Exchange Server SSL Certificates

Disable SSLv3

:!: This mitigates the Poodle vulnerability on all Windows services.

Disable SSL 3.0 in Windows by modifying the Windows Registry using regedit:

HKLM → System → CurrentControlSet → Control → SecurityProviders → SCHANNEL → Protocols → SSL 3.0 → Server

  • Enabled = 0

:!: If the complete registry key path does not exist, you can create it.

:!: Restart the machine for the setting to take effect.
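The same registry change, done from an elevated PowerShell prompt instead of regedit, with a read-back check so a typo in the key path cannot leave SSL 3.0 silently enabled. This is an added example, not part of the original page; it sets the Enabled value described above and additionally sets DisabledByDefault, a second SCHANNEL value that stops SSL 3.0 being negotiated when an application leaves protocol selection to the system defaults.

```powershell
# Added example: disable SSL 3.0 on the server side via the SCHANNEL registry key
# described above, then read the values back. Run as Administrator; a reboot is
# still required before SCHANNEL picks the change up.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

# Create the whole key path if it does not exist yet (-Force creates parents).
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Enabled = 0 is the value the page sets. DisabledByDefault = 1 is added here so
# that SSL 3.0 is also off for callers that rely on the SCHANNEL defaults.
New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null

# Verify: fail loudly if either value did not land.
$props = Get-ItemProperty -Path $key
if ($props.Enabled -ne 0 -or $props.DisabledByDefault -ne 1) {
    throw "SSL 3.0 server settings under $key are not as expected"
}
Write-Host 'SSL 3.0 (server) disabled in the registry; reboot for it to take effect.'
```

The page only covers the Server subkey, which is what matters for Exchange's listeners; the Client subkey next to it controls outbound connections from the box and can be handled the same way if required.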

Small Business Server (SBS)

SBS has some nice tools for SSL certificates.

http://technet.microsoft.com/en-us/library/cc527486%28v=ws.10%29.aspx

Domain-Joined Outlook Security Warnings

Force SSL and Change OWA URL

http://social.technet.microsoft.com/Forums/exchange/en-US/48980a0f-5732-40e1-9dc2-e61a5fd550b9/redirect-default-website-of-exchange-2010-to-owa-login-page?forum=exchange2010

https://technet.microsoft.com/en-us/library/aa998359%28v=exchg.150%29.aspx

This will redirect requests to OWA via SSL:

  1. In IIS under Default Web Site open up the HTTP Redirect
  2. Select Redirect requests to this destination: and type the following URL: https://webmail.mydomain.com/owa.
  3. Select Only redirect requests to content in this directory (not subdirectories)
  4. Leave the Status code as Found (302)
  5. Click on Apply

Once the above steps are completed, go through each of the following virtual directories. In its HTTP Redirect section, clear the Redirect requests to this destination check mark and Apply the changes, otherwise the vdir inherits the redirect from the site root and the client protocol stops working:

  • aspnet_client
  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • Powershell
  • Rpc

Please Note: The Exchange, Exchweb, and Public virtual directories should redirect to /owa.

:!: Finally, restart IIS with iisreset command and test the various URLs.
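The same redirect configuration applied with the WebAdministration module rather than by clicking through IIS Manager, so it can be repeated on every CAS and reviewed afterwards. This is an added example, not from the original page; it assumes the site is named Default Web Site and uses the page's placeholder URL https://webmail.mydomain.com/owa, which must be replaced with the name on your certificate.

```powershell
# Added example: apply the HTTP Redirect settings from the steps above with the
# IIS WebAdministration module. Run as Administrator on the Client Access server.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$owaUrl = 'https://webmail.mydomain.com/owa'     # replace with your own name
$filter = 'system.webServer/httpRedirect'

# Site root: redirect on, this directory only (childOnly), 302 Found.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name destination        -Value $owaUrl
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name httpResponseStatus -Value 'Found'

# Virtual directories that must NOT inherit the redirect (the list from the page).
$noRedirect = 'aspnet_client','Autodiscover','ecp','EWS',
              'Microsoft-Server-ActiveSync','OAB','Powershell','Rpc'
foreach ($vdir in $noRedirect) {
    $path = "$site\$vdir"
    if (Test-Path $path) {
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name enabled -Value $false
    }
}

# Legacy vdirs (Exchange, Exchweb, Public) should redirect to /owa, if present.
$legacy = 'Exchange','Exchweb','Public'
foreach ($vdir in $legacy) {
    $path = "$site\$vdir"
    if (Test-Path $path) {
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name enabled     -Value $true
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name destination -Value '/owa'
    }
}

# Read back the effective setting of every vdir so a forgotten one shows up.
foreach ($vdir in ($noRedirect + $legacy)) {
    $path = "$site\$vdir"
    if (Test-Path $path) {
        $r = Get-WebConfiguration -PSPath $path -Filter $filter
        '{0,-28} enabled={1,-5} destination={2}' -f $vdir, $r.enabled, $r.destination
    }
}
```

Run iisreset afterwards as the page says, then request each URL in the read-back table over HTTPS: the site root should answer 302 to /owa, and every vdir listed as enabled=False should answer with its normal content or authentication prompt rather than a redirect.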

Change the Exchange Services URLs

FIXME Needs verification! Not valid for Exchange 2013.

See also CloudPanel Exchange Hosting Panel

:!: Change the mail.yourdomain.com part to match the name in your SSL certificate.

Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

# Pipe each Get-* into its Set-* so every virtual directory on every server receives the URL.
# (The dashes must be plain ASCII hyphens; copying "–" from a web page breaks the parameters.)

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://mail.yourdomain.com/autodiscover/autodiscover.xml"

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://mail.yourdomain.com/autodiscover/autodiscover.xml"

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.yourdomain.com/EWS/Exchange.asmx"

Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "https://mail.yourdomain.com/oab"

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl "https://mail.yourdomain.com/owa"

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "https://mail.yourdomain.com/ecp"

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

:!: Once the commands above have been done:

Restart IIS:

iisreset

If you can't restart IIS:

  1. Open IIS Manager.
  2. Expand the local computer, and then expand Application Pools.
  3. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
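Outlook's certificate warning goes away only when every host name Exchange hands out is actually on the certificate bound to IIS. The following added example (not part of the original page) lists the URLs set by the commands above and checks each host name against the CertificateDomains of the IIS-enabled certificate; it is written for the Exchange 2010/2013 cmdlets and property names shown on this page and runs in the Exchange Management Shell.

```powershell
# Added example: verify that every client-access URL host name is covered by the
# certificate that has the IIS service enabled.

# Host names (lower-cased) on every certificate bound to IIS.
$certDomains = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-CertCoversHost {
    param([string]$HostName, [string[]]$Domains)
    # Exact SAN match, or a wildcard entry for the parent domain. A wildcard
    # covers one label only: "*.yourdomain.com" covers mail.yourdomain.com
    # but not a.b.yourdomain.com, and that is what this test encodes.
    $h = $HostName.ToLower()
    if ($Domains -contains $h) { return $true }
    $parent = ($h -split '\.', 2)[1]
    return [bool]($parent -and ($Domains -contains "*.$parent"))
}

# One row per URL, built with New-Object so it also runs on PowerShell 2.0.
function New-UrlRow([string]$Type, $Url) {
    New-Object PSObject -Property @{ Type = $Type; Url = $Url }
}
$rows = @()
$rows += Get-AutodiscoverVirtualDirectory | ForEach-Object { New-UrlRow 'Autodiscover'     $_.InternalUrl }
$rows += Get-ClientAccessServer           | ForEach-Object { New-UrlRow 'Autodiscover SCP' $_.AutoDiscoverServiceInternalUri }
$rows += Get-WebServicesVirtualDirectory  | ForEach-Object { New-UrlRow 'EWS'              $_.InternalUrl }
$rows += Get-OabVirtualDirectory          | ForEach-Object { New-UrlRow 'OAB'              $_.InternalUrl }
$rows += Get-OwaVirtualDirectory          | ForEach-Object { New-UrlRow 'OWA'              $_.InternalUrl }
$rows += Get-EcpVirtualDirectory          | ForEach-Object { New-UrlRow 'ECP'              $_.InternalUrl }
$rows += Get-ActiveSyncVirtualDirectory   | ForEach-Object { New-UrlRow 'ActiveSync'       $_.InternalUrl }

# Print one line per URL; anything flagged is a host name Outlook will warn about.
foreach ($r in $rows) {
    if (-not $r.Url) { '{0,-16} (no URL set)' -f $r.Type; continue }
    $hostName = ([uri]$r.Url).Host
    $ok = Test-CertCoversHost -HostName $hostName -Domains $certDomains
    '{0,-16} {1,-60} {2}' -f $r.Type, $r.Url, $(if ($ok) { 'OK' } else { 'NOT on IIS cert' })
}
```

A row showing the server's internal FQDN (server.domain.local) rather than the public name is the usual cause of the warning on domain-joined clients; a row with no URL set means that service falls back to the server name, which is just as bad.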

Testing

Create a Test User

Use a strong password:

cd $env:ExchangeInstallPath\Scripts
Get-MailboxServer | .\New-TestCasConnectivityUser.ps1

PowerShell

Get-ExchangeCertificate | FL

Test-WebServicesConnectivity | fl

Test-OutlookConnectivity -Protocol HTTP

Enable-OutlookAnywhere -Server "Exchange" -ExternalHostname "mail.icahealth.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Test-OutlookWebServices -ClientAccessServer "Exchange"

Wildcard Certs

Install .crt WC Cert from Comodo

Convert Cert from .crt to .pfx

  1. Copy the 3 cert files to the server: certname.crt, certname.key, certname_ca.crt
  2. Choose Type to Convert To: PFX/PKCS#12
  3. Certificate File to convert: certname.crt
  4. Private Key file: certname.key
  5. Chain Certificate file: certname_ca.crt
  6. Click Convert Certificate and download

Install on Exchange 2013

  1. In the Exchange Management Shell, import the PFX:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "E:\Cert_Location\your_cert_name.pfx" -Encoding byte -ReadCount 0))
  2. Check the cert:
Get-ExchangeCertificate | fl
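The conversion and import steps above as one script, added here and not part of the original page. It builds the PFX locally with OpenSSL instead of a web converter, so the private key never leaves the server, then imports it with the password the PFX now carries and binds it to the Exchange services. It assumes openssl.exe is on PATH, the three files from the CA are in E:\Cert_Location with the names used in the conversion steps, and it runs in the Exchange Management Shell on Exchange 2013.

```powershell
# Added example: local .crt/.key/.ca -> .pfx conversion, import and service binding.
$dir  = 'E:\Cert_Location'
$pfx  = Join-Path $dir 'certname.pfx'
$pass = Read-Host -AsSecureString 'PFX password'    # prompted, never hard-coded

# 1. Bundle leaf cert, private key and CA chain into one PKCS#12 file.
#    The password is passed to openssl through an environment variable so it
#    does not appear on the command line; it is removed again right after.
$env:PFX_PASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass))
& openssl pkcs12 -export `
    -in       (Join-Path $dir 'certname.crt') `
    -inkey    (Join-Path $dir 'certname.key') `
    -certfile (Join-Path $dir 'certname_ca.crt') `
    -out      $pfx `
    -passout  env:PFX_PASS
$exit = $LASTEXITCODE
Remove-Item Env:\PFX_PASS
if ($exit -ne 0) { throw 'openssl pkcs12 -export failed' }

# 2. Import the PFX (same form as the page, plus -Password) and keep the
#    certificate object that carries the private key.
$cert = Import-ExchangeCertificate `
            -FileData ([Byte[]]$(Get-Content -Path $pfx -Encoding Byte -ReadCount 0)) `
            -Password $pass -PrivateKeyExportable $true |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'Import returned no certificate with a private key' }

# 3. Bind it to the client-facing services and confirm the result.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP -Confirm:$false
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, HasPrivateKey
```

Check the final Format-List output: Services must list IIS and the other services you enabled, and CertificateDomains must contain the wildcard entry (*.yourdomain.com) so that the mail and autodiscover names are covered. Delete certname.key from the server once the PFX has been imported and backed up.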

Set FQDN for POP and IMAP

Get-ExchangeCertificate
Set-ImapSettings -X509CertificateName yourarecord.yourdomain.com
Set-PopSettings -X509CertificateName yourarecord.yourdomain.com
Get-PopSettings
Get-ImapSettings

Restart POP and IMAP

  1. Restart-Service MSExchangePOP3
  2. Restart-Service MSExchangeImap4

Troubleshooting

Do not delete the last self-signed cert.

Delete all unused commercial certs to avoid confusion as to which cert is being applied where.

List all certs and their details:

Get-ExchangeCertificate | fl cert*,services,thumb*,subject

internet/mail/exchange/exchange_ssl.1525967324.txt.gz · Last modified: 2018/05/10 09:48 by gcooper