Install CA for Exchange 2003
The first thing to do is to decide which server should hold the Certificate Authority (CA) role. It could be any server as long as it's at least a member server. If you have a single box setup, such as a Small Business Server (SBS), the decision shouldn't be very hard.
In order to add the Certificate Services Web Enrollment component (a subcomponent of the CA), which we're going to use in this article, the server needs to be running IIS, so if you haven't already done so, install IIS before continuing with this article. If you plan on installing the CA component on the Exchange server itself, then there's nothing to worry about, because as you know, Exchange 2003 relies heavily on IIS, which means it's already installed.
To install the CA component, do the following:
- Click Start > Control Panel > Add or Remove Programs
- Select Add/Remove Windows Components
- Put a checkmark in Certificate Services
A warning dialog will pop up; just click Yes, then Next.
We now have to select what type of CA to use. Choose Enterprise root CA and click Next.
In the following screen we have to fill out the Common name for our CA, which in this article is mail.testdomain.com.
Leave the other fields untouched and click Next >
We now have the option of specifying an alternate location for the certificate database, database log, and configuration information. In this article we will use the defaults, which in most cases should be just fine.
Now click Next >
The Certificate Services component will now be installed; when it has completed, click Finish.
Creating the Certificate Request
Now that we have installed the Certificate Services component, it's time to create the Certificate Request for our Default Website. We should therefore do the following:
- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Expand Websites > Right-click Default Website then select Properties
- Now hit the Directory Security tab
- Under Secure Communications click Server Certificate…
As we’re going to create a new certificate, leave the first option selected and click Next >
Because we’re using our own CA, select Prepare the request now, but send it later, then click Next >
Type a descriptive name for the Certificate and click Next >
We now need to enter our organization name and the organizational unit (which should be pretty self-explanatory), then click Next >
In the next screen we need to pay extra attention, as the common name must reflect the external FQDN (Fully Qualified Domain Name). To spell it out, this is the address external users have to type into their browsers in order to access OWA from the Internet; if it doesn't match, their browsers will warn about the certificate.
Note: As many (especially small to midsized) companies don't publish their Exchange servers directly to the Internet but instead run the Exchange server on a private IP address, they let their ISP handle their external DNS settings. In most cases the ISP creates a so-called A record named mail.domain.com pointing to the company's public IP address, and the firewall at that address then forwards the appropriate port (443) to the Exchange server's internal IP address.
When you have entered a Common Name, click Next >
Now it's time to specify the Country/Region, State/Province and City/locality; this shouldn't need any further explanation. When you have filled out each field, click Next >
In the below screen we have to enter the name of the certificate request we're creating. The default is just fine, so click Next >
In this screen we can see all the information we filled in during the previous IIS Certificate Wizard screens, if you should have made a mistake, this is your last chance to correct it. If everything looks fine click Next >
And finally we can click Finish
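The request the IIS Certificate Wizard builds in the steps above can also be produced from the command line with certreq.exe and an INF file, which is handy for scripting or for checking exactly what went into the request. This is an added example, not part of the original article: the file name request.inf and the OU/O/L/S/C values are assumed placeholders; only the Common Name mail.testdomain.com comes from the article.

```ini
; request.inf (assumed name) - equivalent of the IIS Certificate Wizard request.
; All values except the Common Name are placeholders; replace them with your own.
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN must be the external FQDN users type into their browser to reach OWA.
Subject = "CN=mail.testdomain.com, OU=IT, O=Test Domain Ltd, L=Copenhagen, S=Copenhagen, C=DK"
KeySpec = 1                  ; AT_KEYEXCHANGE, required for an SSL/TLS server key
KeyLength = 2048
Exportable = TRUE            ; allows backing up the certificate with its private key
MachineKeySet = TRUE         ; key goes into the computer store, where IIS looks for it
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0              ; digital signature + key encipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1      ; Server Authentication

; Run from a command prompt on the web server, as an administrator:
;   certreq -new request.inf request.txt
;   certreq -submit -attrib "CertificateTemplate:WebServer" request.txt certnew.cer
;   certreq -accept certnew.cer
; -submit sends the request to the enterprise CA using the Web Server template;
; -accept installs the issued certificate into the computer store next to its key.
```

After certreq -accept, bind the certificate to the Default Website with the same Server Certificate wizard, this time choosing Assign an existing certificate.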