



One of the confusions when migrating from a Windows 2003 SBS Server to a Windows 2008 Server is the change in SSL certificate. SBS 2008 has moved from a single-name SSL certificate to the UC/SAN (Unified Communications/Subject Alternative Name) certificate. Your nice cheap SSL certificate will no longer work and you will need to purchase the more expensive and confusing UC/SAN certificate.
It’s not that complex really: all the UC/SAN certificate does is contain alternate host names within it. It differs from a wildcard SSL certificate, which just covers a whole domain, for example *.upuaut.net. A UC/SAN certificate covers multiple domains.
OK, so SBS 2008. It needs a UC/SAN certificate with the following names in it (using mydomain.com as an example, with the local server called myserver.mydomain.local):
remote.mydomain.com (Used for the Remote Web Workplace/webmail)
autodiscover.mydomain.com (Used for the excellent autodiscover service)
myserver.mydomain.local (Used internally)
smtp.mydomain.com (Used for SSL encrypted SMTP traffic)
myserver
Making the CSR
So how do we generate the CSR (Certificate Signing Request) for this lot?
Right-click the Exchange Management Shell and choose Run as administrator. Amend the command below to match your own names and paste it in as a single line:
New-ExchangeCertificate -GenerateRequest -Path c:\remote_mydomain_com.csr -KeySize 2048 -SubjectName "c=GB, s=Region, l=City, o=Mydomain Limited, ou=Information Technology, cn=remote.mydomain.com" -DomainName autodiscover.mydomain.com, myserver.mydomain.local, smtp.mydomain.com, myserver -PrivateKeyExportable $True
Once this is done you need to find a nice cheap place for UC/SAN certificates. You can get them from this site, a Go Daddy reseller in the UK, for £37.05 a year.
Place your order and paste in the CSR from c:\remote_mydomain_com.csr (just open it in Notepad).
When you paste it in, press Tab and make sure the subject alternative names all appear correctly. Once happy, let it chew around in the Go Daddy system until they authorise it (the CNAME method is pretty quick!).
In the meantime, make sure you set up external DNS A records for remote.mydomain.com, smtp.mydomain.com and autodiscover.mydomain.com.
Installation
When the certificate is delivered, copy it to the server. Open the Exchange Management Shell again as administrator and run:
Import-ExchangeCertificate -Path C:\mydomain.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
There you go, all done. Clients can now just open Outlook 2007 anywhere and enjoy the encrypted connection just by typing in their mail address and password!
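To confirm the installed certificate really carries all five names listed earlier and is bound to the four services, a check like the following can be run in the same Exchange Management Shell. This is an added example, not part of the original post: Test-SbsCertificate is a hypothetical helper name, the host names are the post's mydomain.com placeholders, and it assumes the newest certificate listing remote.mydomain.com is the one just imported.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell after Import-ExchangeCertificate / Enable-ExchangeCertificate.
# Test-SbsCertificate is a hypothetical name; the defaults are the post's
# placeholder host names and the services it enables.
function Test-SbsCertificate {
    param(
        [string[]] $Required = @('remote.mydomain.com',
                                 'autodiscover.mydomain.com',
                                 'myserver.mydomain.local',
                                 'smtp.mydomain.com',
                                 'myserver'),
        [string[]] $Services = @('SMTP', 'IMAP', 'POP', 'IIS')
    )

    # Assumption: the newest certificate that lists the public name is the
    # one just imported. CertificateDomains holds the CN and the SAN entries.
    $cert = Get-ExchangeCertificate |
        Where-Object { @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Required[0] } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No installed certificate lists $($Required[0])"
        return $false
    }

    $names    = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $enabled  = $cert.Services.ToString()
    $problems = @()

    # Every host name clients will use must be present, or they get name-mismatch warnings.
    $problems += @($Required | Where-Object { $names -notcontains $_ } |
        ForEach-Object { "name missing from certificate: $_" })
    # Every service must actually be bound to this certificate.
    $problems += @($Services | Where-Object { $enabled -notmatch "\b$_\b" } |
        ForEach-Object { "not enabled for service: $_" })
    # The private key only exists on the server that generated the CSR.
    if (-not $cert.HasPrivateKey)      { $problems += 'no private key on this server' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

    Write-Host "Checked $($cert.Thumbprint), valid until $($cert.NotAfter)"
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

Test-SbsCertificate
```

It prints True when nothing is missing; otherwise each gap appears as a warning before False is returned.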

