I need help generating a CSR for a Subject Alternative Name (SAN) SSL certificate to protect a new Exchange 2007 server. My main requirements are that Outlook Anywhere and OWA must work without any errors or warnings. It would be nice if the Outlook Anywhere Autodiscover service worked for Outlook 2007 clients as well.

I know there are many examples of the proper syntax for generating the CSR, but most examples assume that your Windows domain is named the same as your web domain. Here is what I think are the relevant pieces of information:

  • Internal Windows domain name: internalDomain.local
  • External web domain: externalDomain.com
  • Exchange Server computer name: Ex2k7
  • I would like to use 2048 bit SSL, unless there is a reason to use 1024
  • Exchange 2007 is running on a Server 2008 box

My remote clients will connect to my new Exchange server at mail.externalDomain.com.

My certificate was purchased from GoDaddy, and it works for OWA, but Outlook Anywhere is broken. If somebody could help me with the correct syntax for generating a CSR for my situation I would like to rekey my certificate.

Kyle Noland

2 Answers


This is the correct syntax to use in the Exchange Management Shell for Exchange 2007 running on Server 2008. This command assumes that your Windows domain and web domain are not the same. If they are the same, you don't need to list as many Subject Alternative Names.

New-ExchangeCertificate -GenerateRequest -Path c:\cert.csr -KeySize 2048 -SubjectName "c=Whois Country, s=Whois State, l=Whois City, o=Whois Organization Name, cn=mail.externaldomain.com" -DomainName exchangeServerName, exchangeServerName.internalDomain.local, autodiscover.externalDomain.com, autodiscover.internalDomain.local -PrivateKeyExportable $True

Kyle Noland

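As an added example, not part of the original answer, the same request written out with the names from the question (Ex2k7, internalDomain.local, externalDomain.com), followed by the Exchange Management Shell steps that are usually run once GoDaddy returns the signed certificate. The subject fields (country, state, city, organization) and the file paths are placeholders. mail.externalDomain.com is listed in -DomainName as well as in the CN because it is the name every remote client connects to, so it needs to be in the SAN list, not only in the subject.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Exchange 2007 server. Names below come from the question; subject fields
# and paths are placeholders to be replaced.
$server   = "Ex2k7"
$internal = "internalDomain.local"
$external = "externalDomain.com"

# Every name a client may use to reach this server. The public name goes first so that
# it is both the CN and a SAN entry; Outlook Anywhere and Autodiscover check the SANs.
$names = @(
    "mail.$external",
    "autodiscover.$external",
    "$server.$internal",
    "autodiscover.$internal",
    $server
)

# Subject fields must match what the CA has on record for the registrant (placeholders here).
$subject = "c=US, s=State, l=City, o=Example Org, cn=mail.$external"

# 1. Generate a 2048-bit key and a CSR to paste into the GoDaddy rekey form.
$csrPath = "C:\cert.csr"
New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
    -SubjectName $subject -DomainName $names -PrivateKeyExportable $true
Get-Content $csrPath

# 2. After the CA returns the signed certificate, import it (it pairs with the private key
#    created above because the request was generated on this server) and bind it to IIS
#    so OWA, Outlook Anywhere and Autodiscover all present it.
$cert = Import-ExchangeCertificate -Path "C:\mail_externalDomain_com.crt"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 3. Confirm that every name in $names made it into the issued certificate.
$issued = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$issued | Format-List Subject, CertificateDomains, Services, NotAfter
$missing = $names | Where-Object { $issued.CertificateDomains -notcontains $_ }
if ($missing) { "MISSING from certificate: " + ($missing -join ", ") } else { "All SAN entries present" }

# 4. Make the server-side Outlook Anywhere settings agree with the certificate: the external
#    host name clients connect to, and the principal name Autodiscover hands to Outlook 2007.
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" -ExternalHostname "mail.$external"
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:mail.$external"
```

Step 3 is the check worth keeping: if a name is reported missing, the certificate will still work for OWA (that only needs the CN) while Outlook Anywhere or Autodiscover fails with a name mismatch, which matches the symptom described in the question.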

If the cert works for OWA, then your CSR is probably correct.

Have you added the _autodiscover SRV record to dns for the domains using Outlook Anywhere? In GoDaddy DNS for each of the domains that you want to enable Outlook Anywhere you should have the following values:

Service: _autodiscover
Protocol: _tcp
Name: @
Priority: 10
Weight: 2
Port: 443
Target: External_Exchange_Server_Url
TTL: 1 Hour

You may need to configure the Outlook 2007 client manually:

  1. Tools->Accounts
  2. select the account and click the "Change" button
  3. Click the "More Settings..." button
  4. On the "Connections" tab, check the box to "Connect to Microsoft Exchange using HTTP"
  5. Click the "Exchange Proxy Settings" button
  6. Enter the URL to your exchange server
  7. Check the box "Only connect to proxy servers that have this principal name in their certificate:"
  8. Enter: msstd:External_Exchange_Server_URL
  9. Click "OK"

You may have to play around with the settings for a while to get it right, but it does work.

Jimmie R. Houts
  • Thanks for the feedback. I have the proper internal and external DNS records in place. My question was about the syntax for generating a proper CSR based on the requirements in my question. – Kyle Noland Jul 31 '09 at 22:40
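An added client-side check, not part of the answer above, for the two things that answer relies on: that the _autodiscover._tcp SRV record resolves, and that the certificate the server actually presents on port 443 carries the names Outlook Anywhere will be told to expect (the msstd: principal name from step 8 must match one of them exactly). It assumes the names from the question and is a live check, so it needs network access to mail.externalDomain.com; it uses nslookup rather than Resolve-DnsName so it runs on Windows of the Server 2008 era.

```powershell
# Added example (not from the original answer). Run from any Windows client that can
# reach the external host name. Names below are taken from the question.
$external = "externalDomain.com"
$mailHost = "mail.$external"

function Get-AutodiscoverSrv([string]$domain) {
    # Returns the SRV target host, or $null if the record is absent.
    $out = & nslookup -type=SRV "_autodiscover._tcp.$domain" 2>$null
    $hit = $out | Select-String 'svr hostname\s*=\s*(\S+)' | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value.TrimEnd('.') }
    return $null
}

function Get-ServerCertificate([string]$hostName, [int]$port = 443) {
    # Opens a TLS session only to fetch the leaf certificate; validation is disabled on
    # purpose because the point is to inspect the certificate, not to trust it.
    $client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($hostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CertificateDnsNames($cert) {
    # CN plus every DNS entry from the subjectAltName extension (OID 2.5.29.17).
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq "2.5.29.17") {
            foreach ($m in [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)')) {
                $names += $m.Groups[1].Value
            }
        }
    }
    return $names | Select-Object -Unique
}

$srvTarget = Get-AutodiscoverSrv $external
if ($srvTarget) { "SRV _autodiscover._tcp.$external -> $srvTarget" }
else            { "SRV _autodiscover._tcp.$external is MISSING" }

$cert  = Get-ServerCertificate $mailHost
$names = Get-CertificateDnsNames $cert
"Certificate presented by ${mailHost}: " + ($names -join ", ")
"Expires: " + $cert.NotAfter

# The msstd: value entered in Outlook's Exchange Proxy Settings must be one of these names.
foreach ($required in @($mailHost, "autodiscover.$external")) {
    if ($names -contains $required) { "OK      msstd:$required" } else { "MISSING msstd:$required" }
}
```

If the SRV target and the certificate names line up but Outlook Anywhere still fails, the mismatch is on the server side (the external host name or the EXPR principal name), not in the certificate request.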