How do I install an SSL Certificate into Microsoft Exchange 2007?

Problem

How do I install an SSL Certificate into Microsoft Exchange 2007?

Resolution

This tutorial will be given in 4 parts.  All parts must be completed, but you may find that either Part II and/or Part III may already be completed depending on your security settings and the version of your Windows Server.  If the certificate installation is a renewal of an already existing QuoVadis certificate, you  may not need to do Parts II and III as you should already have the certificates.  The intermediate files must also be installed to ensure that some browsers do not show a certificate error.

Part I - Obtaining the Necessary Certificates

When you download your certificates from the Trust/Link download page, make sure that you download the Root CA certificate, the Intermediate certificate and your SSL certificate.  You can do this by clicking on the certificate icon (or the download link) next to each certificate section (see https://support.quovadisglobal.com/kb/a469/understanding-the-trust-link-downloads-page.aspx for more details).  This will download a *.crt file for each certificate.

Part II - Installing the Intermediate (chaining) Certificates

Part II explains how to install the intermediate files that are required.  QuoVadis uses various Intermediate certificates that must be installed on the server to prevent errors in certain browsers.  You may want to go through these steps and if the intermediate certificates are not installed, then please obtain them and follow through with the rest of Part II.  These files should have been included in the email that was sent with the certificate.  If not, they have been included in this knowledge base article.

First you must open the Microsoft Management Console.
  1. Click on Start and then Run.

  2. In the Run window, type MMC in the Open: field and click on the OK button.

  3. The Console1 window will appear.

  4. Click on File at the top and then select Add/Remove Snap-in...  Alternatively, you can press Ctrl + M.

  5. In the Add/Remove Snap-in window, click on the Add... button at the bottom.  This will open a third window named Add Standalone Snap-in.

  6. Scroll down in the Add Standalone Snap-in window and find the Certificates component.  Once found, highlight it and click on the Add button at the bottom.  Alternatively, you can double-click on Certificates.

  7. In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.

  8. Select the Computer account radio button and click on the Next button.

  9. At the next screen, click on the Finish button.

  10. Back in the Add Standalone Snap-in window, click on the Close button.

  11. Click on the OK button in the Add/Remove Snap-in window.

  12. You should be back in the Console1 window.  You will see that the Certificates (Local Computer) has been added on the left hand pane.

  13. Click on the "+" sign next to Certificates (Local Computer) to expand it.

  14. Locate and expand the Intermediate Certification Authorities store and then click on the Certificates folder underneath it.

  15. Right-click on the Certificates folder underneath the Intermediate Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  16. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  17. You must specify the file to import.  Click on the Browse... button and find and select the intermediate certificate file you obtained from the Trust/Link download page.  Once selected, it should appear in the File name: field.  Click on the Next button.

  18. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Intermediate Certification Authorities.  Click on the Next button.

  19. At the summary screen, click on the Finish button.

  20. You should get a message that reads, "The import was successful."

Part III - Installing the Root Certificates

Generally, your Windows Server should have the QuoVadis Root certificates installed, however there have been cases where they have not been.  When you install the SSL certificate, if the root certificate is not present, the system will prompt you to trust it, which will also install it.  Part II assumes that you currently have the Certificate Snap-In on the Microsoft Management Console open.  If you do not, you can find the instructions in Part II of this guide, steps 1-11.
  1. Click on the "+" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).

  2. Locate and expand the Trusted Root Certification Authorities store and the click on the Certificates folder underneath it.

  3. Right-click on the Certificates folder underneath the Trusted Root Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  4. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  5. You must specify the file to import.  Click on the Browse... button and find and select the Root CA certificate file you obtained from the Trust/Link download page.  Once selected, it should appear in the File name: field.  Click on the Next button.

  6. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Trusted Root Certification Authorities.  Click on the Next button.

  7. At the summary screen, click on the Finish button.

  8. You should get a message that reads, "The import was successful."

Part IV - Installing the Certificate

Part IV explains how to install the SSL certificate. Installing the SSL certificate will be done using the Microsoft Exchange Management Shell tool.
  1. Place the certificate that you receive from QuoVadis directly in the root of the C: drive.

    Note: You can change the location of the certificate file other than the C: drive, however the "Import Certificate Command" will change from what is displayed in this article.

  2. Open the Exchange Management Shell.

  3. Run the following command:

  4. Import-ExchangeCertificate -Path C:\<certificate_file>.cer

    Note: If you put the certificate file in another directory, then you will have to specify the exactly location and certificate file after the -Path string.

  5. To enable the certificate you have just installed, we will need to reference in the thumbprint of the new certificate.  In order to do this, you will need to copy the thumbprint of the certificate to your clipboard.

  6. Enter in the following command to see the thumbprint.

  7. Get-ExchangeCertificate –DomainName "<mail.domain.com>"

    Note: Please change the <mail.domain.com> directive to the Common Name (or URL) of the certificate you just installed.

  8. Right click anywhere on the Exchange Shell Management and select Mark from the drop down menu.

  9. Next, highlight the entire string of letters and numbers underneath the Thumbprint heading that appears.  Press the Enter key when the Thumbprint is hightlighted.

  10. Next run the following command, making sure to right-click and paste in the thumbprint to replace the <certificate-thumprint>:

  11. Enable-ExchangeCertificate –ThumbPrint <certificate-thumbprint> -services "SMTP, IMAP, POP, IIS"

    Note: The services that are shown in the example above is what is most frequently used.  You can remove any service that you do not want to enable this certificate for.  The list of services that you can choose from are IMAP, POP, UM, IIS, and SMTP.

OCSP Stapling Support

Although optional, it is highly recommended to enable OCSP Stapling which will improve the SSL handshake speed of your website.

Windows Server 2008 automatically utilizes OCSP Stapling by default.  No additional configuration is required.

You can read up on more on OCSP Stapling at https://support.quovadisglobal.com/KB/a415/what-is-ocsp-stapling.aspx.

Add Feedback