Wednesday, December 30, 2009

Free SSL Certificate for your Exchange 2010 server

Sounds too good to be true, but… it is. I was doing some research on Public Certificate issuer (after all, I am running all this from home and am on budget as well) and found They offer all Validation Levels certificates and the lowest, Class 1, is free – a perfect scenario to test your Exchange and (hopefully) OCS public connectivity environment. Here is the comparison chart for their services:

I found that the free edition does not support SAN and so, you might need another cert. for autodiscover.your_domain but… not a big deal. Class 2 and above will do it and can’t beat their prices… I will seriously reconsider changing over when our production cert. expires.

Here are the steps to provision your Exchange Server with SSL certificate.

***Windows Explorer 7 will NOT work. Save yourself time and frustration, get Firefox to complete this task…

Go to this link:

Click on Sign-Up button
Fill in the form…

…and click Continue. An email with validation code will be sent to the email address you’ve used on the form. Enter it and continue. You will be taken to your toolbox.

First thing to do here is to verify your domain – click Check DNS of Domain link. Enter your domain name and TLD, and click Check. Another validation email will follow – you know the drill. Once your domain is verified, it will appear here:

Now it is time to create your Exchange 2010 CSR (Certificate Signing Request). Go to your Exchange server, start EMC and go to Server Configuration. Click New Exchange Certificate on right pane. Give it a name first:

Do not enable Wild Card – we cannot issue it any way.

Because we want (and can only) test some basic functionality, not all options will be used here:

On the next screen you will see some SAN’s but… StartSSL free edition will disregard it any way…

On the next screen you need to enter some info (again – it will be disregarded) and also a location – where the CSR will be saved. In this case – c:\NewReq.req

Click “Next” on the last screen and the request will be processed.

Locate .req file, open it with text editor and copy the text.

The next step will be to submit the CSR to StartSSL for digital signing. Go back to your StarSSl’s Control Panel, click “Certificate Wizard” and select “Web Server SSL…” from the drop down menu.

Click Continue.

***Make sure you click “Skip” button (since we generated the key on our exchange server).

On the next screen paste the text we copied from the .req file.

…and click Continue. Once the certificate is signed, you will receive an email with instructions now to retrieve it.
Go to the Toolbox, Click “Retrieve Certificate” link, select your certificate from the drop down menu and click Continue.

Copy the text in the box – this is your certificate.

Go to your Exchange server, create new text file name it MyCert or so, paste the text and save it. ***NOTE. Change the file extension to .cer to avoid confusion later.

Before we proceed with the Certificate import, there is one more step – we must import the StartSSL Root CA to our Exchange server. Go to your StarCom’s Toolbox and click StartCom CA Certificates link. You will be presented with this screen:

You need to save “Server Certificate Bundle with CRLs (PEM encoded)” to a location accessible from your exchange server. Go back to your exchange server, locate the file “ca-bundle.cer” if you used the default name, right click over it and select Install Certificate. Accept the default settings.

Once the Root CA is installed, we can now complete the Certificate Request. On EMC, highlight the Request you created earlier (this where the Friendly name comes handy), and click Complete Pending Request on the right pane.

Complete the steps in the wizard (you will have to select the .cer file you created earlier), assign the services associated with this certificate and… I restarted the server just in case…
It worked: