Wednesday, December 30, 2009

Free SSL Certificate for your Exchange 2010 server

Sounds too good to be true, but it is true. I was researching public certificate authorities (after all, I am running all this from home and on a budget) and found startcom.org. They offer certificates at every validation level, and the lowest, Class 1, is free – a perfect fit for testing your Exchange and (hopefully) OCS public connectivity. (StartCom certificates were later distrusted by the major browser and OS vendors, in 2016 and 2017, and the CA has since closed; the Exchange side of the procedure below is unchanged, so substitute your own CA for the StartSSL-specific steps.) Here is the comparison chart for their services:





I found that the free edition does not support SANs (Subject Alternative Names), so a Class 1 certificate carries only the common name you request. Exchange clients compare the host name they connect to against the names on the certificate, so any other name (autodiscover.your_domain, or the internal server name Outlook uses) will produce a name-mismatch warning; you would need a second certificate for autodiscover.your_domain, but for a lab that is not a big deal. Class 2 and above allow multiple names, and you can't beat their prices. I will seriously consider switching when our production certificate expires.

Here are the steps to provision your Exchange Server with startcom.org SSL certificate.

***Internet Explorer 7 will NOT work with the StartSSL site. Save yourself time and frustration and use Firefox to complete this task.

Go to this link: https://www.startssl.com/?app=12

Click on Sign-Up button
Fill in the form…




…and click Continue. An email with a validation code will be sent to the address you entered on the form. Enter the code and continue, and you will be taken to your Toolbox.




The first thing to do here is to verify your domain: click the Check DNS of Domain link, enter your domain name and TLD, and click Check. Another validation email will follow – you know the drill. Once your domain is verified, it will appear here:




Now it is time to create the Exchange 2010 CSR (Certificate Signing Request). On the Exchange server, start the EMC, go to Server Configuration and click New Exchange Certificate in the Actions pane. Give it a friendly name first (you will use it later to find the pending request):




Do not enable the wildcard option – the free Class 1 certificate cannot be issued as a wildcard anyway.




Because we want to (and can only) test some basic functionality, not all options will be selected here:




On the next screen you will see the SANs the wizard derived from your selections, but the free StartSSL edition will disregard them anyway; only the common name is issued.




On the next screen enter the organisation details (again, a Class 1 certificate carries none of them) and the location where the CSR will be saved, in this case c:\NewReq.req.



Click “Next” on the last screen and the request will be processed.



Locate the .req file, open it in a text editor and copy the whole text, including the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines.




The next step is to submit the CSR to StartSSL for signing. Go back to the StartSSL Control Panel, click "Certificate Wizard" and select "Web Server SSL…" from the drop-down menu.




Click Continue.




***Make sure you click the "Skip" button at the key-generation step: we already generated the private key on the Exchange server, and it should never leave it (if you let the CA generate the key for you, the CA has a copy of it).

On the next screen paste the text we copied from the .req file.




…and click Continue. Once the certificate is signed you will receive an email with instructions on how to retrieve it.
Go to the Toolbox, click the "Retrieve Certificate" link, select your certificate from the drop-down menu and click Continue.



Copy the text in the box – this is your certificate.



On the Exchange server, create a new text file (name it MyCert or similar), paste the text and save it. ***NOTE: give the file a .cer extension to avoid confusion later.

Before we import the certificate there is one more step: the StartCom CA chain must be installed on the Exchange server, otherwise Exchange cannot build a trusted path from the new certificate to a root and will report it as untrusted. Go to your StartCom Toolbox and click the StartCom CA Certificates link. You will be presented with this screen:




Save "Server Certificate Bundle with CRLs (PEM encoded)" to a location accessible from the Exchange server. On the server, locate the file (ca-bundle.cer if you kept the default name), right-click it and select Install Certificate. Accept the default settings. The certificates must end up in the computer (Local Machine) stores, not just in your user profile, because the Exchange services run as the computer; check afterwards in the Certificates MMC snap-in for the Computer account that the self-signed StartCom root is under Trusted Root Certification Authorities and the Class 1 intermediate under Intermediate Certification Authorities, and import them there yourself if they are not.

Once the CA chain is installed, we can complete the certificate request. In the EMC, highlight the request you created earlier (this is where the friendly name comes in handy) and click Complete Pending Request in the Actions pane.




Complete the wizard (you will be asked to select the .cer file you created earlier), then assign the services to the certificate: IIS covers OWA, ActiveSync, Outlook Anywhere and Autodiscover; add SMTP only if you want TLS on the transport service. A reboot is not required – restarting IIS (iisreset) is enough for the web services to pick up the new binding – but I restarted the server just in case.
It worked:
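The same provisioning done from the Exchange Management Shell instead of the EMC wizard, as an added example that is not part of the original post. It assumes the host names mail.example.com and autodiscover.example.com, the paths C:\NewReq.req, C:\MyCert.cer and C:\ca-bundle.pem (the StartSSL bundle saved under a .pem name), and an Exchange 2010 server you run it on step by step. The Exchange cmdlets are the documented 2010 ones; the CA-bundle import uses the .NET certificate-store classes directly because Windows Server 2008 R2 has no Import-Certificate cmdlet, and it sorts each certificate into the Root or Intermediate computer store by whether it is self-signed. The final check lists every host name the server hands to clients next to whether it is on the certificate, which is exactly the mismatch the comments below run into.

```powershell
# Added example (not from the original post). Assumed names and paths:
#   mail.example.com / autodiscover.example.com, C:\NewReq.req, C:\MyCert.cer, C:\ca-bundle.pem
# Run in the Exchange Management Shell on the Exchange 2010 server, one step at a time.

$server = $env:COMPUTERNAME

# --- 1. Generate the CSR. The private key is created in the local machine store and never
#        leaves the server; only the request text goes to the CA. A StartSSL Class 1 certificate
#        is issued for the CN only, but listing autodiscover keeps the request usable with a
#        SAN-capable CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -Server $server `
    -FriendlyName "StartSSL mail.example.com" `
    -SubjectName "CN=mail.example.com" `
    -DomainName "mail.example.com","autodiscover.example.com" `
    -KeySize 2048 `
    -PrivateKeyExportable $false
Set-Content -Path "C:\NewReq.req" -Value $csr
# Paste the contents of C:\NewReq.req into the StartSSL Certificate Wizard (click Skip at the
# key-generation step) and save the issued certificate text as C:\MyCert.cer before step 3.

# --- 2. Install the CA chain into the *computer* stores (Exchange services run as the computer,
#        so certificates in your user profile do not help). The bundle also carries CRL blocks;
#        the regex picks up only the CERTIFICATE blocks.
function Import-PemBundle([string]$Path) {
    $text  = [System.IO.File]::ReadAllText($Path)
    $found = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    foreach ($m in $found) {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)   # decoder ignores line breaks
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
        # Self-signed (subject equals issuer) is a root; anything else is an intermediate.
        $storeName = if ($cert.Subject -eq $cert.Issuer) { "Root" } else { "CA" }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, "LocalMachine"
        $store.Open("ReadWrite")
        $store.Add($cert)        # no-op if the certificate is already present
        $store.Close()
        Write-Host ("Installed '{0}' into LocalMachine\{1}" -f $cert.Subject, $storeName)
    }
}
Import-PemBundle "C:\ca-bundle.pem"

# --- 3. Complete the pending request with the issued certificate and bind it to IIS (OWA,
#        ActiveSync, Outlook Anywhere, Autodiscover). Add SMTP only if you want TLS on the
#        transport service; Enable-ExchangeCertificate prompts before replacing the default one.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]]$(Get-Content -Path "C:\MyCert.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# --- 4. Verify. Status must be Valid: Untrusted means step 2 did not land in the right store,
#        Invalid usually means the file does not match the pending request's key.
$cert = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$cert | Format-List FriendlyName, Status, Services, CertificateDomains, NotAfter

# Every host name the server directs clients to must be on the certificate, otherwise Outlook
# and ActiveSync show a name-mismatch warning. Collect the names from the client-facing settings.
$hosts = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $server) + @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    foreach ($u in $vd.InternalUrl, $vd.ExternalUrl) { if ($u) { $hosts += ([Uri]$u).Host } }
}
foreach ($oa in @(Get-OutlookAnywhere -Server $server)) { $hosts += "$($oa.ExternalHostname)" }
$adUri = (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
if ($adUri) { $hosts += $adUri.Host }

$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
foreach ($h in ($hosts | Where-Object { $_ } | Sort-Object -Unique)) {
    $state = if ($certNames -contains $h.ToLower()) { "on certificate" } else { "NOT on certificate" }
    "{0,-40} {1}" -f $h, $state
}

iisreset   # web services pick up the new binding; a full reboot is not needed
```

Any name reported as NOT on certificate is a warning waiting to happen: either add it to the certificate (a SAN-capable CA) or change the corresponding URL or host name setting to one that is on it.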

12 comments:

Chris said...

I just got off the phone with their tech support.

They said the free certificate does NOT work with Exchange 2010...

Per said...

Works fine for me :) Thanks for the guide!

Anonymous said...

Any idea on how to get this to work with dynamic DNS?

Odarchuk said...

What about SAN? Or is one domain name in the cert correct for Exchange 2010?

Tanguy said...

Hi, thank you for the howto... it works perfectly with RPC/HTTP but I have a certificate error in local Outlook. It says that the name on the certificate doesn't match my local server name...

Miguel Paquete said...

Tanguy, you can create a new forward lookup zone on your internal DNS that matches your domain's external name. Then create an A record with the internal IP of your server, something like "exchange.domain.com". Configure Outlook to point to this address instead of the one you currently have.
Regards,
Miguel
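Miguel's split-DNS suggestion as concrete commands, added here as an example and not part of his comment. It assumes the external zone example.com, the mail host mail.example.com at the internal address 10.0.0.5, a public web server at 203.0.113.10, and that it is run on a domain controller with the DNS Server role (dnscmd ships with that role on Windows Server 2008). The trap worth showing: once the internal copy of the zone exists, internal clients resolve every name under it from your server, so any public name they still need (www, autodiscover) has to be re-created there as well.

```powershell
# Added example (not from the comment). Assumed: zone example.com, mail.example.com at 10.0.0.5
# internally, public web server www.example.com at 203.0.113.10. Run on a DC with the DNS role.
$zone   = "example.com"
$dnsSrv = $env:COMPUTERNAME

# Internal, AD-integrated copy of the public zone (split-brain DNS).
dnscmd $dnsSrv /ZoneAdd $zone /DsPrimary

# Names internal clients need. Anything NOT listed here stops resolving internally,
# so copy every public record your users rely on.
dnscmd $dnsSrv /RecordAdd $zone mail         A 10.0.0.5
dnscmd $dnsSrv /RecordAdd $zone autodiscover A 10.0.0.5
dnscmd $dnsSrv /RecordAdd $zone www          A 203.0.113.10   # public address, unchanged

# Verify from a domain member: both names must now resolve to the internal address, and the
# name Outlook is pointed at must be one that appears on the certificate.
nslookup "mail.$zone"
nslookup "autodiscover.$zone"
```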

Jonathan Shapiro said...

You mention that I can add a second certificate for autodiscover.domain.com. Can you explain how this is done?

Drago said...

Jonathan,
You have two options:
1. Sign up for Class 2 certificate service. It is very cheap, it is for two years, and comes with unlimited certificates, unlimited SAN, wildcard, you name it.
2. Use Reverse Proxy with multiple listeners, where single certificate is assigned to every listener.

Lars Holgerson said...

Tried to use the Startcom SSL - but it did not work properly.

With their free SSL certificate you will receive nasty error messages (because you cannot add SAN to the free cert). Useless for my setup.

And for a class 2 cert (where you can add additional host names) they wanted a copy of my passport - NO, THANKS.


So I ended up buying a domain validated Comodo UCC - got a good price, it was issued in less than 10 minutes and it definitely works with Exchange 2013 :-)

Comodo SSL (UCC) for Exchange Server

Jeff Muller said...

It should also be pointed out that the free Class 1 certificate from StartCom MUST NOT be used for any commercial purpose...

@Lars:
Thanks for the referral - bought a PositiveSSL Multi-Domain Certificate from SSLPOINT - hassle free order process, excellent support. Highly recommendable !

Microsoft Server 2013 said...

Good article, thanks for sharing the great stuff about Microsoft.

Anonymous said...

Hi, it doesn't work any more, can you make a new post?

Thanks