In order to use outlook anywhere from outside, your certificate should contact the Root certificate Authority (Root CA) and you should not get any Pop Up warnings for the certificate, if you recieve this warning, then Outlook Anywhere will not work, even if you have all the correct configuration from internal. Your cerficiate should be working without any warnings or problems, and it should be trusted, if you are using Microsoft CA Server located inside, then you need to export the Root CA from that internal server and install it on the client that is trying to connect from outside. If you are using a third party certificate, then you have to install its Root CA internally on your exchange servers, and make sure that the root certificate of that third party CA is available under the certificate store of the client and under trusted certificates as well.
Important: Outlook Anywhere requires a valid certificate issued by a trusted Certification Authority.
This article will concentrate to help you setup your own Certification Authority, and issue a UC certificate for Exchange 2007.
1. Install the root certification authority role
Go to ‘Server Manager’ –> ‘Add Roles’ wizard –> Choose ‘Active Directory Certificate Services’ –> Next –> Choose ‘Certification Authority’ only (don’t need the other role services) –> Enterprise –> Next –> Root CA –> Next –> Create a new private key –> Keep all defaults here (2048 length / RSA Sha1 key) –> Keep Common Name as default –> Next –> Valid for 5 years should be fine as this is just for testing, change if you wish –> Next, Finish
2. Create the UC \ SAN certificate request
I would highly recommend navigating to the Digicert website and making use of their ‘free to use’ tool for creating a Exchange 2007 UCC cmdlet. (at time of writing this could be found at https://www.digicert.com/easy-csr/exchange2007.htm)
All in all you will need to include the ‘fully qualified domain name’ as specified for external access. The server NetBIOS name and distinguished name for internal access PLUS the autodiscover reference
mail.domain.com
autodiscover.domain.com
server.domain.local
server
New-ExchangeCertificate -GenerateRequest -Path c:\domain.csr -KeySize 2048 -SubjectName “c=GB, s=TheState, l=TheCity, o=TheOrgName, ou=TheDeptName, cn=mail.domain.com” -DomainName mail.domain.com, server.domain.local, server, autodiscover.domain.com -PrivateKeyExportable $True
3. Import the request file and generate us a certificate
certreq.exe -submit -attrib “CertificateTemplate:WebServer” c:\domain.csr.
This will generate a .cer file for us to import into Exchange.
4. Process the certificate request file
Using the generated .cer, go into Certificate Authority MMC (Start –>
Search –> type ‘Certification Authority’) –> Go to issued –>
Go to certificate -> Open –> Details –> Copy to file –>
Cryptographic message syntax standard -PKCS #7 Include all certificates
in the path –> Export –> Export as C:\domain.p7b.
5. Importing the certificate and attaching the relevant services
Import-ExchangeCertificate -Path C:\domain.p7b
Enable-ExchangeCertificate -Thumbprint <your thumbprint> -services IIS, POP, IMAP, SMTP
6. Importing the ‘certificate authority’ to client devices
On the server –> Go to IE –> Internet Options –> Content –> Certificates –> Go to Trusted Root Certificate Authority –> Export –> Cryptograpyhic Message Syntax Standard (.P7B) + Include all certificates in the path –> Export.
Then on the computers you need to TRUST the ‘certificate authority’ certificate, simply IMPORT this certificate into Trusted Root Certification
Authority using Internet Explorer Import command (make sure it is imported into Trusted Root Certification Authority when prompted by Import routine).
