Wednesday, December 30, 2009

Free SSL Certificate for your Exchange 2010 server

Sounds too good to be true, but… it is. I was doing some research on public certificate issuers (after all, I am running all this from home and am on a budget as well) and found startcom.org. They offer certificates at all validation levels, and the lowest, Class 1, is free – a perfect scenario for testing your Exchange and (hopefully) OCS public connectivity environment. Here is the comparison chart for their services:





I found that the free edition does not support SAN (Subject Alternative Name) entries, so you might need another certificate for autodiscover.your_domain, but that is not a big deal. Class 2 and above support it, and you can’t beat their prices… I will seriously consider changing over when our production certificate expires.

Here are the steps to provision your Exchange Server with a startcom.org SSL certificate.

***Windows Explorer 7 will NOT work. Save yourself time and frustration, get Firefox to complete this task…

Go to this link: https://www.startssl.com/?app=12

Click the Sign-Up button.
Fill in the form…




…and click Continue. An email with a validation code will be sent to the email address you used on the form. Enter the code and continue. You will be taken to your toolbox.




The first thing to do here is to verify your domain – click the Check DNS of Domain link. Enter your domain name and TLD, and click Check. Another validation email will follow – you know the drill. Once your domain is verified, it will appear here:




Now it is time to create your Exchange 2010 CSR (Certificate Signing Request). Go to your Exchange server, start EMC (Exchange Management Console) and go to Server Configuration. Click New Exchange Certificate in the right pane. Give it a name first:




Do not enable Wild Card – we cannot issue it anyway.




Because we want to (and can only) test some basic functionality, not all options will be used here:




On the next screen you will see some SANs, but the StartSSL free edition will disregard them anyway…




On the next screen you need to enter some information (again, it will be disregarded) and also the location where the CSR will be saved. In this case – c:\NewReq.req



Click “Next” on the last screen and the request will be processed.



Locate the .req file, open it with a text editor and copy the text.




The next step is to submit the CSR to StartSSL for digital signing. Go back to your StartSSL Control Panel, click “Certificate Wizard” and select “Web Server SSL…” from the drop-down menu.




Click Continue.




***Make sure you click the “Skip” button (since we generated the key on our Exchange server).

On the next screen paste the text we copied from the .req file.




…and click Continue. Once the certificate is signed, you will receive an email with instructions on how to retrieve it.
Go to the Toolbox, click the “Retrieve Certificate” link, select your certificate from the drop-down menu and click Continue.



Copy the text in the box – this is your certificate.



Go to your Exchange server, create a new text file, name it MyCert or similar, paste the text and save it. ***NOTE: Change the file extension to .cer to avoid confusion later.

Before we proceed with the certificate import, there is one more step – we must import the StartSSL Root CA to our Exchange server. Go to your StartCom Toolbox and click the StartCom CA Certificates link. You will be presented with this screen:




You need to save “Server Certificate Bundle with CRLs (PEM encoded)” to a location accessible from your Exchange server. Go back to your Exchange server, locate the file (“ca-bundle.cer” if you used the default name), right-click it and select Install Certificate. Accept the default settings.

Once the Root CA is installed, we can complete the certificate request. In EMC, highlight the request you created earlier (this is where the friendly name comes in handy), and click Complete Pending Request in the right pane.




Complete the steps in the wizard (you will have to select the .cer file you created earlier), assign the services associated with this certificate and… I restarted the server just in case…
It worked:
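
The same wizard steps can be run from the Exchange Management Shell. The script below is an added example, not part of the original post; it also lists the host names the issued certificate really covers before importing it, which matters because the free Class 1 certificate disregards the requested SANs. The host names, friendly name and service list are placeholders, `C:\MyCert.cer` assumes the MyCert file was saved at the root of C:, and the SAN parsing assumes an English-language Windows install.

```powershell
# Added example: shell equivalent of the wizard steps, plus a name check.
# Placeholder host names that clients will connect to.
$needed = 'mail.example.com', 'autodiscover.example.com'

# 1. Generate the CSR; the private key is created and kept on the Exchange server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'StartSSL test' `
    -SubjectName 'cn=mail.example.com' `
    -DomainName $needed `
    -KeySize 2048 `
    -PrivateKeyExportable $false
Set-Content -Path 'C:\NewReq.req' -Value $csr

# 2. Submit C:\NewReq.req to the CA and save the signed reply as C:\MyCert.cer.

# 3. Before importing, collect the names the CA actually put in the certificate.
#    The SAN extension (OID 2.5.29.17) is formatted as "DNS Name=..." lines.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\MyCert.cer'
$names = @($cert.GetNameInfo('SimpleName', $false))
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += $san.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } }
}
$missing = $needed | Where-Object { $names -notcontains $_ }
if ($missing) {
    Write-Warning ('Certificate does not cover: ' + ($missing -join ', '))
}

# 4. Complete the pending request, assign services, and confirm the result.
$imported = Import-ExchangeCertificate -FileData `
    ([Byte[]]$(Get-Content -Path 'C:\MyCert.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter
```

Any name reported by the warning in step 3 will produce a certificate name mismatch for clients that connect to it.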

35 comments:

Chris said...

I just got off the phone with their tech support.

They said the free certificate does NOT work with Exchange 2010...

Per said...

Works fine for me :) Thanks for the guide!

Anonymous said...

Any idea on how to get this to work with dynamic DNS?

Odarchuk said...

What about SAN? Or one domain_name in cert is correct for Exchange 2010?

Tanguy said...

Hi, thank you for the howto... works perfectly with rpc/http but I have a certificate error on local Outlook. It says that the name of the certificate doesn't match my local server name...

Miguel Paquete said...

Tanguy, you can create a new forward lookup zone on your internal DNS that matches your domain's external name. Then create an A record with the internal IP of your server, something like "exchange.domain.com". Configure Outlook to point to this address instead of what you currently have.
Regards,
Miguel

Jonathan Shapiro said...

You mention that I can add a second certificate for autodiscover.domain.com. Can you explain how this is done?

Drago said...

Jonathan,
You have two options:
1. Sign up for Class 2 certificate service. It is very cheap, it is for two years, and comes with unlimited certificates, unlimited SAN, wildcard, you name it.
2. Use a reverse proxy with multiple listeners, where a single certificate is assigned to every listener.

Lars Holgerson said...

Tried to use the Startcom SSL - but it did not work properly.

With their free SSL certificate you will receive nasty error messages (because you cannot add SAN to the free cert). Useless for my setup.

And for a class 2 cert (where you can add additional host names) they wanted a copy of my passport - NO, THANKS.


So I ended up buying a domain validated Comodo UCC - got a good price, it was issued in less than 10 minutes and it definitely works with Exchange 2013 :-)

Comodo SSL (UCC) for Exchange Server

Jeff Muller said...

It should also be pointed out that the free class 1 certificate from StartCom MUST NOT be used for any commercial purpose...

@Lars:
Thanks for the referral - bought a PositiveSSL Multi-Domain Certificate from SSLPOINT - hassle free order process, excellent support. Highly recommendable !

Microsoft Server 2013 said...

Good article, thanks for sharing the great stuff about microsoft.

Anonymous said...

hi no work more you can make a new post ?

Thanks
