for the end users, you can create a UPN suffix for your domain in order to make autocomplete less complicated.

Creating a UPN Suffix

Creating a UPN suffix allows users to authenticate using their e-mail address, making the autocomplete process a single step. To do this, let’s create a UPN suffix so that Outlook Anywhere users and Active Synch Users can authenticate using the user@domain.com syntax.

In the Domain Controller, open Active Directory Domains and Trusts.  Right click on Active Directory Domains and Trusts and select properties. In the UPN suffix field, enter your domain name and click add, then OK.

image

When you create a new user for the Exchange account, select the user’s UPN from the drop down list.

image

The final piece will be to make sure that your connecting services are using the FQDN of the CERT instead of the Exchange server’s local domain or its NetBIOS name.

If your services are not using the correct FQDN, you will get the error:

“The name of the security certificate is invalid or does not match the name of the site.”

You can use the Set-ClientAccessServer command to configure this setting.

  • Set-ClientAccessServer -Identity “mbx1” –AutodiscoverServiceInternalURI https://FQDN/autodiscover/autodiscover.xml

For more information about this, click here to view Daniel Kenyon-Smith’s post about certificate mismatch errors .

Leave a comment

Your email address will not be published. Required fields are marked *