====== Exchange Server SSL Certificates ======

See also: **http://www.mustbegeek.com/configure-url-redirection-in-exchange-2013/**

See also: **[[internet:security:ssl_cert_windows|Windows SSL Certificates]]**

**Let's Encrypt**: https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server

:!: For **Exchange**, you will need a **SAN/UC certificate** (Subject Alternative Name / Unified Communications) that carries every host name clients connect to: the mail host, the Autodiscover host and, if it is used for mail or web access, the bare domain. A certificate whose names do not match the URLs Exchange hands out is the usual cause of the Outlook and ActiveSync certificate warnings covered further down this page.

**MS Exchange Certs**:
  * http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
  * http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28329448.html
  * https://www.securepaynet.net/ssl/ssl-certificates.aspx?ci=48761&prog_id=wittyweb&pl_id=418873&isc=ssl-01

  * You need a SAN certificate (for example the QuickSSL Premium product) listing at least:
    * mail.yourdomain.com
    * autodiscover.yourdomain.com
    * yourdomain.com

===== Disable SSLv3 =====

:!: This mitigates the **POODLE vulnerability** (CVE-2014-3566) for every service that uses Windows SChannel, which on an Exchange server means IIS (OWA, ECP, EWS, ActiveSync, Outlook Anywhere) as well as SMTP, POP3 and IMAP4.

Disable SSL 3.0 in Windows by modifying the Windows Registry using ''regedit'':

**HKLM -> SYSTEM -> CurrentControlSet -> Control -> SecurityProviders -> SCHANNEL -> Protocols -> SSL 3.0 -> Server**

  * ''Enabled'' = ''0'' (REG_DWORD)

:!: If the complete registry key path does not exist, create it (''Protocols'', then ''SSL 3.0'', then ''Server'').

:!: The ''Server'' key switches SSL 3.0 off for incoming connections. Create a sibling ''Client'' key with the same value if the server must also refuse SSL 3.0 when it connects outward (for example on send connectors).

:!: Restart the machine for the setting to take effect.

===== Small Business Server (SBS) =====

SBS has some nice tools for SSL certificates.
http://technet.microsoft.com/en-us/library/cc527486%28v=ws.10%29.aspx

===== Domain-Joined Outlook Security Warnings =====

http://social.technet.microsoft.com/Forums/exchange/en-US/6d000de1-4549-4135-946a-4c5abeac4859/outlook-2010-certificate-alert-when-connecting-to-exchange-2010-server?forum=exchange2010

http://support.microsoft.com/kb/940726

Domain-joined Outlook clients use the Autodiscover SCP and the internal URLs configured further down. If those still point at the server's internal FQDN while the certificate only carries the public names, Outlook shows a name-mismatch certificate alert on every start.

===== Force SSL and Change OWA URL =====

http://social.technet.microsoft.com/Forums/exchange/en-US/48980a0f-5732-40e1-9dc2-e61a5fd550b9/redirect-default-website-of-exchange-2010-to-owa-login-page?forum=exchange2010

https://technet.microsoft.com/en-us/library/aa998359%28v=exchg.150%29.aspx

This redirects plain requests for the site root to OWA over HTTPS:

  - In **IIS** under **Default Web Site** open ''HTTP Redirect''.
  - Tick ''Redirect requests to this destination'' and enter the URL ''https://webmail.mydomain.com/owa''.
  - Tick ''Only redirect requests to content in this directory (not subdirectories)''.
  - Leave the **Status code** as ''Found (302)''.
  - Click ''Apply''.

Child virtual directories inherit the redirect from the site root. Once the steps above are completed, open ''HTTP Redirect'' on each of the following virtual directories, clear the ''Redirect requests to this destination'' check box and apply the change:

  * aspnet_client
  * Autodiscover
  * ecp
  * EWS
  * Microsoft-Server-ActiveSync
  * OAB
  * Powershell
  * Rpc

Please note: the Exchange, Exchweb and Public virtual directories (legacy directories, where they exist) should keep redirecting to /owa.

:!: The redirect only fires if plain HTTP can reach the site root, so **Require SSL** must be cleared on **Default Web Site** itself (otherwise HTTP requests get a 403.4 before the redirect is evaluated). Leave **Require SSL** set on ''owa'' and the other virtual directories so that they still refuse unencrypted connections; the 302 does not enforce TLS by itself.

:!: Finally, restart IIS with the ''iisreset'' command and test the various URLs.

===== Change the Exchange Services URLs =====

FIXME Needs verification! Not valid for Exchange 2013.

:!: Change the ''mail.yourdomain.com'' part to match the name in your SSL certificate.
Depending on the names included in your SSL certificate, run the following commands in the Exchange Management Shell to point the internal URLs that Exchange hands out at the public name in your certificate. Each ''Set-*VirtualDirectory'' cmdlet is fed from its matching ''Get-*'' cmdlet so the change is applied to every server in the organisation; add ''-Server'' to the ''Get-*'' cmdlet to limit it to one server.

<code powershell>
# Autodiscover: the SCP URI (AutodiscoverServiceInternalUri) is what domain-joined Outlook looks up
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://mail.yourdomain.com/autodiscover/autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri "https://mail.yourdomain.com/autodiscover/autodiscover.xml"

# Web services (EWS), OAB, OWA, ECP and ActiveSync
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.yourdomain.com/EWS/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "https://mail.yourdomain.com/oab"
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl "https://mail.yourdomain.com/owa"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "https://mail.yourdomain.com/ecp"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"
</code>

:!: Once the commands above have been run, restart IIS:

<code powershell>
iisreset
</code>

If you can't restart IIS:
  - Open IIS Manager.
  - Expand the local computer, and then expand Application Pools.
  - Right-click ''MSExchangeAutodiscoverAppPool'', and then click Recycle.
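The check that belongs after the URL changes above (and that the Testing section below does by hand) is whether every host name in the configured URLs is actually covered by the certificate, and whether the server presents that certificate. The following is an added example written for this page, not Exchange or page code: the function names are chosen here, the sample SAN list and URLs are constructed, and the live section at the end assumes the ''DnsNameList'' extended property that Windows PowerShell adds to ''X509Certificate2'' objects (''Get-ExchangeCertificate'' output has it too).

```powershell
# Added example, not part of the original page: check that every host name in the
# URLs Exchange hands out is covered by the certificate's SAN list, and fetch the
# certificate a server actually presents on a port. Function names are chosen here.

function Test-NameCoveredBySan {
    # $true if $Name is listed in $SanNames, literally or via a wildcard entry.
    # A wildcard covers exactly one label (*.yourdomain.com covers mail.yourdomain.com
    # but not yourdomain.com or a.b.yourdomain.com), which is how Outlook, browsers
    # and ActiveSync clients evaluate it.
    param([Parameter(Mandatory)][string]$Name, [string[]]$SanNames)
    $n = $Name.ToLowerInvariant()
    foreach ($san in $SanNames) {
        $s = $san.ToLowerInvariant()
        if ($s -eq $n) { return $true }
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)                          # ".yourdomain.com"
            if ($n.EndsWith($suffix)) {
                $label = $n.Substring(0, $n.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-UrlCoverage {
    # One row per URL: its host name and whether the SAN list covers it. Empty
    # entries (unset External/Internal URLs) are skipped.
    param([string[]]$Urls, [string[]]$SanNames)
    foreach ($u in ($Urls | Where-Object { $_ })) {
        $hostName = ([System.Uri]$u).Host
        [pscustomobject]@{
            Url      = $u
            HostName = $hostName
            Covered  = Test-NameCoveredBySan -Name $hostName -SanNames $SanNames
        }
    }
}

function Get-RemoteTlsCertificate {
    # Returns the leaf certificate a TLS endpoint presents (OWA on 443 by default).
    # Chain validation is deliberately accepted here because the point is to
    # inspect the certificate even when it is wrong; do not reuse this callback
    # in anything that relies on the connection.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# --- Offline demonstration with constructed data (no Exchange server needed) ---
$sampleSan  = 'mail.yourdomain.com', 'autodiscover.yourdomain.com', 'yourdomain.com'
$sampleUrls = @(
    'https://mail.yourdomain.com/owa'
    'https://mail.yourdomain.com/EWS/Exchange.asmx'
    'https://autodiscover.yourdomain.com/autodiscover/autodiscover.xml'
    'https://exch01.yourdomain.local/Microsoft-Server-ActiveSync'   # still on the internal name: reported as not covered
)
Test-UrlCoverage -Urls $sampleUrls -SanNames $sampleSan | Format-Table -AutoSize

# --- Live use in the Exchange Management Shell (uncomment on a server) ---
# $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
# $san  = $cert.DnsNameList | ForEach-Object { $_.Unicode }
# $vdirs = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory; Get-WebServicesVirtualDirectory;
#            Get-OabVirtualDirectory; Get-ActiveSyncVirtualDirectory)
# $urls = @($vdirs | ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" })
# $urls += "$((Get-ClientAccessServer).AutoDiscoverServiceInternalUri)"
# Test-UrlCoverage -Urls $urls -SanNames $san | Format-Table -AutoSize
# (Get-RemoteTlsCertificate -HostName 'mail.yourdomain.com').DnsNameList   # what clients actually receive
```

Run the offline part in any Windows PowerShell; the constructed ActiveSync URL shows up with ''Covered = False'', which is exactly the condition that produces the Outlook and ActiveSync certificate warnings. The live part feeds the real URLs and the SAN list of the certificate bound to IIS through the same function, and ''Get-RemoteTlsCertificate'' confirms that the certificate presented on 443 is the one you expect (compare its thumbprint with ''Get-ExchangeCertificate'' output).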
===== Testing =====

https://testconnectivity.microsoft.com/

==== Create a Test User ====

The script prompts for the test account's password; use a strong one.

<code powershell>
cd $env:ExchangeInstallPath\Scripts
Get-MailboxServer | .\New-TestCasConnectivityUser.ps1
</code>

==== PowerShell ====

<code powershell>
Get-ExchangeCertificate | fl
Test-WebServicesConnectivity | fl
Test-OutlookConnectivity -Protocol HTTP
# Enables Outlook Anywhere (one-time); the external host name must be one of the names in the certificate
Enable-OutlookAnywhere -Server "Exchange" -ExternalHostname "mail.icahealth.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
Test-OutlookWebServices -ClientAccessServer "Exchange"
</code>

===== Wildcard Certs =====

http://blog.jamzarwebdesign.com.au/?p=245

http://www.windowsinfo.eu/?p=236

==== Install .crt WC Cert from Comodo ====

=== Convert Cert from .crt to .pfx ===

:!: The online converter used below requires uploading ''certname.key'', the private key, to a third party. A production key should never leave your own machines: prefer building the PFX locally with OpenSSL (''openssl pkcs12 -export'' with the certificate, private key and CA chain as inputs), and treat a key that has been uploaded to a web site as compromised.

  - Copy the 3 cert files to the server: ''certname.crt'', ''certname.key'', ''certname_ca.crt''
  - Open https://www.sslshopper.com/ssl-converter.html
  - Choose ''Type to Convert To: PFX/PKCS#12''
  - ''Certificate File to convert: certname.crt''
  - ''Private Key file: certname.key''
  - ''Chain Certificate file: certname_ca.crt''
  - Click ''Convert Certificate'' and download the PFX (set a password on it; the import below asks for it)

==== Install on Exchange 2013 ====

=== In Exchange Management Shell ===

<code powershell>
# Import the PFX (certificate + private key). A password-protected PFX needs -Password;
# leave it out only if the file was exported without one.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "E:\Cert_Location\your_cert_name.pfx" -Encoding Byte -ReadCount 0)) -Password (Read-Host -AsSecureString "PFX password")
</code>

=== Check Cert ===

Importing only adds the certificate to the store; no service uses it until it is assigned with ''Enable-ExchangeCertificate'' (see Troubleshooting below).

<code powershell>
Get-ExchangeCertificate | fl
</code>

==== Set FQDN for POP and IMAP ====

''X509CertificateName'' must exactly match a name (subject or SAN) in the certificate assigned to the POP and IMAP services; otherwise the services fall back to the self-signed certificate and clients get a name mismatch.

<code powershell>
Get-ExchangeCertificate
Set-ImapSettings -X509CertificateName yourarecord.yourdomain.com
Set-PopSettings -X509CertificateName yourarecord.yourdomain.com
Get-PopSettings
Get-ImapSettings
</code>

==== Restart POP and IMAP ====

  - ''Restart-Service MSExchangePOP3''
  - ''Restart-Service MSExchangeImap4''

:!: On Exchange 2013 also restart the back-end services ''MSExchangePOP3BE'' and ''MSExchangeIMAP4BE''.

==== Receive Connector ====

https://blog.cpolydorou.net/2018/03/configuring-certificate-on-exchange.html

<code powershell>
Get-ReceiveConnector
Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
</code>

Set the certificate used by the Default Frontend (SMTP on port 25) connector. ''TlsCertificateName'' expects the certificate's issuer and subject joined with the ''<I>'' and ''<S>'' markers; a plain concatenation of the two strings is not matched to any certificate and the connector keeps using the default one:

<code powershell>
Get-ExchangeCertificate
$cert = Get-ExchangeCertificate -Thumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$cert | fl Thumbprint,Issuer,Subject
$tls = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" -TlsCertificateName $tls
Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01" | fl
</code>

Test from a Linux host (the certificate chain and subject are printed; check that the subject matches the connector's name and that the issuer is your CA, not the self-signed server certificate):

<code bash>
openssl s_client -connect exchange.yourdomain.tld:25 -starttls smtp < /dev/null
</code>

===== Microsoft Exchange Server Auth Certificate =====

Read this entire page first: https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html

==== Exchange Admin Center ====

Renew the expired/expiring certificate in EAC: **EAC -> Servers -> Certificates**

:!: Copy the **thumbprint of the new MESAC** (Microsoft Exchange Server Auth Certificate); it is needed in the EMS commands below.

==== Exchange Management Shell ====

:!: Substitute your new thumbprint.

<code powershell>
Get-AuthConfig
$thumb = "1DB0B9BC4195B1F5EDFC4CDED5106B9F4069FFF1"
$date = Get-Date
Set-AuthConfig -NewCertificateThumbprint $thumb -NewCertificateEffectiveDate $date
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate
iisreset
</code>

:!: If it is still not working properly, try rebooting the server.

===== Troubleshooting =====

Do **not** delete the last self-signed certificate: Exchange uses it for the back-end web site and for server-to-server traffic. Delete all unused **commercial** certs to avoid confusion as to which cert is applied where.

List all certs and their details:

<code powershell>
Get-ExchangeCertificate | fl cert*,services,thumb*,subject
</code>

Import a certificate file and assign it to services. ''-FileName'' is not available on Exchange 2013 (use the ''-FileData'' form shown above there); ''-Confirm'' makes ''Enable-ExchangeCertificate'' ask before it replaces the current default SMTP certificate:

<code powershell>
Import-ExchangeCertificate -Server $ServerName -FileName $CertificateImport
Enable-ExchangeCertificate -Thumbprint $certPrint.Thumbprint -Services POP,IMAP,IIS,SMTP -Confirm
Enable-ExchangeCertificate -Server '' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint ''
</code>
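The receive-connector ''TlsCertificateName'' string above is easy to get wrong, and the only symptom is that SMTP quietly keeps presenting the self-signed certificate. The following is an added example written for this page, not Exchange or page code: it parses the ''<I>issuer<S>subject'' string, resolves it against a certificate list of the shape ''Get-ExchangeCertificate'' returns (issuer, subject, thumbprint, expiry, services) and reports days to expiry, which is the same check the MESAC and Troubleshooting sections rely on. Function names are chosen here and the sample certificates are constructed; the live lines at the end assume that ''TlsCertificateName'' stringifies to the ''<I>...<S>...'' form.

```powershell
# Added example, not from the original page: resolve which certificate a receive
# connector's TlsCertificateName ("<I>issuer<S>subject") refers to and report
# expiry, so the connector binding can be verified after Set-ReceiveConnector.
# Function names are chosen here; the sample certificate objects are constructed.

function ConvertFrom-TlsCertificateName {
    # Splits "<I>CN=issuer...<S>CN=subject..." into its two parts; returns $null
    # when the markers are missing (the format Exchange requires was not used).
    param([string]$TlsCertificateName)
    if ($TlsCertificateName -match '^<I>(?<issuer>.*)<S>(?<subject>.*)$') {
        return [pscustomobject]@{ Issuer = $Matches['issuer']; Subject = $Matches['subject'] }
    }
    return $null
}

function Resolve-ConnectorCertificate {
    # $Certificates: objects with Issuer, Subject, Thumbprint, NotAfter and Services
    # (the shape Get-ExchangeCertificate returns). Returns one row per matching
    # certificate with days left until expiry, or nothing when no certificate matches.
    param([string]$TlsCertificateName, [object[]]$Certificates, [datetime]$Now = (Get-Date))
    $parts = ConvertFrom-TlsCertificateName $TlsCertificateName
    if (-not $parts) {
        Write-Warning "TlsCertificateName lacks the <I>/<S> markers: '$TlsCertificateName'"
        return @()
    }
    @($Certificates |
        Where-Object { $_.Issuer -eq $parts.Issuer -and $_.Subject -eq $parts.Subject } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $Now).TotalDays)
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Services   = $_.Services
                DaysLeft   = $daysLeft
                Expiring   = ($daysLeft -lt 30)
                SelfSigned = ($_.Issuer -eq $_.Subject)
            }
        })
}

# --- Constructed sample data standing in for Get-ExchangeCertificate output ---
$now = Get-Date '2024-03-01'
$sampleCerts = @(
    [pscustomobject]@{ Thumbprint = 'AAAA1111'; Issuer = 'CN=Example Public CA';  Subject = 'CN=mail.yourdomain.com'; NotAfter = $now.AddDays(20); Services = 'IMAP, POP, IIS, SMTP' }
    [pscustomobject]@{ Thumbprint = 'BBBB2222'; Issuer = 'CN=VA-EXCH-01';         Subject = 'CN=VA-EXCH-01';          NotAfter = $now.AddYears(4); Services = 'SMTP' }
)
$good = '<I>CN=Example Public CA<S>CN=mail.yourdomain.com'
$bad  = 'CN=Example Public CACN=mail.yourdomain.com'   # issuer and subject concatenated without markers

Resolve-ConnectorCertificate -TlsCertificateName $good -Certificates $sampleCerts -Now $now | Format-Table -AutoSize
Resolve-ConnectorCertificate -TlsCertificateName $bad  -Certificates $sampleCerts -Now $now   # warns and returns nothing

# --- Live use in the Exchange Management Shell (uncomment on a server) ---
# $rc = Get-ReceiveConnector "VA-EXCH-01\Default Frontend VA-EXCH-01"
# Resolve-ConnectorCertificate -TlsCertificateName "$($rc.TlsCertificateName)" -Certificates (Get-ExchangeCertificate) | Format-Table -AutoSize
```

With the constructed data the well-formed name resolves to thumbprint ''AAAA1111'' with ''DaysLeft = 20'' and ''Expiring = True'', while the marker-less string produces only a warning, which is what you would see on a connector configured with a bare issuer+subject concatenation. On a real server, an empty result for the live call means the connector is still presenting the default (self-signed) certificate on port 25, which the ''openssl s_client'' test above will confirm.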