How to Obtain a Web Site Certificate

 

You can secure communications between an email client and many of the Exchange Server or IIS services using SSL/TLS encryption. Mail-related services that can be secured include:

 

 

Secure communications protect both user credentials and data moving through the secure channel. There are two basic requirements that must be met before you can secure data using SSL/TLS encryption between the email client and mail-related service:

 

 

You can obtain a Web site certificate using one of two methods:

 

·         Make a request to an online Certificate Authority (CA)

 

You can make an online request to an enterprise CA if the site is a member of the same domain as the CA. The Certificate Request Wizard will automatically send the request to the online enterprise CA and the enterprise CA will immediately issue the certificate. The Certificate Request Wizard then installs the certificate for you. The certificate is stored in the Personal\Certificates node in the machine account’s certificate store.

 

Note:
The certificate is not stored in the logged-on user's account. This is one of the most common errors administrators run into when managing certificates: the machine uses the certificate to identify itself to users and machines that request identification, so the certificate must live in the machine account's store.

 

·         Make an offline request

 

If you do not have an enterprise CA, you can use an offline request. You need to use an offline request if the server requesting the certificate does not belong to the same domain as an enterprise CA or does not trust that domain, if you are using a standalone CA, or if you obtain a certificate from a commercial third party certificate provider.

 

The offline request is saved as a file and submitted to the enterprise CA in the domain that is not trusted, to the standalone CA, or to the third party certificate provider. The CA issues a certificate and then you manually install the certificate into the machine store and bind it to the Exchange service that you want to secure using SSL/TLS.

 

 

The remainder of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document covers detailed procedures for obtaining Web site certificates via online and offline requests.

 


Obtaining a Web Certificate from an Online Certificate Authority (CA) – Microsoft Enterprise CA

 

The Web site certificate can be bound to any IIS or Exchange Server service that supports SSL/TLS encryption. In the following example we will request a Web site certificate for the IIS SMTP service. You use the same procedures when obtaining a certificate for any other IIS or Exchange mail service (NNTP, SMTP, IMAP4 and POP3). The only difference is that you access the Certificate Request Wizard from a different service’s Properties dialog box.

 

The following procedure describes how to submit a request to an online certification authority. The online certificate authority is an enterprise CA belonging to the same domain as the machine requesting the certificate, or a domain that the machine trusts.

 

When the certificate request completes, a Web site certificate is placed into the machine’s Personal\Certificates certificate store and the certificate is bound to the Web site. Any certificate located in the machine’s Personal\Certificates certificate store that is able to provide server authentication can be bound to the IIS or Exchange service.

 

Perform the following steps to create the online request and install the certificate:

 

1.       In the Internet Information Services (IIS) Manager console, right click on the service you want to obtain the certificate for and click the Properties command (figure 1).

 

Figure 1

 

 


2.       In the service’s Properties dialog box, click on the Access tab. On the Access tab, click on the Certificate button in the Secure communication frame (figure 2).

 

Figure 2

 

 


3.       Read the information on the Welcome to the Web Server Certificate Wizard page and click Next (figure 3).

 

Figure 3

 

 


4.       On the Server Certificate page, select the option that fits your requirements (figure 4). You have the following options:

 

Create a new certificate

This allows you to request a new certificate for the SMTP virtual server. If you do not already have a certificate, then this is the option you should select.

Assign an existing certificate

If you already have a certificate for this virtual server, then you can bind the certificate to the SMTP virtual server using this option. The certificate must already be installed in the machine’s certificate store.

Import a certificate from a Key Manager backup file

If you have a certificate from an IIS 4.0 site, you can import the certificate from a Key Manager backup file using this option.

Import a certificate from a .pfx file

If you have a certificate that has been exported with its private key into a .pfx file from another site, you can import that certificate into the machine’s certificate store and assign it to the virtual SMTP server.

Copy or Move a certificate from a remote server to this site

If you have another server with the same certificate, and you want to use that same certificate on this virtual SMTP server, then select this option. The server should be located somewhere on the internal network.

 

We do not have a certificate for this virtual SMTP server, so we must request a new certificate. Select the Create a new certificate option and click Next.

 

Figure 4

 

 


5.       Select the Send the request immediately to an online certificate authority option on the Delayed or Immediate Request page (figure 5). This allows the Wizard to automatically forward the request to the enterprise CA on the internal network. The Prepare the request now, but send it later option creates a text file that you can submit to any CA and obtain a certificate. You must then manually install the certificate after you receive it. Click Next.

 

Figure 5

 

 


6.       Type in a “friendly name” in the Name text box on the Name and Security Settings page (figure 6). This is a descriptive name only and does not affect the functionality of the certificate. Choose a bit length for the encryption key. The longer the bit length, the more processor intensive the encryption process will be. The default value of 1024 is reasonably secure. Click Next.

 

Figure 6

 

 


7.       Type an Organization and Organizational unit name in the text boxes provided on the Organizational Information page (figure 7). Click Next.

 

Figure 7

 


8.       The Your Site’s Common Name page is very important and the correct Common name must be entered into the text box (figure 8). The common name is the name the client application uses to connect to the site. For example, if the common name on the certificate is smtpauth.internal.net, then the client must connect to the service using this name.

 

In addition, this name must resolve to the IP address on which the service using this certificate is listening. In our current example, the SMTP service is listening on 131.107.0.3. The fully qualified domain name smtpauth.internal.net must resolve to 131.107.0.3 so that the client sends the request to the IP address the virtual SMTP server is actually listening on.

 

Note that the client software must be configured to use the FQDN of the service and not the IP address. The client needs to match the name on the certificate the service presents to it with the name you configured the client to connect to. You will see an error message on the client if these names do not match.

 

Enter the correct FQDN in the Common name text box and click Next.

 

Figure 8

 


9.       Type in a State/province and City/locality on the Geographical Information page (figure 9). Use the drop down list box to select a Country/Region. Click Next.

 

Figure 9

 


10.   Your enterprise CA will appear in the Certificate authorities drop down list box on the Choose a Certificate Authority page (figure 10). If you have more than a single enterprise CA on the network, you can choose one of them from the list. In this example we have a single enterprise CA, so we will go with the default. Click Next.

 

Figure 10

 

 


11.   Review the information on the Certificate Request Submission page (figure 11). Confirm that the Common Name (listed as the Issued To entry on this page) matches the name users will use to access this virtual SMTP server. Click Next.

 

Figure 11

 

 


12.   Click Finish on the Completing the Web Server Certificate Wizard page (figure 12).

 

Figure 12

 

The service now has a server certificate bound to it and can be configured to use TLS to protect credentials and data between itself and the mail or Web client.

 

 

 


Obtaining a Web Site Certificate from an Offline CA

 

If you do not have an enterprise CA online, or if you prefer to use a third party CA to provide your server certificate, then you can create an offline request and submit that request to either a standalone Microsoft Certificate Server or to a third party certificate provider.

 

1.       Open the Internet Services Manager and right click on the service you want to bind the certificate to (figure 13). Click on the Properties command.

 

Figure 13

 


2.       In the service’s Properties dialog box, click on the Access tab. On the Access tab, click on the Certificate button in the Secure communication frame (figure 14).

 

Figure 14

 


3.       Read the information on the Welcome to the Web Server Certificate Wizard page and click Next (figure 15).

 

Figure 15

 


4.       On the Server Certificate page, select the option that fits your requirements (figure 16). You have the following options:

Create a new certificate

This allows you to request a new certificate for the SMTP virtual server. If you do not already have a certificate, then this is the option you should select.

Assign an existing certificate

If you already have a certificate for this virtual server, then you can bind the certificate to the SMTP virtual server using this option. The certificate must already be installed in the machine’s certificate store.

Import a certificate from a Key Manager backup file

If you have a certificate from an IIS 4.0 site, you can import the certificate from a Key Manager backup file using this option.

Import a certificate from a .pfx file

If you have a certificate that has been exported with its private key into a .pfx file from another site, you can import that certificate into the machine’s certificate store and assign it to the virtual SMTP server.

Copy or Move a certificate from a remote server to this site

If you have another server with the same certificate, and you want to use that same certificate on this virtual SMTP server, then select this option. The server should be located somewhere on the internal network.

 

We do not have a certificate for this virtual SMTP server, so we must request a new certificate. Select the Create a new certificate option and click Next.

 

Figure 16

 


5.       Select the Prepare the request now, but send it later option (figure 17). This option allows you to configure the certificate parameters and save them in a text file. The contents of the text file can then be submitted to your standalone CA or a third party certificate provider. Click Next.

 

Figure 17

 


6.       Type in a “friendly name” in the Name text box on the Name and Security Settings page (figure 18). This is a descriptive name only and does not affect the functionality of the certificate. Choose a bit length for the encryption key. The longer the bit length, the more processor intensive the encryption process will be. The default value of 1024 is reasonably secure. Click Next.

 

Figure 18

 


7.       Type an Organization and Organizational unit name in the text boxes provided on the Organizational Information page (figure 19). Click Next.

 

Figure 19

 


8.       The Your Site’s Common Name page is very important and the correct Common name must be entered into the text box (figure 20). The common name is the name the client application uses to connect to the site. For example, if the common name on the certificate is smtpauth.internal.net, then the client must connect to the service using this name.

 

In addition, this name must resolve to the IP address on which the service using this certificate is listening. In our current example, the SMTP service is listening on 131.107.0.3. The fully qualified domain name smtpauth.internal.net must resolve to 131.107.0.3 so that the client sends the request to the IP address the virtual SMTP server is actually listening on.

 

Note that the client software must be configured to use the FQDN of the service and not the IP address. The client needs to match the name on the certificate the service presents to it with the name you configured the client to connect to. You will see an error message on the client if these names do not match.

 

Enter the correct FQDN in the Common name text box and click Next.

 

Figure 20

 


9.       Type in a State/province and City/locality on the Geographical Information page (figure 21). Use the drop down list box to select a Country/Region. Click Next.

 

Figure 21

 


10.   On the Certificate Request File Name page (figure 22), you can type in a file name and path for the certificate request or accept the default. The default location and name is c:\certreq.txt. You will need to access the contents of this file to submit your certificate request to a CA. Click Next.

 

Figure 22

 


11.   Review the information on the Request File Summary page (figure 23), then click Next.

 

Figure 23

 


12.   Click Finish on the Completing the Web Server Certificate Wizard page (figure 24).

 

Figure 24

 


13.   Click OK in the service’s Properties dialog box (figure 25).

 

Figure 25

 

 

The next step is to submit the certificate request to a certification authority. If you are using a Windows 2000 or Windows Server 2003 standalone or enterprise Certificate Server, then you can submit the certificate request via the CA’s Web enrollment site. The procedure is similar when you submit the request to a third party certificate provider. The common element to the procedure is to copy the text in the certificate request file to the Web enrollment site of the provider.

 


Perform the following steps to submit the certificate request to a Microsoft Certificate Server Web enrollment site:

 

1.       Open Internet Explorer and type in the URL http://<address_of_CA>/certsrv and press ENTER. The address of the CA can be an IP address, server name, or FQDN. In this example (figure 26) we use the IP address of the CA on the internal network. The CA will ask for credentials. Enter your credentials and click OK.

 

Figure 26

 


2.       If you are making the request from Internet Explorer on a Windows Server 2003 machine, you will be presented with an Internet Explorer dialog box warning you that Internet Explorer Enhanced Security Configuration has blocked the site. Click the Add button (figure 27).

 

Figure 27

 


3.       In the Trusted sites dialog box (figure 28), click the Add button to add the Certificate Server site to the list of trusted sites. Click Close.

 

Figure 28

 


4.       On the Microsoft Certificate Services page, click the Request a certificate link (figure 29).

 

Figure 29

 


5.       On the Request a Certificate page, click the advanced certificate request link (figure 30).

 

Figure 30

 


6.       On the Advanced Certificate Request page (figure 31), click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.

 

Figure 31

 


7.       You can paste the contents of the certificate request file into the Saved Request text box on the Submit a Certificate Request or Renewal Request page (figure 32). Note that you cannot use the Browse for a file to insert link to insert the request, because the default security settings of the browser will not allow you to do so.

 

Figure 32

 


8.       Open the certificate request file and press CTRL+A to select the entire contents of the file (figure 33). Press CTRL+C or right click on the selected region and click the Copy command to copy the contents of the file onto the Windows clipboard.

 

Figure 33

 


9.       Return to the Submit a Certificate Request or Renewal Request Web page. Position the insertion point at the top left of the text box on the page (figure 34). Press CTRL+V or right click at the insertion point and click the Paste command.

 

Figure 34

 


10.   The contents of the certificate request file are entered into the request text box (figure 35). Click the down arrow for the Certificate Template drop down list and select the Web Server certificate template. Click Submit.

 

Figure 35

 


11.   Click Yes on the Internet Explorer dialog box that warns you that you’re sending unencrypted data over the network (figure 36).

 

Figure 36

 


12.   On the Certificate Issued page (figure 37), click the Download Certificate Chain link. Click Save on the File Download dialog box.

 

Figure 37

 


13.   Save the file to a location on the local hard disk (figure 38).

 

Figure 38

 


14.   Click the Close button on the Download Complete dialog box after saving the certificate to the local hard disk (figure 39).

 

Figure 39

 

 


Downloading the certificate chain provides you with both the Web site certificate you requested and the CA certificate. You can place the CA certificate into the Trusted Root Certification Authorities certificate store if it is not already in place.

 

The final step is to bind the certificate to the service. Perform the following steps to bind the Web site certificate to the service you want to secure:

 

1.       Open the Internet Information Services (IIS) Manager console, right click on the service you want to bind the certificate to, and click the Properties command (figure 40).

 

Figure 40

 


2.       Click on the Access tab on the service’s Properties dialog box (figure 41). Click the Certificate button in the Secure communication frame.

 

Figure 41

 


3.       Click Next on the Welcome to the Web Server Certificate Wizard page (figure 42).

 

Figure 42

 


4.       On the Pending Certificate Request page (figure 43), select the Process the pending request and install the certificate option. Click Next.

 

Figure 43

 


5.       On the Process a Pending Request page, use the Browse button to locate and select the Web site certificate you requested. The path and name of the certificate will appear in the Path and file name text box (figure 44). Click Next.

 

Figure 44

 


6.       Review the information regarding the certificate on the Certificate Summary page (figure 45). Then click Next.

 

Figure 45

 


7.       Click Finish on the Completing the Web Server Certificate Wizard page (figure 46).

 

Figure 46

 


8.       Click OK on the service’s Properties page (figure 47).

 

Figure 47

 

 

Restart the service. Properly configured clients will now be able to establish SSL/TLS secured connections with the service.
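The following client-side check is an added example and is not part of the deployment kit. It verifies from a mail client's point of view the requirements the Common Name step states and this closing sentence relies on: the name on the certificate the service presents must equal the FQDN the client is configured with, that FQDN must resolve to the IP address the virtual server listens on, and the STARTTLS handshake must succeed. The sample certificate dictionary and the smtpauth.internal.net / 131.107.0.3 values are constructed from the document's own example; the live check needs network access to the server and a client that trusts the issuing CA.

```python
"""Client-side check of the certificate an SMTP virtual server presents.
Added example, not part of the deployment kit: verifies the Common Name
requirements (name on certificate == client FQDN, FQDN -> listening IP, TLS ok).
"""
import socket
import ssl
import smtplib

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output, using the
# document's example name; the wizard places only a subject CN on the certificate.
SAMPLE_CERT = {"subject": ((("organizationName", "Internal"),),
                           (("commonName", "smtpauth.internal.net"),))}


def names_on_certificate(cert):
    """DNS names the certificate is valid for: SANs if present, else subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(cert, fqdn):
    """True if the name the client connects with is on the certificate.
    An IP address never matches: clients must be configured with the FQDN."""
    fqdn = fqdn.lower().rstrip(".")
    for name in names_on_certificate(cert):
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        # A single leading wildcard label covers exactly one label.
        if (name.startswith("*.") and fqdn.count(".") == name.count(".")
                and fqdn.endswith(name[1:])):
            return True
    return False


def resolves_to(fqdn, expected_ip, resolver=socket.gethostbyname_ex):
    """True if the FQDN resolves to the IP address the virtual server listens on."""
    _, _, addrs = resolver(fqdn)
    return expected_ip in addrs


def check_smtp_tls(fqdn, expected_ip, port=25):
    """Live check (needs network): resolve, connect, STARTTLS, compare names."""
    if not resolves_to(fqdn, expected_ip):
        return False, "FQDN does not resolve to the listening IP address"
    ctx = ssl.create_default_context()  # verifies the chain (CA must be trusted) and host name
    with smtplib.SMTP(fqdn, port, timeout=10) as smtp:
        try:
            smtp.starttls(context=ctx)  # sends EHLO first if needed
        except (ssl.SSLError, smtplib.SMTPException) as exc:
            return False, f"STARTTLS failed: {exc}"
        cert = smtp.sock.getpeercert()
    ok = name_matches(cert, fqdn)
    return ok, "certificate name matches" if ok else "certificate name mismatch"
```

Run check_smtp_tls("smtpauth.internal.net", "131.107.0.3") from a client machine after the service restart; a name mismatch or untrusted CA shows up as a failed STARTTLS rather than a silent fallback to plaintext.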