Exchange 2019 Certification Request - manual

Please do not laugh. Beginners are born every day.

I have looked around this website and cannot find how to manually request a certificate for Exchange 2019. The documentation is wonderful, but it is written as if all visitors are experts in certificate requests, revocation, etc.

My intention is to obtain an SSL certificate for the Exchange 2019 server, since without this certificate it is not possible to set it up on Android mobile phones.

If someone is kind enough to explain to me how I can request this on this website, I will appreciate it very much.

Before setting up any sort of "automatic certificate request", I need to see that the manual process works normally, to gain trust in the site's procedures, step by step.

Sorry for bothering you with these silly questions.

Regards,
Bogdan

1 Like

There are many "ACME clients" (software tools you can use to request Certificates from Let's Encrypt).

The one I develop is https://certifytheweb.com and that provides a full Windows UI for requesting certificates via Let's Encrypt and other certificate authorities. Certificates are automatically renewed using a background service.

Certify The Web will by default deploy to a local IIS installation (and store the certificate in the local machine store), but it also has a 'Tasks' feature which includes a basic "Deploy To Exchange" task, which in turn runs the following script (you can also run custom scripts etc.): certify-plugins/Exchange.ps1 at master · webprofusion/certify-plugins · GitHub

Here are some other ACME client options to consider as well: ACME Client Implementations - Let's Encrypt

4 Likes

Hi @Xperience and welcome to the LE community forum :slight_smile:

We don't come here to laugh - we come here to help (those that need help); and you fit that need :wink:

As mentioned, there are several good ACME clients for Windows.
My question to you (to help us better help you) is: Can the Internet reach your Windows 2019 Exchange server via HTTP?
[OR can that be made to happen?]

1 Like

When I installed Microsoft Certification Authority on Windows servers I was used to copy request, paste, and then copy the result and voilà, certificate.
The automatic process sounds very good, but I have never seen it and do not know it.
If you are building something that works really smoothly, I congratulate you, if it is really smooth.
I spent 6 months researching why I cannot set up Android on a phone, and the last point I concluded is that I do not have an SSL certificate, since ALL other settings are completed.
So to conclude: I do not know how to handle your solution. Should I download something and install it on Exchange and it will work alone, or should I be a developer to be able to solve this?

Yes, the server is accessible since I have a few clients who need to be able to access their emails hosted with me.

After a full install of Exchange 2019 and full setup, everything works except Android clients, and as I read and study I found that the only missing piece in my installation is the certificate, so I would like to try this, but I never fully understood (never found the right documentation) what this certificate is and how to eat it at breakfast.

So if there is something that does everything automatically it will be lovely, but if there is something that is only partially automatic and needs a developer to finalize it, then I had better stay out, since if something goes wrong I will DELETE everything and install from scratch, since patience is not one of my virtues anymore.

I installed your software CertifyTheWeb on the Exchange server, but it is not very intuitive (for someone who does not deeply understand certification logic) and I am very afraid to just click Next on a production server, since if something goes wrong there will be no one around to fix it.

I chose New Certificate / I selected site "Exchange Back End" / then added domain "bizarnet.ro", then pressed Test and got an error .. since on this server there is no public website but only the Exchange. I deleted domain "bizarnet.ro" but added "email.bizarnet.ro", pressed Test and got 3 green test results.
And then ... what next, since Exchange already has 4 pending certificate requests.

Really ... an Exchange certificate (for money) would be something very welcome, rather than needing to be a developer to do it right. :frowning:

I had a look at Authorization, where I noticed there is something mentioning DNS.... I have my own DNS and cannot add there.
I'm a total mess about certification :frowning:

Your software is very useful to someone who ALREADY KNOWS IT .. but for a newbie .. to be used in a production environment .. it is too big a risk to mess something up.

I congratulate you for this work, it looks nice ...., but unfortunately I do not know how to handle it.
Once again, sorry for my total lack of experience with certification.

Hi, start here: Getting Started | Certify The Web Docs

I'm pretty sure we explain everything that's relevant to the process, but we're very open to feedback. Yes, certificates and certificate validation are potentially complex, but you do need to invest at least a little time to learn the basics:

  • a certificate must have your domains on it (including subdomains/hostnames)
  • each domain/subdomain requires validation via Let's Encrypt. The easiest method is the default http validation, and Certify The Web will run a temporary http validation service for you; there is no particular need to run a webserver.
  • You then click 'Request Certificate' to order your certificate from Let's Encrypt
  • If that all works OK, you can then look at deployment tasks for Exchange which will automate applying the certificate to those services (now that you have it).

Our application is used by well over 100,000 people per day to manage their certificates and we don't often get feedback saying it's difficult to use, but that's not to say that it's not, we just don't regularly get that feedback.

If you prefer you can use one of the alternative ACME clients; maybe you will find them easier to use. Check out certbot, posh-acme, win-acme etc. You may find win-acme easier because it asks questions one at a time rather than presenting a whole UI for you to use.

Ultimately, we can't help you if you just don't want to have to deal with all this certificate stuff (in which case you should delegate to someone else). I understand it can be frustrating to have to use certificates, and the processes can be complex, but it's part of modern application administration and you need to either use certificates or get someone else to do the IT administration for you.

3 Likes

Big thank you for your time. My need for SSL is on Exchange mainly, and if everything works I would like to use it on 4 x ForeFront TMG and a web hosting server.
I crossed my fingers and experimented more with your software CertTheWeb on Exchange, and I managed to request a certificate for the Exchange server, then went back to Exchange Administration and from there enabled it to be active for IIS .... then .. surprise ... running Microsoft Remote Connectivity Analyzer, which concluded:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
The test passed with some warnings encountered. Please expand the additional details.

Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."

So there is something wrong between the Certificate Authority who released this certificate (Let's Encrypt) and Microsoft; it sounds to me that Let's Encrypt is not recognized by Microsoft as something with reputation.
Anyway .. my Android still does not work because of multiple test failures with SSL problems. :frowning:
I will continue trying to experiment more.

On the other hand, I was surprised that the Let's Encrypt certificate I requested via your app was only for 89 days, and this is not all right since, if I remember well, when I installed the CA from Microsoft on Windows server (old times) it released certificates valid for 1-3 years.

So something does not fit with this "certification" yet. I will continue digging and concluding somehow, even if I bother someone on that occasion.
I have no idea why this is a hassle more than necessary.

1 Like

All of these are CLI based and probably fit a "Linux" kind of guy, not a Windows one who has 4 jobs at the same time, so they do not fit me at all.

Is there any way to use your software CertTheWeb but install a Windows-accepted certificate that allows me to pass the test made by Microsoft Remote Connectivity Analyzer? And not 90 days only, since this looks to me like too frequent trouble to keep updating?

Any way to use your software and fix my Exchange certificate problems, and have it automatically work alone once set up and started?

Sorry for my silly questions.

What would fit my need will cover the following requirements:

  • one time installation software
  • running as service
  • one time initial setup or request
  • automatically update certificate (request/install) based on expiration time
  • after Certificate Update Complete, automatically announce on Remote Desktop a message "We just updated the certificate. Please do not forget to assign it in IIS, Exchange or application."

and this solution would cost $ per year or 5 years.

That would be something worth focusing my attention on for installation and initial setup, to be able to forget about it afterwards.

PS: after requesting a certificate .. in Exchange Admin it is shown, but it needs to be assigned manually to IIS, or POP3 or IMAP or SMTP. That's why I said to write the "Remembering" kind of message.

Hi, all of these are features that Certify The Web provides out of the box by default:

For this part, you could run a script as a deployment task:

  • after Certificate Update Complete, automatically announce on Remote Desktop a message "We just updated the certificate. Please do not forget to assign it in IIS, Exchange or application."

However, the general idea is that you script the certificate deployment to these other services. IIS is already automatic in Certify The Web, but other services not covered by built-in deployment tasks require specific scripting (which you have to provide): Scripting | Certify The Web Docs

You mentioned having to apply the certificate in the Exchange UI. You should only have to do this once to configure the services, subsequent renewals should be automatic if you are using our built-in Deploy to Exchange task:

after requesting a certificate .. in Exchange Admin it is shown, but it needs to be assigned manually to IIS, or POP3 or IMAP or SMTP. That's why I said to write the "Remembering" kind of message.

Regarding certificate features and compatibility:

Let's Encrypt certificates are valid for 90 days, which is why you must automate them using a tool such as this. This is not configurable and is a feature of the Let's Encrypt certificate authority. Other CAs do exist and you can use them with this app: Certificate Authorities | Certify The Web Docs

Regarding the "Microsoft Connectivity Analyzer", you will need to speak to Microsoft about that, but Let's Encrypt certificates are valid and trusted for modern devices which trust the "ISRG Root X1" root certificate. If this certificate is not in your Windows trust store, it means your system is not automatically updating root certificates and you need to find out why that is.

You mentioned your Android device was not working. I am assuming this device is running Android 7.1 or older; this is a well-documented compatibility problem with Android. If your device is running a newer version of Android and is up to date, then there is no good reason why it would be incompatible.

Ultimately, if using Let's Encrypt seems too difficult you do still have the option of simply going to a commercial CA and buying a certificate that's valid for a few years (possibly a wildcard certificate for multiple uses). You don't have to use Let's Encrypt (or any other ACME CAs) and you can manually apply certificates if you prefer.

2 Likes
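As an added example (not Certify The Web's own Exchange.ps1 and not posted by anyone in this thread), a deployment-style PowerShell script that performs the checks the reply above talks about before binding a renewed certificate to Exchange: it confirms ISRG Root X1 is in the machine trust store, builds the chain, refuses a near-expiry certificate, then calls the real `Enable-ExchangeCertificate` cmdlet. It assumes an Exchange Management Shell session, that the certificate is already in LocalMachine\My, and that the thumbprint, the service list and the 7-day threshold are values you supply.

```powershell
# Added example, not Certify The Web's Exchange.ps1. Run from the Exchange Management Shell.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the freshly issued certificate (placeholder)
    [string]$Services = 'IIS,SMTP,POP,IMAP',     # Exchange services to bind (assumption: all four)
    [int]$MinDaysLeft = 7                        # refuse to deploy if fewer days remain (assumption)
)

# Strip spaces in case the thumbprint was pasted from certmgr.
$Thumbprint = $Thumbprint -replace '\s', ''

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# 1. Is Let's Encrypt's root (ISRG Root X1) present in the machine trust store?
#    Missing here is the symptom the thread describes: root updates are not reaching this host.
$isrgRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*ISRG Root X1*' }
if (-not $isrgRoot) {
    Write-Warning 'ISRG Root X1 is not in LocalMachine\Root; check why automatic root updates are disabled.'
}

# 2. Build the chain the way a connecting client would, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain validation failed: $status"
}

# 3. Let's Encrypt issues 90-day certificates; do not bind one that is already about to expire.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt $MinDaysLeft) { throw "Certificate expires in $daysLeft days; refusing to bind it" }

# 4. Bind the certificate to the Exchange services. -Force suppresses the prompt
#    about replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services -Force
Write-Output "Bound $($cert.Subject) (expires $($cert.NotAfter)) to $Services"
```

Once it runs cleanly by hand, the same script can be attached as a post-renewal deployment task so the manual Exchange Admin step described earlier is no longer needed.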

Before going to a paid CA cert: There is still the possible option of using another (FREE and ACME friendly) CA. Which would employ a completely different trust path and may work better in a mixed (older and newer) Android scenario.

3 Likes

Indeed, it's worth mentioning that BuyPass Go certificates are valid for 180 days (but they don't support wildcards). ZeroSSL are valid for 90 days (but they are the most similar to Let's Encrypt in terms of certificate features).

3 Likes

I solved the problem with Android connectivity .. after 6 months of research. It was a delicate "inheritance problem" that was disabled in User Account / Security / Advanced ... a few years ago, which was the recommendation of that time from MS :slight_smile:

I will try to contact you offsite to clarify a few behaviours of your CertTheWeb app, in order to be sure that this is what I need, since I am taking into consideration the possibility to purchase.

Thank you very much for your patience with me .. in the first place :slight_smile:

Thank you for the suggestion. Please feel free to recommend.

Your APP + Let's Encrypt + your APP with some new features = exactly what I am looking for, myself and many others in my case.

I can create some guidelines for your new version :slight_smile:

1 Like

Thanks, always happy to get feedback on things to improve. Yes you should definitely evaluate it as completely as you can, in order to determine if it's right for you.

3 Likes

I'm not worried about whether it is right for me. I'm worried about whether you are open to improving it?
If you automate Renew Certificate on IIS and Exchange .. fully and completely automatically ... then it will be right for me for sure. Are you willing to update it to automatically manage Exchange certificates and maintain them?

Well, we already provide that feature (via our deployment task); did you mean something else more automatic, like not having to add the task at all? Outside of our core effort to target IIS, we try to make it so the app can renew a cert for any type of service, either via tasks or scripting (there are thousands of possible services).

So yes, this is and will be maintained, it's my full time business, not a hobby.

2 Likes