SSL cert for Exchange 2013

Exchange 2013

we are about to renew our Verisign cert when i chanced upon this website. has anyone used the ssl cert for Exchange OWA generated by this new CA authority?

is it advisable to switch to it?

1 Like

Yon need wait for some time. Now the CA authority do not provide formal SSL cert.

You would save some money by using a LE certificate, but the service will not be publicly available until November.

Actually, the question is pertinent to all Exchange servers - starting with Exchange 2007 to Exchange 2016 (yes, it’s been released a couple of days ago).

If I understand correctly, the free LetsEncrypt certificates (including the SAN/UCC certs that are needed for Exchange) will be publicly available November 16th, 2015.

In the meantime, you can apply for the beta program - I just did - and if you are approved, request/install a multiple domain certificate on the Exchange server.

Despite the fact that the beta cert will not be trusted by clients - the Root CA is not among the trusted Root CA - you can manually add it to the trusted CA via a Group Policy and test the whole process in advance; at least that’s what we are planning to do.

Finally, we’ve been using and demonstrating in our screencasts GoDaddy certs (not affiliated in any way with GD) just because these used to be the cheapest certificates (not anymore :confused: ). If the communication is between your network clients and your Exchange server, it simply doesn’t make sense paying for an expensive commercial certificate.

The bottom line is, if LetsEncrypt offers a straight forward, fast, and easy way to request and get free multiple domain certs, that will be the choice for Microsoft Exchange server certs.

Is there a way to obtain LE certificates to install on a domain on Office365? If so, I’d welcome a pointer. Most of the beat program points at requiring much deeper access to the target server than an O365 Admin will have.

well you can try to get the certs via manual mode from another PC…

someone could explain me how to get the certificate exchange?

thanks

When we are talking about requesting and installing Letsencrypt certificates on a Windows Server, the only mature and dependable solutions that we’ve found are based on Eugene Bekker’s ACMESharp project (https://github.com/ebekker/ACMESharp) and are:

  1. The PowerShell (POSH) module written by Eugene Bekker.
  2. The letsencrypt-win-simple, written by Bryan Livingston (https://github.com/Lone-Coder).

We’ve tested both and we are publishing a step-by-step video about the automatic installation and renewal process with them.

The first one – the POSH module – is suitable for Exchange certificates. Recently, Eugene has updated the ACMESharp library and included the long awaited option to request and get SAN (Multiple Domain) certificates, which is exactly what’s required for Exchange server certificates. As we are talking about Exchange server, the certs need to be enabled in EMS, not only installed on the Exchange Web Site; hence, the need to use the POSH module.

The second solution is more suitable for just IIS web servers. Even if you have multiple web sites on the same IIS, it lists all the sites, so you can choose which of them need to get a cert, then installs and HTTPS enables the sites, and finally schedules a task to update the certs automatically (that video is almost ready – will be published within a week).

In short, if you need an Exchange SAN certificate, you should be looking into the PowerShell module.

1 Like

So, I’ve tried the steps and created a SAN certificate for my five email domains (mail.domain.com and autodiscover.domain.com for each) using POSH, but I’m pulling a blank as to how to import them into Exchange 2013. It looks like what I should have done is have Exchange generate the certificate request and then use that somehow with POSH to have Let’s Encypt create the certificates, then import those into Exchange. Can anyone step me through the process?

OK, I’ve given up and paid to renew my old certificate. :disappointed: Hopefully there will be some method for using the Let’s Encrypt certs in Exchange by next year.

I have requested and deployed LE certs to two Exchange servers now (2010 and 2013). All certificates are being requested from a Linux VM I built specifically as a central clearinghouse for all LE certs, no matter what server they were destined for. (Edit: The certs from LE are requested using DNS verification, so I don’t have to point various domains directly at the VM itself.) OpenSSL is used to export the private key, certificate, and intermediate into a single PKCS#12 file suitable for import on Windows.

Exchange 2010 accepted the imported certificate without problems, though the exported certificate needed to have a password set on the private key before Exchange would accept it.

Exchange 2013, on the other hand, was much more annoying to deal with. Though I could import the certificate, Exchange would strip the private key off the cert, rendering the certificate useless. I eventually figured out how to get around this using a three-step process.

First, import the certificate through the built-in Certificate Management MMC (outside of Exchange). This imports the entire certificate, along with the private key. Second, import the certificate using Exchange 2013. This essentially notifies Exchange that there’s a new certificate for it to use. Exchange will break the certificate by severing the connection to the private key. Third, use the certutil tool to repair the Windows certificate store. Since the private key was originally imported in the first step, certutil will be able to rejoin the severed private key with the public key, allowing the certificate to be successfully selected for use in Exchange 2013.

I don’t know why it does this. :stuck_out_tongue: I’m planning on doing more work with figuring out why this happens (and try to avoid it) on the next renewal.

