Creating internal certificate for OWA with multiple URLs

Creating a certificate that supports multiple URLs for internal and external use with Exchange OWA, issued by an internal CA on Windows.

As a guide I used this article and also CertReq /?.

Create a TXT file with the following content:

[NewRequest]
Subject = "CN=Exchange.Pastures.local"
Exportable = true
ExportableEncrypted = true
MachineKeySet = true
FriendlyName = "Pastures Exchange"

[RequestAttributes]

SAN = "ipaddress=10.106.1.20&dns=Autodiscover.Pastures.Local"
CertificateTemplate = WebServer

In the [NewRequest] section the following settings are important:

FriendlyName: pick a unique one so you can easily identify the certificate in IIS and in the Certificates MMC snap-in.
MachineKeySet: must be true, otherwise the certificate cannot be used via the machine account.

In the [RequestAttributes] section we do two things. First we give a list of Subject Alternative Names. These can contain anything, but make sure to include the important names, such as the autodiscover record (if it is hosted on this machine, which is the default) and possibly external names and IP addresses. Secondly, the CertificateTemplate is specified here. This is very important: if you use another template for your internal web servers, make sure to use that one; the one supplied here is the default.

Note: if you are using a Windows Server 2008 R2 server as the Certificate Authority you can (and should) use Extended Validation, which can work with multiple URLs as well.

Use this file as the input for a CertReq -new command:

CertReq -new request.txt request.req

Then run the following command to submit the request to the CA and save the issued certificate as exchange.cer. Now use the MMC snap-in to import it into the Personal store of the machine account.

CertReq -Submit request.req exchange.cer

Set the certificate to be used by the website in IIS and you’re all set.
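The whole procedure above as one PowerShell script, ending with the check a practitioner wants before binding the certificate in IIS: that the issued certificate is in the machine store with its private key and actually carries every name that was asked for. This is an added example, not code from the original post; the CA configuration string and the working folder are placeholders, and the example adds the CN itself to the SAN list because modern clients ignore the CN once a SAN extension is present. One caveat the check covers: a SAN given in [RequestAttributes] is a request attribute, and an enterprise CA only honours it when the policy module flag EDITF_ATTRIBUTESUBJECTALTNAME2 is set. Because that flag lets any account with enroll permission request a certificate for any name, it is normally left off; on such a CA put the names in an [Extensions] section of the INF instead (shown in a comment).

```powershell
# Added example, not from the original post.
# Placeholders (not from the post): $caConfig ("host\CA name") and $work.
$commonName   = 'Exchange.Pastures.local'
$expectedSans = @('Exchange.Pastures.local', '10.106.1.20', 'Autodiscover.Pastures.Local')
$caConfig     = 'CASERVER.Pastures.local\Pastures-CA'   # placeholder
$work         = Join-Path $env:TEMP 'owa-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The INF from the post, with the CN added to the SAN. Straight quotes only:
# curly quotes pasted from a web page make CertReq reject the file.
$inf = @"
[NewRequest]
Subject = "CN=$commonName"
Exportable = true
ExportableEncrypted = true
MachineKeySet = true
FriendlyName = "Pastures Exchange"

[RequestAttributes]
SAN = "dns=Exchange.Pastures.local&ipaddress=10.106.1.20&dns=Autodiscover.Pastures.Local"
CertificateTemplate = WebServer
"@
# Variant that does not depend on the CA's EDITF_ATTRIBUTESUBJECTALTNAME2 flag:
# remove the SAN line above and add
#   [Extensions]
#   2.5.29.17 = "{text}"
#   _continue_ = "dns=Exchange.Pastures.local&"
#   _continue_ = "ipaddress=10.106.1.20&"
#   _continue_ = "dns=Autodiscover.Pastures.Local&"
Set-Content -Path (Join-Path $work 'request.txt') -Value $inf -Encoding Ascii

# 1. Create the CSR; MachineKeySet = true puts the private key in the machine store.
certreq -new (Join-Path $work 'request.txt') (Join-Path $work 'request.req')
# 2. Submit to the CA. The template is already named in the INF, so no -attrib is needed.
certreq -submit -config $caConfig (Join-Path $work 'request.req') (Join-Path $work 'exchange.cer')
# 3. Bind the issued certificate to its pending key in LocalMachine\My
#    (same result as importing exchange.cer with the Certificates MMC snap-in).
certreq -accept (Join-Path $work 'exchange.cer')

function Test-OwaCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string[]]$ExpectedNames
    )
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
    if (-not $cert) { throw "Thumbprint $($issued.Thumbprint) not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no machine private key; IIS cannot use it' }

    # OID 2.5.29.17 is the Subject Alternative Name extension; Format($true) renders it
    # as "DNS Name=..." / "IP Address=..." lines.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $msg = 'Issued certificate has no SAN extension: the CA ignored the request attribute. ' +
               'Check "certutil -getreg policy\EditFlags" for EDITF_ATTRIBUTESUBJECTALTNAME2, ' +
               'or move the names into an [Extensions] section of the INF.'
        throw $msg
    }
    $sanText = $san.Format($true)
    $missing = $ExpectedNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
    if ($missing) { throw "SAN is missing: $($missing -join ', ')" }

    $cert   # return the store object so the caller can bind it in IIS
}

$cert = Test-OwaCertificate -CerPath (Join-Path $work 'exchange.cer') -ExpectedNames $expectedSans
Write-Host "OK: $($cert.Subject) [$($cert.Thumbprint)] carries all expected names"
```

Run it in an elevated PowerShell on the Exchange server; if Test-OwaCertificate throws on the missing SAN extension, the CA silently dropped the request attribute and the [Extensions] variant in the comment is the fix that does not require changing the CA's policy flags.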
