
Screencast: How to Generate and Install Self-Signed Multiple Domain (UCC) Certificate in Exchange 2010

The self-signed certificate which is generated during Exchange 2010 setup has several major flaws:
- It uses the short NetBIOS name of the Exchange Client Access server as the Common Name (CN). (Fig. 1: Exchange 2010 default certificate uses the NetBIOS name as Common Name)
- It includes only the Exchange NetBIOS name and internal FQDN (Fully Qualified Domain Name) as Subject Alternative Names (SAN). (Fig. 2: Includes only NetBIOS name and internal FQDN as SAN)
- It is not trusted by the clients.

This mainly affects remote clients: installing the certificate in their Trusted Root Certification Authorities store does not resolve the problem, because the Exchange 2010 external host name is not included as a SAN. As a result:
– Remote clients get a security warning when accessing Outlook Web App (OWA).
– Outlook Anywhere does not work.

This certificate is considered a temporary solution, and it is recommended to replace it as soon as possible. We have already demonstrated how to install a GoDaddy Multiple Domain/UCC SSL certificate and how to renew an expired one in Exchange 2010. Buying a commercial multiple domain certificate doesn’t make a lot of sense when you are configuring a test network or if you have just a handful of remote clients.

In this Screencast, we will demonstrate how to generate and install a self-signed Multiple Domain SSL certificate in Exchange 2010. The Self-signed certificate issues discussed above will be addressed by:
– Configuring the Exchange 2010 external host name as the Common Name. (Fig. 3: Uses the Exchange external host name as Common Name)
– Adding the required Subject Alternative Names (e.g. autodiscover.yourdomain.com). (Fig. 4: Includes the SANs that we need)
– Creating a Group Policy and adding the certificate as a trusted root certificate to all domain clients.
– Publishing the Self-signed Multiple Domain Certificate with its public key on the Web server running Exchange OWA, where remote clients are able to download it and install it in their local certificate store.

Even if you have a commercial UCC which is about to expire or has already expired (as in our demo), you can consider installing a self-signed one as a temporary (or permanent – depending on your configuration) solution.
For your convenience, we have published the text file with the commands which we are using in the Screencast here.

Step 1: In this step, we take a look at our expired commercial UCC and at the self-signed certificate generated by Exchange 2010. Then, we generate a new self-signed Multiple Domain Exchange certificate.

Step 2: We export the generated UCC with the public key and create a Group Policy to add it as a trusted certificate to all domain clients.

Step 3: In the last step, we publish the exported certificate with its public key to the web server running OWA. Then we download and install the self-signed multiple domain certificate on a remote client. Finally, we test the certificate with OWA and Outlook Anywhere.
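The Exchange Management Shell commands that carry out the generation and export steps above, as an added example (not the screencast's own command file): the host names, the internal server names and the publishing path are placeholders you would replace with your own.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 Client Access server.
# All host names and paths below are assumed placeholder values.
$externalHost = "mail.yourdomain.com"                  # assumed external host name (OWA / Outlook Anywhere)
$sans = @("mail.yourdomain.com",
          "autodiscover.yourdomain.com",                # needed for Autodiscover
          "EX2010CAS",                                  # assumed internal NetBIOS name
          "ex2010cas.corp.local")                       # assumed internal FQDN
$cerPath = "C:\inetpub\wwwroot\NetoMeter-UCC.cer"       # assumed publishing location on the OWA web server

# Step 1: generate the self-signed UCC with the external host name as CN and the
# required SANs. The private key stays exportable so the certificate can be moved
# to another server later.
$cert = New-ExchangeCertificate -FriendlyName "Self-signed UCC $externalHost" `
    -SubjectName "CN=$externalHost" `
    -DomainName $sans `
    -PrivateKeyExportable $true

# Bind the new certificate to IIS (OWA, Outlook Anywhere, Autodiscover) and SMTP.
# The old certificate stays in the store; it is only unbound from these services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# Check what was issued: CN, SAN list, bound services, expiry and self-signed flag.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# Step 2: export only the public portion (DER-encoded .cer, no private key) for the
# Group Policy and for publishing. The live object is taken from the machine store
# because Get-ExchangeCertificate returns a deserialized object over remote
# PowerShell and therefore has no Export() method.
$liveCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$der = $liveCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# Step 3: on a remote (non-domain) client, import the downloaded .cer into the
# machine-wide Trusted Root store from an elevated prompt. Domain clients receive
# it through the Group Policy instead.
#   certutil -addstore -f Root C:\Downloads\NetoMeter-UCC.cer
```

Because only the public certificate is exported, the file can be published on the OWA web server without exposing the private key; the .pfx with the private key should never be placed there.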

©2024 NetoMeter. All Rights Reserved.