This is made hugely complicated and twisted.
First off, there are two ways to obtain a signed SSL certificate. One is the way StartSSL does it: you verify your domain ownership by following a link sent in a mail to e.g. hostmaster@domain and then you receive your certificate (a signed public key) directly. The other is that you send a CSR and then obtain your signed certificate. The latter seems to be the more common.
The problem with Windows/Exchange/IIS here seems to be that it does all it can to hide your private key from you. The only way to obtain it is with a .pfx file (personal information exchange).
Here are the steps to obtain a signed certificate using a CSR with Windows Server 2008 and Exchange 2008.
- DigiCert has a handy tool to simplify this process: https://www.digicert.com/easy-csr/exchange2007.htm
- Open “Exchange management shell” and paste the command the DigiCert tool gave you. This will place a .csr file in the root of your C: drive.
- Get yourself a certificate.
- Now we need to import the certificate (the signed public key) into the depths of Windows. Open up the “Exchange management shell” again and write:
# The import lists the new certificate with its thumbprint; use that thumbprint in the second command.
Import-ExchangeCertificate -Path C:\path-to-certificate.cer
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
Now Windows/IIS/Exchange should be aware of the certificate (the public key should now be signed). This means that you can now use it for your OWA. If you are getting errors about a missing private key, read below.
- Open “IIS Manager” and select your server, then open “Server Certificates”. Now you should see your new certificate there. If you want to export it, you can export it here as a .pfx file.
- In order to make OWA use your new certificate go to: Sites -> Default Web Site -> Click “Bindings” in the “Actions” tab on the right.
- Choose HTTPS and click on Edit.
- Choose the certificate. Exchange has probably labelled it “Microsoft Exchange” for you. Click on “View certificate” to check. Use the thumbprint to verify it. Click OK.
- Restart IIS: cmd -> IISReset
- All done!
If you are getting errors about “missing private key”:
- Open MMC and add a “Certificates” snap-in.
- Choose “computer account”
- If you don’t see your certificate there (mine was there since I managed to use Import-ExchangeCertificate) you might have to import it: Right click on Personal and choose All tasks -> Import.
- Certificate Store: Personal
- Double-click on the cert and go to the “Details” tab. Find “Serial Number” and jot it down.
- Start -> Run -> cmd
- certutil -repairstore my <insert Serial Number here>
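The two procedures above, the import/enable steps and the private-key repair, chained together in one Exchange Management Shell script. This is an added example, not the post's or DigiCert's own code; the CSR path, subject and host names are placeholders, and it assumes Import-ExchangeCertificate returns the certificate object (so its Thumbprint can be read) and that the machine Personal store is reachable as Cert:\LocalMachine\My.

```powershell
# Added example (not from the post). Placeholders: mail.example.com, the paths, the subject.
# Run in the Exchange Management Shell on the server that will host OWA.

# 1. Generate the key pair and the CSR on this machine. The private key is created here
#    and never leaves the machine; -PrivateKeyExportable $true is what later allows a
#    .pfx export from IIS Manager. Leave it $false if you never need to move the key.
New-ExchangeCertificate -GenerateRequest -Path "C:\mail.example.com.csr" -KeySize 2048 `
    -SubjectName "C=US, O=Example Ltd, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -PrivateKeyExportable $true

# ... submit the CSR to the CA and save the issued certificate as C:\mail.example.com.cer ...

# 2. Import the signed certificate (the public half) and keep its thumbprint,
#    which is the identifier every later cmdlet wants.
$cert  = Import-ExchangeCertificate -Path "C:\mail.example.com.cer"
$thumb = $cert.Thumbprint

# 3. Verify that Windows paired the certificate with the private key from step 1.
$stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($stored -eq $null) {
    throw "Certificate $thumb is not in the computer's Personal store"
}

if (-not $stored.HasPrivateKey) {
    # The "missing private key" case from the post: ask certutil to re-link the
    # certificate with its key, using the serial number, then re-read the store.
    certutil -repairstore my $stored.SerialNumber
    $stored = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $stored.HasPrivateKey) {
        # The repair can only succeed on the machine where the CSR was generated.
        throw "Private key still missing for $thumb; was the CSR generated on this server?"
    }
}

# 4. Bind the certificate to IIS (OWA), show what Exchange now uses, and restart IIS.
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Subject, Thumbprint, Services
iisreset
```

Compare the Thumbprint shown in the last Format-List output with the one displayed under “View certificate” in the IIS bindings dialog before trusting the binding.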
Also, if you have come to hate Windows/IIS/Exchange – fear not, you are not alone!
Any hints on where the actual private key resides are welcome.
Comment (1)
This helped me a lot, thanks! Working now for postur.mss.is