How to Obtain a Web Site Certificate
You can secure communications between an email client and many of the Exchange Server or IIS services using SSL/TLS encryption. Mail-related services that can be secured include:
- IIS SMTP service
- Exchange SMTP service
- Exchange NNTP service
- Exchange POP3 service
- Exchange IMAP4 service
- Exchange Outlook Web Access
Secure communications protect both user credentials and data moving through the secure channel. There are two basic requirements that must be met before you can secure data using SSL/TLS encryption between the email client and mail-related service:
- The mail-related service must have a Web site certificate bound to it.
- The mail client must trust the CA (certificate server) that issued the certificate to the mail-related service. You do this by placing the Root CA certificate for your organization into the Trusted Root Certification Authorities node on the email client.
You can obtain a Web site certificate using one of two methods:
· Make a request to an online Certificate Authority (CA)
You can make an online request to an enterprise CA if the site is a member of the same domain as the CA. The Certificate Request Wizard will automatically send the request to the online enterprise CA and the enterprise CA will immediately issue the certificate. The Certificate Request Wizard then installs the certificate for you. The certificate is stored in the Personal\Certificates node in the machine account’s certificate store.
The certificate is not stored in the logged-on user’s account. This is one of the most common errors administrators run into when managing certificates. The machine uses the certificate to identify itself to users and machines that request identification.
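The following PowerShell script is an added example, not part of the deployment kit, that makes the machine-store point above checkable. It lists the certificates in the machine account’s Personal\Certificates store (Cert:\LocalMachine\My) that a service could actually be bound to (Server Authentication usage, private key present, not expired) and warns if such a certificate has landed in the logged-on user’s store instead. The EKU OID and store paths are standard Windows values; the function name is ours.

```powershell
# Added example (not from the deployment kit): inventory certificates that an
# IIS or Exchange service could be bound to, and flag ones requested into the
# wrong (user) store.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)

function Get-BindableServerCert {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # A certificate with no EKU extension is unrestricted; otherwise the
        # Server Authentication purpose must be listed.
        $eku = @($cert.EnhancedKeyUsageList)
        $hasServerAuth = ($eku.Count -eq 0) -or
            (@($eku | Where-Object { $_.ObjectId -eq $ServerAuthOid }).Count -gt 0)

        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $cert.Subject
            DnsNames   = (@($cert.DnsNameList.Unicode) -join ', ')
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            ServerAuth = $hasServerAuth
            # Only a machine-store certificate that passes all three checks can
            # be assigned to a virtual server by the Certificate Wizard.
            Bindable   = ($StorePath -like 'Cert:\LocalMachine\*') -and
                         $hasServerAuth -and $cert.HasPrivateKey -and
                         ($cert.NotAfter -gt (Get-Date))
        }
    }
}

$machineCerts = Get-BindableServerCert -StorePath 'Cert:\LocalMachine\My'
$userCerts    = Get-BindableServerCert -StorePath 'Cert:\CurrentUser\My'

Write-Host "Certificates in the machine store (Personal\Certificates):"
$machineCerts | Format-Table Subject, DnsNames, NotAfter, HasKey, ServerAuth, Bindable -AutoSize

# The common mistake described in the text: the certificate was requested while
# a user's store was selected, so the service cannot see it.
$misplaced = $userCerts | Where-Object { $_.ServerAuth -and $_.HasKey }
if ($misplaced) {
    Write-Warning "Server-authentication certificate(s) found in the logged-on user's store; re-request them for the machine account or import them into Cert:\LocalMachine\My:"
    $misplaced | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}
```

Run it in an elevated session on the server; certificates in Cert:\LocalMachine\My are readable by administrators only.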
· Make an offline request
If you do not have an enterprise CA, you can use an offline request. You need to use an offline request if the server requesting the certificate does not belong to the same domain as an enterprise CA or does not trust that domain, if you are using a standalone CA, or if you obtain a certificate from a commercial third-party certificate provider.
The offline request is saved as a file and submitted to the untrusted enterprise CA, the standalone CA or the third-party certificate provider. The CA issues a certificate and then you manually install the certificate into the machine store and bind it to the Exchange service that you want to secure using SSL/TLS.
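As an added example that is not part of the deployment kit, the same offline request can be produced from the command line with certreq.exe instead of the wizard’s “Prepare the request now, but send it later” option. The script writes the INF that certreq reads, creates the request file, submits it and installs the issued certificate into the machine store. The FQDN smtpauth.internal.net is the one used later in this document; the organization values, the working directory and the CA name <CAHOST\CAName> are placeholders; the 2048-bit key length and the Subject Alternative Name extension are our choices, not settings the wizard exposes.

```powershell
# Added example (not from the deployment kit): offline certificate request with
# certreq.exe. Placeholders: organization fields, C:\CertRequest, <CAHOST\CAName>.
$Fqdn = 'smtpauth.internal.net'
$Work = 'C:\CertRequest'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq takes its parameters from an INF file. MachineKeySet = TRUE places the
# key in the machine store rather than the logged-on user's store, which is the
# mistake the text warns about. Exportable = FALSE keeps the private key from
# being copied off the server later.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=Example Org, OU=Messaging, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name carrying the same FQDN as the Common name
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@
Set-Content -Path "$Work\request.inf" -Value $inf -Encoding ASCII

# 1. Create the request. The private key is generated now and parked in the
#    machine's REQUEST store until the certificate comes back.
certreq.exe -new "$Work\request.inf" "$Work\request.req"

# 2. Submit request.req to the CA. For a Windows standalone or untrusted
#    enterprise CA, -config names it. A standalone CA that requires manual
#    approval returns a RequestId instead of a certificate; after approval run
#    certreq.exe -retrieve <RequestId> certificate.cer. For a commercial
#    provider, paste the contents of request.req into their enrollment page.
certreq.exe -submit -config "<CAHOST\CAName>" "$Work\request.req" "$Work\certificate.cer"

# 3. Install the issued certificate. certreq matches it to the pending key and
#    places the pair in Cert:\LocalMachine\My (Personal\Certificates).
certreq.exe -accept "$Work\certificate.cer"

# Confirm the certificate and its private key are in the machine store before
# binding it to the service with the "Assign an existing certificate" option.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

The request is only complete once step 3 has run on the same machine that ran step 1; the private key never leaves that machine, so the issued certificate is useless anywhere else.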
The remainder of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document covers detailed procedures for obtaining Web site certificates via online and offline requests.
Obtaining a Web Certificate from an Online Certificate Authority (CA) – Microsoft Enterprise CA
The Web site certificate can be bound to any IIS or Exchange Server service that supports SSL/TLS encryption. In the following example we will request a Web site certificate for the IIS SMTP service. You use the same procedures when obtaining a certificate for any other IIS or Exchange mail service (NNTP, SMTP, IMAP4 and POP3). The only difference is that you access the Certificate Request Wizard from a different service’s Properties dialog box.
The following procedure describes how to submit a request to an online certification authority. The online certificate authority is an enterprise CA belonging to the same domain as the machine requesting the certificate, or a domain that the machine trusts.
When the certificate request completes, a Web site certificate is placed into the machine’s Personal\Certificates certificate store and the certificate is bound to the Web site. Any certificate located in the machine’s Personal\Certificates certificate store that is able to provide server authentication can be bound to the IIS or Exchange service.
Perform the following steps to create the online request and install the certificate:
1. In the Internet Information Services (IIS) Manager console, right-click on the service you want to obtain the certificate for and click the Properties command (figure 1).
2. In the service’s Properties dialog box, click on the Access tab. On the Access tab, click on the Certificate button in the Secure communication frame (figure 2).
3. Read the information on the Welcome to the Web Server Certificate Wizard page and click Next (figure 3).
4. On the Server Certificate page, select the option that fits your requirements (figure 4). You have the following options:
Create a new certificate
This allows you to request a new certificate for the SMTP virtual server. If you do not already have a certificate, then this is the option you should select.
Assign an existing certificate
If you already have a certificate for this virtual server, then you can bind the certificate to the SMTP virtual server using this option. The certificate must already be installed in the machine’s certificate store.
Import a certificate from a Key Manager backup file
If you have a certificate from an IIS 4.0 site, you can import the certificate from a Key Manager backup file using this option.
Import a certificate from a .pfx file
If you have a certificate that has been exported with its private key into a .pfx file from another site, you can import that certificate into the machine’s certificate store and assign it to the virtual SMTP server.
Copy or Move a certificate from a remote server to this site
If you have another server with the same certificate, and you want to use that same certificate on this virtual SMTP server, then select this option. The server should be located somewhere on the internal network.
We do not have a certificate for this virtual SMTP server, so we must request a new certificate. Select the Create a new certificate option and click Next.
5. Select the Send the request immediately to an online certificate authority option on the Delayed or Immediate Request page (figure 5). This allows the Wizard to automatically forward the request to the enterprise CA on the internal network. The Prepare the request now, but send it later option creates a text file that you can submit to any CA and obtain a certificate. You must then manually install the certificate after you receive it. Click Next.
6. Type in a “friendly name” in the Name text box on the Name and Security Settings page (figure 6). This is a descriptive name only and does not affect the functionality of the certificate. Choose a bit length for the encryption key. The longer the bit length, the more processor intensive the encryption process will be. The default value of 1024 is reasonably secure. Click Next.
7. Type an Organization and Organizational unit name in the text boxes provided on the Organizational Information page (figure 7). Click Next.
8. The Your Site’s Common Name page is very important and the correct Common name must be entered into the text box (figure 8). The common name is the name the client application uses to connect to the site. For example, if the common name on the certificate is smtpauth.internal.net, then the client must connect to the service using this name.
In addition, this name must resolve to the IP address listening for the service using this certificate. In our current example, the SMTP service is listening on 184.108.40.206. The fully qualified domain name smtpauth.internal.net must resolve to 220.127.116.11 so that the client can send the request to the correct IP address the virtual SMTP server is listening on.
Note that the client software must be configured to use the FQDN of the service and not the IP address. The client needs to match the name on the certificate the service presents to it with the name you configured the client to connect to. You will see an error message on the client if these names do not match.
Enter the correct FQDN in the Common name text box and click Next.
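The following PowerShell script is an added example, not part of the deployment kit, that checks step 8’s requirements from the client side once the certificate is bound. It resolves the FQDN the client is configured with, opens an SMTP session to the virtual SMTP server, negotiates STARTTLS (the way SMTP on port 25 moves to TLS) and then reports whether the presented certificate’s name matches that FQDN and whether the issuing CA is trusted on this client, which are the two conditions under which the client shows no certificate error. The hostname smtpauth.internal.net is the one used in the text; the EHLO name client.example.invalid is a constructed placeholder; the function names are ours.

```powershell
# Added example (not from the deployment kit): verify name resolution, the
# certificate name match and CA trust for an SMTP virtual server over STARTTLS.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # An SMTP reply may span several lines: continuation lines carry '-' after
    # the three-digit code, the final line carries a space.
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # the name the mail client is configured with
        [int]$Port = 25
    )

    # Step 8 requirement: the FQDN must resolve to the address the service
    # listens on. Compare the result with the virtual server's bound address.
    $resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) |
        ForEach-Object { $_.IPAddressToString }

    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner -notmatch '^220') { throw "Unexpected SMTP banner: $banner" }
        $writer.WriteLine('EHLO client.example.invalid')   # constructed client name
        $ehlo = Read-SmtpReply $reader
        if ($ehlo -notmatch '^250') { throw "EHLO rejected: $ehlo" }
        $writer.WriteLine('STARTTLS')
        $ready = Read-SmtpReply $reader
        if ($ready -notmatch '^220') { throw "Server did not accept STARTTLS: $ready" }

        # Capture the certificate and the policy result instead of letting the
        # handshake fail, so a name mismatch and a trust problem are reported
        # together rather than one hiding the other.
        $script:PresentedCert = $null
        $script:PolicyErrors  = [System.Net.Security.SslPolicyErrors]::None
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:PresentedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
            $script:PolicyErrors  = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)   # validates the certificate against $Fqdn

        $cert   = $script:PresentedCert
        $errors = $script:PolicyErrors
        [pscustomobject]@{
            Fqdn          = $Fqdn
            ResolvesTo    = ($resolved -join ', ')
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            # The Common name (or a Subject Alternative Name) must equal $Fqdn.
            NameMatches   = -not $errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            # The issuing CA's root must be in this client's Trusted Root
            # Certification Authorities store.
            IssuerTrusted = -not $errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

Test-SmtpServerCertificate -Fqdn 'smtpauth.internal.net' | Format-List
```

Run it from a workstation that represents the mail clients, not from the server itself: CA trust is evaluated against the store of the machine running the check, so a result of IssuerTrusted = False on a client is exactly the missing Root CA certificate described in the requirements above, even though the same check would pass on the server.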
9. Type in a State/province and City/locality on the Geographical Information page (figure 9). Use the drop-down list box to select a Country/Region. Click Next.
10. Your enterprise CA will appear in the Certificate authorities drop-down list box on the Choose a Certificate Authority page (figure 10). If you have more than a single enterprise CA on the network, you can choose one of them from the list. In this example we have a single enterprise CA, so we will go with the default. Click Next.