How to create a certificate request for an Exchange 2007 UCC

[Dos_Box]

This will be of some use to those of you thinking of moving to Exchange 2007 in the near future and allowing external access to Outlook Web Access and other features.
Because Exchange 2007 relies of a different certificate type, the Unified Communications Certificate, which has 'alternative' credentials i.e. the certificate contains multiple host names.

As you will have to order your certificate online you will first need to generate the certificate request, and Microsoft wanting to make things easy insist that you have to use the Exchange Management Shell to generate it. You should use the following command (ensuring you are logged on as an Exchange administrator):

New-ExchangeCertificate -GenerateRequest -SubjectName "C=GB, O=servername, CN=exchange.yourdomain.ac.uk" -Path c:\certreq.req

This should generate the text you need to paste into the online order form.
The forms should also ask you for the alternative names you will need. These should reflect the server name, domain name, external FQDN name and the new 'autodiscover' url as shown below:

yourdomain.ac.uk
servername.yourdomain.ac.uk
servername
autodiscover.yourdomain.ac.uk
webalias.yourdomain.ac.uk (in case you use a reverse proxy or different external name for your server)

These reflect the services and roles both internal and external that Exchange 2007 uses SSL for.
I just thought you should be aware of all of this before you begin to migrate.

[buzzard]

sound like you had fun over half term

[Dos_Box]

It was hell. There is a LOT that you need to do before Exchange 2007 wants to play correctly, and most of it seems to be undocumented.
Microsoft, as usual were excellent with their professional support, but the big one is that people need to be aware they need the correct certificate (the UCC cert) or else it simply won't bother to do everything you need it to.

[Friez]

It was hell. There is a LOT that you need to do before Exchange 2007 wants to play correctly, and most of it seems to be undocumented.
Microsoft, as usual were excellent with their professional support, but the big one is that people need to be aware they need the correct certificate (the UCC cert) or else it simply won't bother to do everything you need it to.

Quoted for truth, Exchange 2007 is a nightmarish setup, especially with regards to certificates, let alone the fact that you MUST run it on 64bit machines, and all the other fiddly pre-requisites required.

[Ben_Stanton]

Despite all of the above, I LOOOOVE it!

But then I didn't really migrate from an existing email server. I literally left the old 'mailgate/eudora' shite running as a legacy server. Simply telling everybody it will be there for a year for archival purposes and that is it. As of whateber date, outlook and exchange is what we will be using.

Was accepted surprisingly well

[FragglePete]

Sorry to drag up an old thread.

Just installed Exchange 2007 at the moment, and now just getting the external OWA access working so sorting out certificates and stuff.

Useful info from Dos_box regarding requesting the certificate, which is detailed quite nicely here:

https://support.comodo.com/index.php...articleid=1143

However, can someone clear something up for me. Is this just what I need, or do I need an additional certificate for the IIS Side of things? Or will a UCC Certificate look after all of it for me? Reading all the books that I have go on about installing a SSL Certificate within the IIS Manager, and don't really mention the procedure that is detailed above.

Thanks in advance.

Pete

[Dos_Box]

A universal communications certificate is an SSL cert that allows you to have multiple entries for all names (internal and external) that you connect to your exchange server with. You simply install the certificate at the root of your exchange servers IIS and it will cover everything. If you are using Server 2008 and IIS look for the 'Bindings' option on the R\H\S of the IIS layout. You use this to change the SSL certificate being used.

[FragglePete]

Thanks, found this quite useful as well......

https://www.digicert.com/easy-csr/exchange2007.htm

Creates your CSR Command for you.

Pete

[rusty155]

Great info here - just out of interest for those of you that have them, where did you get your UCC from and roughly how much did you pay (if you don't mind sharing!).

Thanks.

[rusty155]

Anyone?!

[pooley]

Got our with "Go Daddy" https://www.godaddy.com/gdshop/ssl/ssl.asp for around £180 for 3 years

[FragglePete]

Got ours from SSL Certificates SSL Wildcard SSL Free Certificates SSL Server Certificate 256 bits which is free for education domains.

Not entirely convinced it's a proper UCC certificate, but I generated the request as detailed above and have managed to get it working with our Exchange 2007 box (eventually). OWA is secured quite nicely with 2048bit encryption

Pete