Entrust Certificate Services Support Knowledge Base

Audience: Administrator
Last Modified: 2009-05-25 14:21:53.0

TN 7031 - How to install an Entrust Unified Communications Certificate (UCC) in Microsoft Exchange Server 2007

Entrust Unified Communications Certificate (UCC) and Microsoft Exchange Server 2007 Guidelines

During the online enrollment process you will be required to provide Entrust Certificate Services with a Certificate Signing Request (CSR). This Base64-encoded data is generated from your Microsoft Exchange Server 2007 and contains information about your company and your Exchange server.

It is important to review this guideline, as Entrust Certificate Services will use this information to generate your certificate.

To generate your Key Pair and Certificate Signing Request (CSR):

To generate an Entrust Unified Communications Certificate (UCC) request within the Exchange Management Shell, use the New-ExchangeCertificate cmdlet.

To generate a certificate request, use the GenerateRequest parameter together with the Path parameter to define where the request file will be created. The resulting file is a PKCS #10 request (.req) file.

The following examples show some typical certificate requests.

The first example generates a certificate request for Entrust's Exchange server mail1. The CN of the Subject Name contains the FQDN of the server:

    New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=entrust inc., cn=mail1.entrust.com" -IncludeAcceptedDomains -Path c:\certificates\mail1.entrust.com.req

The second example generates a certificate request for Entrust's Exchange server mail1, which has a Send connector on each Edge Transport server with the FQDN mail.entrust.com. That additional name is added to the request with the DomainName parameter:

    New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=entrust inc., cn=mail1.entrust.com" -DomainName mail.entrust.com -Path c:\certificates\mail1.entrust.com.req

In both examples above, the SubjectName must contain country (c=), organizationName (o=), and commonName (cn=), with the following caveats:

  • The company listed in the organizationName (o=) must own the domain name that appears in the commonName (cn=) of your server.
  • The commonName must be identical to the fully qualified domain name of the site for which you are requesting a certificate, for example mail1.entrust.com.

Notes:

  • Do not specify the protocol (http://), any port numbers or pathnames in the Common Name (CN).
  • You may choose to include locality, stateOrProvince and organizationalUnit in the SubjectName, but these fields are not required.
  • Do not use the following characters in any of the fields in the Exchange Management Shell: > < ! @ # $ % ^ * ( ) ~ ? / \


Parameters Defined:

New-ExchangeCertificate → Creates a new self-signed certificate or a new certificate request for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services.

-GenerateRequest → Specifies the type of certificate object to create.

-SubjectName → Specifies the Subject Name on the resulting certificate.

-Path → Specifies the path of the resulting PKCS #10 request file.

-IncludeAcceptedDomains → Includes all the defined accepted domains in the domain names field.
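The two requests above depend on the Subject Name rules listed in the caveats and notes. The script below is an added example, not code from this Entrust article or from Microsoft's documentation: it checks a Subject Name against those rules (required c=, o= and cn= components, none of the disallowed characters, a CN that is a bare FQDN with no protocol, port or path) before calling New-ExchangeCertificate, then builds a single request that also covers the Edge Transport FQDN and an Autodiscover name. The host names, the output path, and the use of the PrivateKeyExportable and KeySize parameters (which New-ExchangeCertificate supports but the article does not mention) are assumptions made for this example.

```powershell
# Added example, not part of the Entrust article. Validates a Subject Name against the
# article's rules, then generates a UCC request. Host names, the output path and the
# -PrivateKeyExportable / -KeySize parameters are assumptions for this example.
# Syntax is kept within PowerShell 1.0, which the Exchange 2007 Management Shell runs on.

function Test-SubjectName {
    param([string]$SubjectName)

    # Characters the article says must not appear in any field
    if ($SubjectName -match '[><!@#$%^*()~?/\\]') {
        return "Subject Name contains a disallowed character: $SubjectName"
    }

    # Break "c=us, o=entrust inc., cn=mail1.entrust.com" into its components.
    # (A comma inside a value, e.g. in the organization name, would need escaping first.)
    $rdn = @{}
    foreach ($part in $SubjectName.Split(',')) {
        $i = $part.IndexOf('=')
        if ($i -lt 1) { return "Malformed Subject Name component: '$part'" }
        $key = $part.Substring(0, $i).Trim().ToLower()
        $val = $part.Substring($i + 1).Trim()
        $rdn[$key] = $val
    }

    # country, organizationName and commonName are mandatory
    foreach ($required in 'c', 'o', 'cn') {
        if (-not $rdn.ContainsKey($required)) {
            return "Subject Name is missing the required component '$required='"
        }
    }

    # The CN must be a bare fully qualified domain name: no scheme, port or path
    $cn = $rdn['cn']
    if ($cn -match '^[a-z]+://' -or $cn -match ':[0-9]+$') {
        return "commonName must not carry a protocol or port: $cn"
    }
    if ($cn -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        return "commonName is not a fully qualified domain name: $cn"
    }

    return $null   # $null means the Subject Name passed every check
}

$subject = 'c=us, o=entrust inc., cn=mail1.entrust.com'
$problem = Test-SubjectName $subject
if ($problem) { throw $problem }

# -DomainName lists every extra name the UCC must cover; -IncludeAcceptedDomains adds the
# organization's accepted domains. The key is generated exportable so that the PKCS #12
# backup described later in the article is possible.
New-ExchangeCertificate -GenerateRequest -SubjectName $subject `
    -DomainName mail1.entrust.com,mail.entrust.com,autodiscover.entrust.com `
    -IncludeAcceptedDomains -PrivateKeyExportable:$true -KeySize 2048 `
    -Path c:\certificates\mail1.entrust.com.req

# Confirm the file is a Base64 PKCS #10 request before pasting it into the enrollment form
$req = @(Get-Content c:\certificates\mail1.entrust.com.req)
if (-not ($req[0] -match 'BEGIN (NEW )?CERTIFICATE REQUEST')) {
    throw 'Request file does not start with a PKCS #10 header'
}

# certutil ships with Windows; it decodes the request so the CN and the name list can be reviewed
certutil -dump c:\certificates\mail1.entrust.com.req
```

Run it from the Exchange Management Shell. The validation function returns a message rather than throwing so that it can be reused in a pre-flight check; a private key generated as non-exportable cannot later be included in a PKCS #12 export, which is why the example asks for an exportable key up front.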

 

 

====================================================================================================

 

Installing your Entrust Unified Communications Certificate (UCC) into Microsoft Exchange Server 2007:

Your Entrust Unified Communications Certificate (UCC) will be sent to you in a confirmation email with a link to retrieve the certificate. The certificate will be displayed in the following format:

-----BEGIN CERTIFICATE-----
MIIC4zCCAkygAwIBAgIBAzANBgkqhkiG9w0BAQUFADBFMQs
wCQYDVQQGEwJVUzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW
9uMRwwGgYDVQQDExNHVEUgQ3liZXJUcnVzdCBSb290MB4XD
YwZDAPBgNVHRMECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBB
jBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8vY2RwLmJhbHRp
bW9yZS5jb20vY2dpLWJpbi9DUkwvR1RFUm9vdC5jZ2kwDQY
JKoZIhvcNAQEFBQADgYEAgbZwffFU+FjjNYTSoUFyRAAysI
auOknVaLteQPQJxBGLMhXGdfejVBTWLb1UTFBQXNNCiqm8C
o+dYikuVB+0/1habRkb+k4vFe6tn5IvQMnfhZbSJNoXn5Il
GVDWQYlfC0/R1wjfv+U6rzTJbJ7WXX0Ka5jKLKuckXNvu7E
qOA4=
-----END CERTIFICATE-----

You will need to save it to your computer as a certificate file (.cer or .crt).

1.  Copy the Entrust Unified Communications Certificate (UCC) and be sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

2.  Paste the Entrust Unified Communications Certificate into a text editor such as Notepad and ensure that the entire text is flush left with no leading or trailing white space.

3.  Save the certificate file as .cer or .crt.

4.  Once you have saved the certificate file to your computer, install the certificate with the Import-ExchangeCertificate cmdlet.

 

      Important:

      Do not use the Certificate snap-in to import the certificates for any service on an Exchange server. Using the Certificate snap-in to import certificates on Exchange servers will fail, and as a result TLS and the other Exchange certificate services will not work.

      The following example shows how to import a certificate for SMTP TLS:

      Import-ExchangeCertificate -Path c:\certificates\mail1.entrust.com.cer | Enable-ExchangeCertificate -Services SMTP


      Parameters defined:

      Import-ExchangeCertificate → Imports a certificate or chain of certificates that have been issued from a certification authority.

      -Path → Specifies the path of the file that you want to import.

      Enable-ExchangeCertificate → Enables or disables an existing certificate in the local certificate store for different services.

      -Services → Specifies the services that will use the resulting certificate. Valid entries include a combination of the following:

        • IMAP
        • POP
        • UM
        • IIS
        • SMTP
        • None


5.  To see whether your certificate has been installed and enabled for the right services, use the Get-ExchangeCertificate cmdlet:

      Get-ExchangeCertificate

      You will be shown a list of certificates including their thumbprint, the services they can be used for, and the Subject name. In this case, the certificate with the thumbprint ending in D5765 has been enabled for SMTP, IMAP, POP3 and WEB but not for UM (Unified Messaging).
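As an added example (not code from the Entrust article), the script below performs steps 1 through 5 in one pass: it checks that the saved .cer file is a single flush-left PEM block, imports it, enables it for a set of services, and then confirms through Get-ExchangeCertificate that the expected services are enabled and the certificate is not close to expiry, instead of reading the result off the screen. The file path, the service list, and the property names on the returned certificate object (Thumbprint, Services, NotAfter, CertificateDomains) are assumptions for this example.

```powershell
# Added example, not part of the Entrust article: import the issued certificate, enable
# it for the intended services and verify the result. The path, the service list and
# the property names on the certificate object are assumptions for this example.

$certFile = 'c:\certificates\mail1.entrust.com.cer'

if (-not (Test-Path $certFile)) { throw "Certificate file not found: $certFile" }

# The file saved from the Entrust email must be one PEM block, flush left, with
# no leading or trailing white space (steps 1 to 3 above).
$pem = @(Get-Content $certFile)
if ($pem[0] -ne '-----BEGIN CERTIFICATE-----' -or $pem[-1] -ne '-----END CERTIFICATE-----') {
    throw 'Certificate file is missing its BEGIN/END CERTIFICATE lines or has stray whitespace'
}

# Import-ExchangeCertificate returns the imported certificate object; piping it into
# Enable-ExchangeCertificate avoids retyping the thumbprint (and mistyping it).
$cert = Import-ExchangeCertificate -Path $certFile
$cert | Enable-ExchangeCertificate -Services SMTP,IIS,POP,IMAP

function Test-CertificateEnabled {
    param([string]$Thumbprint, [string[]]$RequiredServices)

    $installed = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if ($installed -eq $null) { return "Thumbprint $Thumbprint is not in the local store" }

    # The Services property renders as a comma-separated list, e.g. "IMAP, POP, IIS, SMTP"
    $enabled = $installed.Services.ToString()
    foreach ($svc in $RequiredServices) {
        if ($enabled -notmatch "\b$svc\b") { return "$svc is not enabled on $Thumbprint" }
    }

    # A certificate that is about to expire is not worth binding services to
    if ($installed.NotAfter -lt (Get-Date).AddDays(30)) {
        return "Certificate expires on $($installed.NotAfter); renew it before enabling"
    }
    return $null   # every required service is enabled
}

$problem = Test-CertificateEnabled -Thumbprint $cert.Thumbprint -RequiredServices SMTP,IIS,POP,IMAP
if ($problem) { throw $problem }

# Show what was installed, including the names the UCC covers
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint,Subject,CertificateDomains,Services,NotAfter
```

UM is left out of the service list deliberately, matching the outcome described in step 5; add it to both the Enable-ExchangeCertificate call and the RequiredServices list if Unified Messaging should use this certificate.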

     

 

 

====================================================================================================

 

Backing up and Restoring your Entrust Unified Communications Certificate (UCC):

It is recommended that you back up your certificate and its corresponding private key in the event that there is a hardware failure or other disaster affecting your Exchange Server.

To back up your certificate and private key, export them using the Export-ExchangeCertificate cmdlet.

This cmdlet creates either of the following files:

  • PKCS #10 file
  • PKCS #12 file

If the thumbprint specified in the cmdlet points to a certificate request, the Export-ExchangeCertificate cmdlet creates a PKCS #10 file, also known as your Certificate Signing Request file.

If the thumbprint specified in the cmdlet points to an actual certificate, the Export-ExchangeCertificate cmdlet creates a PKCS #12 file, which contains the certificate together with its private key.

The thumbprint of the certificate can be displayed by using the Get-ExchangeCertificate cmdlet, as shown in the installation section above.


Exporting (backing up) your Entrust Unified Communications Certificate (UCC):

To export your certificate, use the following command, substituting the thumbprint of your certificate:

    Export-ExchangeCertificate -Thumbprint <thumbprint> -BinaryEncoded:$true -Path c:\certificates\mail.entrust.com.pfx -Password:(Get-Credential).password

Note:

Please store your keys and password in a secure location.

Export Parameters defined:

Export-ExchangeCertificate → Exports an existing certificate from the certificate store on the local computer.

-Thumbprint → Specifies the thumbprint of the certificate that you are exporting. Each certificate contains a thumbprint, which is the digest of the certificate data.

-BinaryEncoded:$true → Specifies how the exported file will be encoded. By default, this cmdlet creates a Base64-encoded file. To create a DER-encoded file, set this parameter to $true.

-Path → Specifies the path of the resulting PKCS #10 file or PKCS #12 file. You must specify the name of the file when you use this parameter. For PKCS #10 (certificate request), the extension must be .req. For PKCS #12 (certificate), the extension must be .pfx or .p12. The following code shows examples of a PKCS #10 file or PKCS #12 file respectively:

-Password → Specifies the password for the key that will be exported with this command. Use the Get-Credential cmdlet to store the password variable. The Get-Credential cmdlet will prompt you for a user name and password, but only the password field is used to export or import the certificate. Therefore, you don't have to use a real domain name or user name in the Name field.


Restoring (importing) your Entrust Unified Communications Certificate (UCC) and private key:

To restore or import your certificate and private key, import the PKCS #12 file using the Import-ExchangeCertificate cmdlet. You will need the password used to create the file in the Backup/Export procedure.

    Import-ExchangeCertificate -Path c:\certificates\mail.entrust.com.pfx -Password:(Get-Credential).password

You will be prompted for a user name and password. The user name is not important, but the password must be the same password as used in the Backup/Export procedure.

Import Parameters defined:

Import-ExchangeCertificate → Imports a certificate or chain of certificates that have been issued from a certification authority. It is also used to import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file into the certificate store on the local computer.

-Password → Specifies the password for the key that will be imported with this command. Use the Get-Credential cmdlet to store the password variable. The Get-Credential cmdlet will prompt you for a user name and password, but only the password field is used to export or import the certificate. Therefore, you don't have to use a real domain name or user name in the Name field.
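The export and import commands above, run end to end as an added example that is not the article's own code: the password is read once as a SecureString rather than through a dummy credential prompt, the backup file's permissions are restricted before it leaves the server (the article's "store your keys and password in a secure location"), and after the restore the script checks that the private key actually came back, because a certificate that is present in the store without its private key cannot serve TLS. The thumbprint placeholder, the file path, the service list, and the HasPrivateKey property on the object returned by Get-ExchangeCertificate are assumptions; icacls is assumed to be available (Windows Server 2008, or 2003 SP2 and later).

```powershell
# Added example, not part of the Entrust article: export the certificate and its private
# key to a password-protected PKCS #12 file, then restore it and verify the private key is
# present before re-enabling services. The thumbprint placeholder, paths, service list and
# the HasPrivateKey property are assumptions for this example.

$thumbprint = '<thumbprint from Get-ExchangeCertificate>'   # placeholder: replace before running
$pfxPath    = 'c:\certificates\mail1.entrust.com.pfx'

# Read the password once as a SecureString; it never appears in the script or in the shell history.
$password = Read-Host -Prompt 'PKCS #12 password' -AsSecureString

# ---- Backup (export) ----
Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true `
    -Path $pfxPath -Password $password
if (-not (Test-Path $pfxPath)) { throw "Export did not produce $pfxPath" }

# The PKCS #12 file holds the private key: restrict it to Administrators and SYSTEM before
# it is copied off the server (icacls: Windows Server 2008, or 2003 SP2 and later).
icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# ---- Restore (import) on the rebuilt server ----
function Restore-ExchangeCertificateBackup {
    param([string]$Path, [System.Security.SecureString]$Password, [string]$ExpectedThumbprint)

    Import-ExchangeCertificate -Path $Path -Password $Password | Out-Null

    $restored = Get-ExchangeCertificate -Thumbprint $ExpectedThumbprint
    if ($restored -eq $null) {
        return "Certificate $ExpectedThumbprint is not in the store after import"
    }
    # Without its private key the certificate cannot be used for TLS; fail here rather than
    # discovering it when clients try to connect.
    if (-not $restored.HasPrivateKey) {
        return "Certificate $ExpectedThumbprint was imported without its private key"
    }
    return $null   # certificate and private key are both back
}

$problem = Restore-ExchangeCertificateBackup -Path $pfxPath -Password $password -ExpectedThumbprint $thumbprint
if ($problem) { throw $problem }

# Service bindings are Exchange configuration, not part of the PKCS #12 file,
# so they have to be enabled again after a restore.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP,IIS,POP,IMAP
```

In practice the backup half runs on the original server and the restore half on its replacement; they are shown together so the same SecureString is visibly used on both sides. Keep the PKCS #12 file and its password in separate locations.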

 

 

Note:

For more detailed information regarding Microsoft Exchange Server 2007, please refer to Microsoft's site at http://technet.microsoft.com/en-us/library/bb124558.aspx.


Affected Products:

  • Entrust Certificate Services UCC SSL - 1 year Version Not Applicable English Windows
  • Entrust Certificate Services UCC SSL - 2 year Version Not Applicable English Windows
