How do I install an SSL Certificate into Microsoft Exchange 2007?
This tutorial is given in 3 parts. All parts must be completed, but you may find that Part I and/or Part II is already complete, depending on your security settings and the version of your Windows Server. If the certificate installation is a renewal of an existing QuoVadis certificate, you may not need to do Parts I and II, as you should already have the certificates. The intermediate files must also be installed to ensure that some browsers do not show a certificate error.
Part I - Installing the Intermediate (chaining) Certificates
Part I explains how to install the required intermediate files. QuoVadis uses various intermediate certificates that must be installed on the server to prevent errors in certain browsers. Go through these steps to check; if the intermediate certificates are not installed, obtain them and follow the rest of Part I. These files should have been included in the email that was sent with the certificate. If not, they have been included in this knowledge base article.
First you must open the Microsoft Management Console.
The Console1 window will appear.
In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.
You should be back in the Console1 window. You will see that Certificates (Local Computer) has been added in the left-hand pane.
In the right-hand pane, you should see a list of certificates. Verify that the QuoVadis Global SSL ICA G2 certificate is in this list. If you do have this certificate in the Intermediate Certification Authorities store, then you can skip to Part II. If you do not, then the next steps will guide you through the process of installing this file.
You should get a message that reads, "The import was successful."
Part II - Installing the Root Certificates
Generally, your Windows Server should have the QuoVadis Root certificates installed; however, there have been cases where they were not. When you install the SSL certificate, if the root certificate is not present, the system will prompt you to trust it, which will also install it. For Part II, you will be installing the QuoVadis Root Certification Authority and the QuoVadis Root CA 2, which expires in 2031. Part II assumes that you currently have the Microsoft Management Console open. If you do not, you can find the instructions in Part I of this guide, steps 1-9.
- Click on the "+" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).
In the right-hand pane, you should see a list of certificates. Click on any certificate that you see and press the letter "Q" on your keyboard to fast-track to the QuoVadis root certificates. Verify that the QuoVadis Root CA 2 certificate is in this list. If you see the QuoVadis Root CA 2 certificate, please make sure that the expiry date of this certificate is 2031 and not 2017. If the certificate is present, then your website should not show any trust errors and you can skip to Part III. If you do not see this certificate in the Trusted Root Certification Authorities store, then the next steps will guide you through the process of installing this file.
You should get a message that reads, "The import was successful."
Part III - Installing the Certificate
Part III explains how to install the SSL certificate. Installing the SSL certificate will be done using the Microsoft Exchange Management Shell tool.
- Place the certificate that you receive from QuoVadis directly in the root of the C: drive. Note: You can put the certificate file in a location other than the root of the C: drive; however, the "Import Certificate Command" will then differ from what is displayed in this article.
Import-ExchangeCertificate -Path C:\<certificate_file>.cer
Note: If you put the certificate file in another directory, then you will have to specify the exact location and certificate file after the -Path string.
Get-ExchangeCertificate -DomainName "<mail.domain.com>"
Note: Please change the <mail.domain.com> directive to the Common Name (or URL) of the certificate you just installed.
Enable-ExchangeCertificate -ThumbPrint <certificate-thumbprint> -services "SMTP, IMAP, POP, IIS"
Note: The services shown in the example above are the ones most frequently used. You can remove any service that you do not want to enable this certificate for. The services that you can choose from are IMAP, POP, UM, IIS, and SMTP.
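The store checks from Parts I and II and the import from Part III can also be run as one script in the Exchange Management Shell. This is an added example, not part of the original QuoVadis article: the variable names and the chain-build check before enabling are additions made here, and the two placeholder values must be replaced with your own.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholders from the article; replace both before running.
$CertPath   = 'C:\<certificate_file>.cer'
$CommonName = '<mail.domain.com>'

# Parts I and II: confirm the chain certificates are in the Local Computer stores.
#   Cert:\LocalMachine\CA   = Intermediate Certification Authorities
#   Cert:\LocalMachine\Root = Trusted Root Certification Authorities
$ica = Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like '*QuoVadis Global SSL ICA G2*' }
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*QuoVadis Root CA 2*' -and $_.NotAfter.Year -eq 2031 }

if (-not $ica)  { throw 'QuoVadis Global SSL ICA G2 is not in the Intermediate store (see Part I).' }
if (-not $root) { throw 'QuoVadis Root CA 2 expiring in 2031 is not in the Trusted Root store (see Part II).' }

# Part III: import the certificate and take the thumbprint from the returned object
# instead of copying it by hand.
$imported = Import-ExchangeCertificate -Path $CertPath
$thumb    = $imported.Thumbprint

# Added check: make sure Windows can build a chain from the new certificate
# through the installed intermediate to the root before any service uses it.
$cert  = Get-Item ("Cert:\LocalMachine\My\" + $thumb)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# This tests the installed stores only; revocation is deliberately not checked here.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain did not build for $thumb; the certificate was not enabled."
}
# List the chain that was built, leaf first.
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

# Enable the certificate for the services named in the article, then confirm.
Enable-ExchangeCertificate -Thumbprint $thumb -Services "SMTP, IMAP, POP, IIS"
Get-ExchangeCertificate -DomainName $CommonName |
    Format-List Thumbprint, Subject, NotAfter, Services
```

The final Get-ExchangeCertificate output should list the new thumbprint with the enabled services in its Services field.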
OCSP Stapling Support
Although optional, it is highly recommended to enable OCSP Stapling, which will improve the SSL handshake speed of your website.
Windows Server 2008 automatically utilizes OCSP Stapling by default. No additional configuration is required.
Article ID: 91, Created On: 01.02.2010, Modified: 11.04.2014