[ExchangeList] Re: Request and install client license for CAS

  • From: "raj nair" <rajnair7@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Wed, 20 Aug 2008 20:08:20 +0530

Well, I had read about the SAN cert. But I think you can make it work with the integrated SSL that comes when you install Exchange CAS.
As I said, if we take "Require client certificate" from IIS Manager, it would connect if we type https:// FQDN of CAS server/owa and other virtual directories.
Am I wrong?

On Wed, Aug 20, 2008 at 7:50 PM, James Chong <jchong@xxxxxxxxxxxxxx> wrote:

For 2007 you use the newssl that comes with-exchangecertificate cmdlet rather than from IISmgr or through the browser. You will need to get a third party cert not an internally generated cert.



Securing an Exchange 2007 Client Access Server using a 3rd party SAN Certificate





James Chong
Sr. Systems Engineer
Simplexity, LLC.

11130 Sunrise Valley Drive, Suite 300

Reston, VA 20191
O (703) 657-4612
C (703) 863-1483


From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of raj nair
Sent: Wednesday, August 20, 2008 5:39 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Request and install client license for CAS


Hello,

Using Windows 2003 Enterprise Edition with an Exchange 2007 Client Access server running on it. SSL comes by default in Exchange 2007.

I was trying to install a client certificate using Certificate Services. Installed an enterprise root CA on the DC. On the Client Access server, if I go to IIS Manager --> Directory Security tab and clear the checkbox that says "Require client certificate", it works when I connect to the OWA and Exchange virtual directories.


From what I understood, we need a browser certificate.


Have referred to some docs on Certificate Services.


BUT when I go to http://localhost/certsrv it comes up with 2 options:

1) submit user certificate

or submit an advanced client certificate


Advanced Certificate Request  says:

The policy of the CA determines the types of certificates you can request. Click one of the following options to:  

1) Create and submit a request to this CA.
2) Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
3) Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
Note: You must have an enrollment agent certificate to submit a request on behalf of another user. 


From http://support.microsoft.com/kb/315588/en-us

The server side is already there, so I think we have to go to the client certificate side. The following is extracted from that doc.

What it says in the doc is not coming up. I don't see an option for a browser certificate at all.


Install a Client Certificate
In this section, you install a client-side certificate. You can use a certificate from any certificate authority, or you can use Microsoft Certificate Services to generate your own certificate.

To Request a Client-Side Certificate
1. Start Internet Explorer, and then browse to the following page:
2. Follow these steps in the wizard:
   a. Click Request a Certificate, and then click Next.
   b. On the Choose Request Type page, click Web Browser Certificate, and then click Next.
   c. Type the required information. Make sure that you type MSDN in the Company text box.
   d. Click Submit to complete the request.
3. Close Internet Explorer.

To Issue a Client-Side Certificate
1. Start the Certificate Authority tool from the Administrative Tools program group.
2. Expand the node for your certificate authority, and then select Pending Requests.
3. Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue.
4. Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it.
5. On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Clientcert.cer.
6. Close the Properties dialog box for the certificate.
7. Close the Certificate Authority tool.


To Install a Client-Side Certificate
1. Open Windows Explorer, and double-click Clientcert.cer to view the certificate file.
2. Follow these steps in the Certificate Import Wizard:
   a. On the first page of the wizard, click Install Certificate, and then click Next.
   b. Select the Automatically select the certificate store based on the type of certificate check box, and then click Next.
   c. Click Finish to complete the wizard.
3. Dismiss the confirmation message box, and then click OK to close the certificate



Any help greatly appreciated!





