Creating A Certificate Server For Use With OWA (Exchange Server)
December 6, 2008
I have installed Outlook Web Access (henceforth known as OWA) for many different organisations. The concept is reasonably simple, and can make a large difference for a company, particularly with a mobile workforce. Staff who wish to work from home, or who are ill on a given day, are generally very grateful to be able to reach their corporate email from home, or even on holidays (not always appreciated as much
Some pre-requisites for installation:
A working Microsoft Windows Server 2003 or later server.
Internet Information Services (IIS). If it is not already installed, do so through the Start Menu, ‘Add or Remove Programs’, then ‘Add/Remove Windows Components’:

Select the check box for IIS, then click ‘Next’ to install. Reboot if requested.
Other prerequisites are a working server with Internet access and correctly configured DNS: the full DNS name of the server must be registered in DNS and propagated to the Internet. You must be able to ping the host from the Internet or, if pings are filtered, to contact the server on the configured ports. Usually this will be port 443 (HTTPS), the secure port through which OWA on Exchange is accessed.
You will need a permanent IP address for this to work, or have a working setup to map changes to IP to a host name through DYNDNS or similar organization.
Finally, you will need to be able to pass on any ports through your firewall/router infrastructure. In the case of a Cisco setup or an ADSL router, a port forwarding rule will need to be put in place to forward port 443 from the router to your internal server.
Certificate Services Installation
The next step is to install Certificate Services. Go through the same process as before, but this time select ‘Certificate Services’.
You will get a pop up as follows:

Click ‘Yes’, then ‘Next’. (This basically warns you against changing either the machine name or the domain membership after installing Certificate Services.)
You will now be asked what type of Certificate Services server you wish to install, and in our case it will be:
Enterprise Root CA
Click ‘Next’ to continue.
You will now be asked to enter the Common Name for the CA. Enter the full DNS name of the machine you are installing to, for example:
mail.domain.com, where <domain> is the name of your own domain.
Do not enter any data into any other fields, but click ‘Next’
You will now be asked to enter paths for logs and associated database paths. I would recommend that you leave these as defaults.
Click ‘Next’
Certificate Services should now go ahead and install with the information you have entered.
Creating A Certificate Request
After the Certificate Server component has installed, you will need to create a Certificate Request. This is so you can forward it to your chosen agency for Certificate signing.
Click on ‘Start’, ‘Administrative Tools’, ‘Internet Information Services (IIS) Manager’, then expand the ‘Websites’ item and right click on ‘Default Website’, then choose ‘Properties’.
Click on the ‘Directory Security’ tab and on ‘Secure Communications’ click on ‘Server Certificate’

We are creating a new certificate, so leave the default selection which is ‘Create a new certificate’, and as we are going to be our own CA, click on ‘Prepare the request now, but send it later’ then click on ‘Next’
Type in a name for the Certificate, use something memorable and that will relate to what you are doing, such as OWA SSL Certificate. Leave the Bit Length as is, and click ‘Next’
You will now need to enter your ‘Organization Name’ and the ‘Organizational Unit’. For the sake of keeping things structured, these should correspond with any current Active Directory setup you have; however, you can name them as you wish.
Your Organization Name should be whatever your business name is, and the Organizational Unit should be something like your own structural division.
For example: My Corporation, Information Technology.
Click ‘Next’ again.
The next screen is critical to your setup working correctly, so be careful when entering the data!
The ‘Common name’ should be the WORKING DNS name that you have already established through DNS, i.e. the name users will type into their browser; if it differs, their browser will warn them that the certificate name does not match. This will be something like:
mail.domain.com (where <domain> is the name of your company)
For example, if your company is accessed by www.domain.com, use <domain> as your name.
Note: If your DNS is handled by your ISP, which is very common for small organisations, you will need them to set this up for you. Put in a request explaining what you are doing and including all the relevant data, such as the Internet name. You will still need to forward any traffic through your firewall or router to the internal email host. Your ISP will then create an ‘A’ record in DNS which points to your public IP address. (A public IP address is the address you receive from your ISP when you connect to them. If you receive a permanent IP address, all this will work fine. If not, you will need to use another organisation such as DYNDNS to map the changes to your IP to a permanent name. I will cover this in a different article.)
You will now need to enter the Country/Region, State/province and City/Locality information. This is as per your own specific geographical region data. Such as:
AU (Australia), Western Australia, Perth
Or whatever is the case for your server.
Click ‘Next’
You will now be asked to save the request into a file. Choose wherever you wish, as long as you remember where you stored it!
Click ‘Next’ again
You will now be able to view all the information as you have entered it, so go through it carefully and click on the ‘Back’ button to correct any mistakes.
If you are satisfied, click ‘Finish’
Ok, we now have a (hopefully) working Certificate Server, and a request pending.
On your Server, open up Internet Explorer, and type in:
http://servername/certsrv
Where <servername> is the name of the server you are working on.
If all is working ok, you should see a screen with a line which says:
Microsoft Certificate Services – <servername>
Click on ‘Request a certificate’
Click ‘Advanced Certificate Request’
Then, select:
‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file’
(the second one! I know it is long winded, but it will be fine)
Ok, now you need to open the certificate request you created earlier. Open the text file containing the request in ‘Notepad’ or any text editor and copy all the content (CTRL-A will do this for you after clicking anywhere in the text file; do not drag to select, as you may miss something).
Paste the clipboard contents into the box provided (Base-64). You should see a long block of base-64 text, with BEGIN NEW CERTIFICATE REQUEST near the top.
Click on ‘Submit’
Then select ‘Base 64 encoded’ and then ‘Download Certificate’
Click ‘Save’
and save the ‘certnew.cer’ onto your C: drive at the root level (easier to find)
Close off the Internet Explorer window if all has gone ok.
Attaching the Certificate to your Default Website
Right, we have obtained a working certificate, and we need to attach this to our website.
Click on Start, Administrative Tools, Internet Information Services (IIS) Manager.
Expand the Websites item, and right click on ‘Default Website’, then choose ‘Properties’
Select the ‘Directory Security’ tab item and under ‘Secure Communications’ click on ‘Server Certificate’ then click ‘Next’

You will need to select ‘Process the pending request and install the certificate’, and then click ‘Next’

Choose the path and filename of the certificate file you saved just recently, for example: c:\certnew.cer, then click ‘Next’
If you are choosing the default SSL port, you will enter ‘443’ in the next box, and click ‘Next’
Again, you will be shown a summary of your actions, so check it all out and be sure it is correct!
If so, click ‘Next’ again and you will be shown a ‘successfully completed’ message.
Click ‘Finish’
To enable this, you need to click on the ‘Edit’ button under ‘Secure Communications’ on the Default Website, and check the boxes next to ‘Require secure channel (SSL)’ and ‘Require 128-bit encryption’, as follows:

Then click ‘OK’
Testing Your SSL Configuration
Now, the final touch. Testing your configuration! Open up Internet Explorer again, and type in the following:
https://servername/exchange
You should then receive a pop up message as follows:

The warning message is fine: it appears because you are accessing the server using its short machine name (servername) instead of the full DNS name you entered as the certificate’s Common Name, so the name in the address bar does not match the certificate. Users connecting with the full DNS name will not see it.
So click ‘Yes’
If all goes well, you should be in receipt of another box which is asking you to enter your login name and password to access the OWA server!
Use your Administrator login for these purposes, to test that it works.
Congratulations, you are now in possession of a working SSL enabled OWA server to present to management and your users!
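A scripted check of what the site actually presents on port 443 is worth more than one browser visit. The Python below is an added example, not part of the original article: it verifies the chain against your exported Enterprise Root CA certificate (placeholder path) and tests whether the name a user types is covered by the certificate’s Common Name or subjectAltName, which is why browsing to https://servername/exchange trips the warning above while the public DNS name does not. The function names, the CA file path and the sample certificate dict are assumptions of this example.

```python
# Added example (not from the article): check what the OWA site really serves.
# Assumptions: port 443 and the public DNS name from the article; the Enterprise
# Root CA certificate exported to a PEM file (placeholder path) so the chain verifies.
import socket
import ssl

def names_in_cert(cert):
    """Host names a cert covers, in ssl.SSLSocket.getpeercert() dict shape:
    subjectAltName DNS entries, then the subject CN (all the IIS wizard sets)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def hostname_matches(cert, hostname):
    """True if hostname is covered exactly or by a single-label wildcard (*.domain.com)."""
    host = hostname.lower().rstrip(".")
    for name in names_in_cert(cert):
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False

def fetch_peer_cert(hostname, ca_file="C:\\ca-root.cer", port=443):
    """Connect, verify the chain against the exported root CA, return the cert dict."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # chain is still verified; the name is judged above
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape: the certificate requested in the article
# carries the public DNS name as CN and no subjectAltName.
SAMPLE_CERT = {
    "subject": ((("organizationName", "My Corporation"),),
                (("organizationalUnitName", "Information Technology"),),
                (("commonName", "mail.domain.com"),)),
}

if __name__ == "__main__":
    print(hostname_matches(SAMPLE_CERT, "servername"))       # False: the browser warning
    print(hostname_matches(SAMPLE_CERT, "mail.domain.com"))  # True: what users should type
```

Run it with `fetch_peer_cert("mail.domain.com")` from a client that has the root CA exported; if the chain fails to verify there, your users’ browsers will show a trust warning as well as the name warning.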