Here is an update:

We’ve tested three Let’s Encrypt Windows clients - on Windows Server (IIS) running 2008R2, 2012R2, 2016, and on Exchange 2013/2016 Server 2012R2:

  1. Letsencrypt-win-simple - IIS and Exchange server (successfully)
  2. ACME-posh - IIS and Exchange server (successfully)
  3. Certify for Windows (not good)

Here are the details:

  1. Letsencrypt-win-simple - we’ve built version 1.9.1.1 from source and tested it on Windows Server (IIS) running 2008R2, 2012R2, 2016. Works flowlessly - both new cert requests and cert renewals. We’ve published a detailed video and the build that we’ve used here:

We’ve encountered the following “issues”:

  • The sites that you request a certificate for need to have a FQDN in their http bindings; otherwise, they are not listed and you need to use manual mode, which works fine.
  • You can request and get a SAN (multi domain certs), but that also requires manual mode.
  • Installing a SAN certificate in Exchange also works, but it’s a pain - requires manual mode and a lot of adjustments. BTW, the Exchange 2016 instructions on the Letsencrypt-win-simple WIKI are not correct - you need to use the Enable-ExchangeCertificate commandlet and assign the new Let’s Encrypt SAN cert to all services (IMAP,POP,SMTP, and IIS), not just the Default Web Site. That’s not possible until you move the generated and installed SAN cert to the Local Machine/Personal store. Bottom line, at that point, the Letsencrypt-win-simple is not suitable for automatic Exchange SAN certs requests and renewals unless you are fine with performing this manually, which defeats the purpose of the ACME protocol - automating the whole procedure, while providing better security.

2.ACME-posh v0.8.1 is the client that 's suitable for Exchange SAN certificates - works just fine and is suitable for fully automating the cert issuance and renewals - our step-by-step video is almost ready.

One issue that we’ve encountered is that the IISChallengeHandler was failing on Server 2012R2 and Server 2016 - it’s running fine on Server 2008R2. It turned out the issue is related to the config file that’s generated in the directory where the challenge file is created. After we’ve modified the config file and recompiled, the client works perfectly. We’ll publish the compiled build and the script we used with the video, as well as the changes that we’ve had to make.

3.Certify for Windows - big disappointment - doesn’t work and it seems the project is abandoned; no updates since March, 2016.

Best regards,

Dean

Hi Dean,

Have you got a link to your step by step video for auto renewing certificates form exchange servers.

I am running Exchange 2007 and have successfully created (win-simple) and installed letsencrypt SAN certificate but now it has come up for renewal and I am stuck.

I see in you post above you say you have a step by step video nearly ready using the ACME-posh. any eta.

Regards,

Rod.

Hello!
Any hint for a date on the stepbystep video for use ACME-posh san certificate?

The video is ready:)

We’ll be publishing it next week, with the compiled latest build as well.

1 Like

Was just checking to see if the video was published?

We’ve completed it today - had to redo some of the steps to add more scenarios - adding/removing SAN and automatic renewal.

Should be available within a day or two:)

The video is published and available here:

Your feedback and questions are more than welcome on the corresponding blog page:

http://www.netometer.com/blog/?p=1777

Regards,

Dean

1 Like

Hello,
just tried on Exchange 2013 on W2012R2 machine. I’m not a pro so i have some difficultes…

First: (resolved)
the command on 2013 to get Autodiscover (or set) info is Get/Set-ClientAccessServer , right?

When you import some files on a 2012R2 machine you have to unblock them, so if the module cannot be imported check the files are blocked.

So, i arrive at the time i can launch the script but i get this nasty error:

`New-ACMECertificate : Impossibile trovare un parametro posizionale che accetta l’argomento ‘server.domain.it_2016-11-30–18-25’.
In C:\ACME-Exchange\ACME-Exchange.ps1:66 car:1

  • New-ACMECertificate $CN -Generate -AlternativeIdentifierRefs $SAN1, -Alias $SANc …
  •   + CategoryInfo          : InvalidArgument: (:) [New-ACMECertificate], ParameterBindingException
      + FullyQualifiedErrorId : PositionalParameterNotFound,ACMESharp.POSH.NewCertificate`
    
    

Server.domain.it is just the obfusched dns name.
I want to configure only 2 names so i’ve configured only:

#NOTE: Uncoment and edit the lines bellow
#----------------------------------------
$my_email = "admin@5demo.com"
$CN = "server.domain.it"
$SAN1 = "autodiscover.domain.it"
#$SAN2 = ""
#$SAN3 = ""
#$SAN4 = ""

Register-FQDN $CN
Register-FQDN $SAN1
#Register-FQDN $SAN2
#Register-FQDN $SAN3
#Register-FQDN $SAN4

And at last:

New-ACMECertificate $CN -Generate -AlternativeIdentifierRefs $SAN1 -Alias $SANcert_alias *>&1 >> $acmelog

Auhtorization went good, both domain get valid status. I get that error after the last valid status (the autodiscover one)

Any hint??

Hi Federico,

If the validation is fine, you are almost there.

Q: The command on 2013 to get Autodiscover (or set) info is Get/Set-ClientAccessServer , right?
A: Yes, the command has changed slightly in Exchange 2016 server - service instead of server.

Q: Auhtorization went good, both domain get valid status. I get that error after the last valid status (the autodiscover one). Any hint??

A: We discuss and demonstrate this case about the end of the last step (step4) - just watch it more carefully again. If you want to have just one Subject Alternative Name, the autodiscover in your case and in our demo (step4 - removing names from the Exchange SAN certificate), you need to add the CN as SAN. That way, you will have two SAN parameters in the New-AcmeCertificate command. Here is how your command should look like:

New-ACMECertificate $CN -Generate -AlternativeIdentifierRefs $CN,$SAN1 -Alias $SANcert_alias *>&1 >> $acmelog

We explain in the video that the command expects two parameters for the “-AlternativeIdentifierRefs”; that’s why we add the CN as a second parameter.

Regards,

Dean