Thursday 21 June 2012

SSL and Self-Signed Certs for Exchange 2003

For the next stage of this lab build, I wanted to look at configuring SSL on the exchange 2003 Front-End server, to support RPC over HTTPS, and secure OWA access.

First, I logged onto the Exchange 2003 Front-End server and opened up IIS, went into properties for the default web site, and onto the Directory Security tab.
From here I clicked on Server Certificate, and chose create a new certificate.
Then selected prepare the request now but send it later.
Next, I entered a name for the certificate and set the encryption key bit length to 4096.
I kept the Organisation and OU at their defaults.
For the site's common name, I opted for a FQDN that I can add to internal DNS.
On the next screen, I entered locality information, then kept the output file and location settings at their defaults.
Finally, you are presented with a summary screen, displaying the options selected.
Once the certreq.txt file had been created, I opened up IE and navigated to the certificate services web enrolment site that was created by the steps in my previous post. Here I selected Request a certificate.
Then advanced certificate request.
Then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
After that, I pasted the contents of the certreq.txt file into the saved request field, and set the certificate template to web server.
Next, I opted for the base64 encoded certificate, and downloaded it to the Front-End server.
Back in IIS, I went back to directory security, and into server certificates. Here I opted to Process the pending request.
I pointed the wizard at the .cer file I had just downloaded.
Then left the SSL port at the default of 443.
A summary is then displayed again, and after that, clicking finish completes the wizard. After that, I selected the edit button on the directory security tab under secure communications and enabled Require SSL and Require 128-bit Encryption.
I then checked the trusted root certificates store to verify the root CA had been added correctly. It had; however, on checking the properties, an error was displayed stating "the integrity of this certificate cannot be guaranteed".
Looking into this error further, it was down to the signing algorithm I had selected when deploying the CA (SHA-512). Microsoft have a hotfix available which I applied and allowed the root CA to pass validation. I was a little bit disappointed that this hotfix wasn't part of the many updates I had already applied, as my main reason for choosing SHA-512 (a SHA-2 variant) was that SHA-1 is no longer recommended for signing digital signatures.
Anyway, after the hotfix, I verified OWA access was working over SSL using the FQDN I'd entered earlier - it was, and all was looking good.
I then also took a look at the certification path and verified all was as expected - it was.
As a final step I went back into ESM, and properties for the HTTP VS.  Here I enabled forms based authentication.
I then closed and re-opened IE and verified I was seeing the forms based authentication login, and login was working correctly using forms based auth - everything looked good.
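As an added check that is not part of the original post, the script below inspects the certificate IIS will present for the FQDN entered in the wizard: it confirms the private key from the pending request was bound on this server, prints the signing algorithm (the SHA-512 choice that tripped chain validation before the hotfix), and walks the chain so any element that still fails validation is listed. It assumes PowerShell is available on the Front-End server and that $Fqdn is a placeholder for the common name you entered.

```powershell
# Added example, not from the original post. Assumes PowerShell on the
# Exchange Front-End server; $Fqdn is a placeholder for the wizard's common name.
param([string]$Fqdn = "owa.lab.example")

# Open the machine store that the IIS certificate wizard installs into.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Subject -like "*CN=$Fqdn*" } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with CN=$Fqdn found in LocalMachine\My" }

"Subject        : " + $cert.Subject
"Issuer         : " + $cert.Issuer
"Valid until    : " + $cert.NotAfter
# If the .cer was processed on a different box than the one that made the CSR,
# the private key will be missing and SSL will not work.
"Has private key: " + $cert.HasPrivateKey
# Expect a SHA-2 value here (e.g. sha512RSA) if the CA was deployed with SHA-512.
"Signed with    : " + $cert.SignatureAlgorithm.FriendlyName

# Build the chain the same way Windows does when it shows the certification path.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # lab CA; use "Online" once the CRL is reachable
$ok = $chain.Build($cert)
"Chain builds   : $ok"

# One line per element, followed by any status that stops it validating.
foreach ($elem in $chain.ChainElements) {
    "  " + $elem.Certificate.Subject + "  [" + $elem.Certificate.SignatureAlgorithm.FriendlyName + "]"
    foreach ($s in $elem.ChainStatus) {
        "      ! " + $s.Status + ": " + $s.StatusInformation.Trim()
    }
}
```

Before the hotfix the root element is the one that reports a status here; after it the chain should build with no status lines at all.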