
CSR creation for Exchange 2010

Background

Microsoft recommends that all communication with Exchange 2010 be secured by SSL. By default Exchange ships with a self-signed certificate, which provides encryption but does not provide trust. In this default configuration communication is not secure, because it is susceptible to man-in-the-middle attacks. For this reason web browsers and email clients will refuse to connect, or display certificate error messages, when communicating with Exchange in this default configuration.

To get full security, the self-signed certificate has to be replaced by a certificate signed by a trusted CA. Since Exchange provides services on several Domain Names, you need a SAN certificate; SAN certificates can secure several domain names whilst ordinary certificates will secure only a single domain name.

CSR Creation Process

You will need a complete list of Domain Names or SANs (Subject Alternative Names) that need securing to create the CSR and order the certificate. These are the domain names that will be used to access Exchange services. Check the following to make sure you have a complete list:

  • The external and/or internal Domain Name for Outlook Web Access
  • The external and/or internal Domain Name for Exchange ActiveSync
  • The external and/or internal Domain Name for Autodiscover, Outlook Anywhere, Web Services
  • The external and/or internal Domain Name for POP, IMAP
  • The external and/or internal Domain Name for the Unified Messaging Server
  • The external and/or internal Domain Name for the Hub Transport Server
  • The external and/or internal Domain Name for Federation Sharing

Note that all domain names must be Fully Qualified Domain Names (FQDN) and that subdomains are not automatically secured.

With Exchange 2010 the CSR generation command (New-ExchangeCertificate -GenerateRequest) can only output the CSR text and cannot save the CSR directly into a file. Use the two commands below to ensure you have a copy of the CSR saved in a file:

# Capture the CSR text in a variable; "ou=" is the organizational unit (the original "or=" is not a valid DN attribute)
[PS] C:\>$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=GB, s=My State, l=My city, o=My organization, ou=Provided by SSL247, cn=www.mydomain.co.uk" -DomainName SAN1, SAN2, SAN3, server.local, autodiscover.mydomain.co.uk, sub-domains.mydomain.co.uk -PrivateKeyExportable:$True
# Write the captured CSR to a file (Set-Content writes plain ASCII, which is what the CA order form expects)
[PS] C:\>Set-Content -Path "c:\my_domain_co.uk.txt" -Value $Data
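The following script is an added example and is not SSL247's or Microsoft's code. It carries the whole procedure through in the Exchange Management Shell: it validates the name checklist (every entry must be an FQDN, the CN must also appear in the SAN list, duplicates are dropped), generates the request with the same New-ExchangeCertificate parameters as above, saves it with Set-Content, and then decodes the saved PKCS#10 file with certutil to confirm every expected name actually made it into the Subject Alternative Name extension before the CSR is pasted into an order form. The host names, subject values and output path are placeholders; certutil is assumed to be available, as it is on every Windows server.

```powershell
# Added example, not the original article's code. Run in the Exchange Management Shell
# on the Exchange 2010 server that will own the private key. All host names below
# are placeholders; replace them with the FQDNs from the checklist above.

$PrimaryName = 'mail.example.com'               # placeholder: CN and first SAN
$SanNames = @(
    'mail.example.com',                         # OWA / ActiveSync / Outlook Anywhere
    'autodiscover.example.com',                 # Autodiscover
    'exch01.corp.example.local'                 # internal server FQDN
)
$RequestFile = 'C:\csr\mail_example_com.txt'   # placeholder output path

# 1. Sanity-check the name list before ordering: every entry must be a fully
#    qualified name (at least one dot, valid label characters), the CN must also
#    appear in the SAN list, and duplicates are removed.
$fqdnPattern = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
$names = (@($PrimaryName) + $SanNames) |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Select-Object -Unique
$bad = $names | Where-Object { $_ -notmatch $fqdnPattern }
if ($bad) { throw "Not fully qualified or malformed: $($bad -join ', ')" }

# 2. Generate the request. Exchange 2010 only returns the PEM text, so capture it.
$subject = "c=GB, s=My State, l=My City, o=My Organization, ou=IT, cn=$PrimaryName"
$csr = New-ExchangeCertificate -GenerateRequest `
    -KeySize 2048 `
    -SubjectName $subject `
    -DomainName $names `
    -PrivateKeyExportable $true

# 3. Save it. Set-Content writes ASCII by default in Windows PowerShell, which is
#    what the CA expects; Out-File would default to UTF-16 and the pasted or
#    uploaded CSR would then fail to decode on the CA side.
New-Item -ItemType Directory -Force -Path (Split-Path $RequestFile) | Out-Null
Set-Content -Path $RequestFile -Value $csr

# 4. Verify what is about to be submitted: decode the PKCS#10 request with certutil
#    and confirm each expected name is present in the Subject Alternative Name extension.
$dump = certutil -dump $RequestFile | Out-String
$missing = $names | Where-Object { $dump -notmatch [regex]::Escape($_) }
if ($missing) {
    Write-Warning "CSR is missing names: $($missing -join ', ')"
} else {
    Write-Host "CSR saved to $RequestFile with $($names.Count) names; paste its contents into the order form."
}

# The matching private key is now held by this server as a pending request; the
# issued certificate must be completed on this same server with Import-ExchangeCertificate.
```

Keeping step 1 separate from step 2 matters because New-ExchangeCertificate will happily emit a request for a short name such as "server" or a name with a typo, and the cost of that mistake only becomes visible after the certificate has been issued. Step 4 is the check to run whenever a CSR has been edited or copied between machines: the decoded dump shows the exact DNS names the CA will sign, not the ones you intended to type.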

Once you have created the CSR, you are ready to place the order on the SSL247 website. During the order process you will need to copy and paste the CSR into the order form.
