


Digital Certificates and SSL


Secure Sockets Layer (SSL) is a method for securing communications between a client and a server. For Exchange Server 2013, SSL is used to help secure communications between the server and clients. Clients include mobile phones, computers inside an organization's network, and computers outside an organization's network. By default, when you install Exchange 2013, client communications are encrypted using SSL when you use Outlook Web App, Exchange ActiveSync, and Outlook Anywhere. SSL requires you to use digital certificates. This topic summarizes the different types of digital certificates and information about how to configure Exchange 2013 to use these types of digital certificates.

Contents: Overview of digital certificates; Digital certificates and proxying; Digital certificates best practices

O"er"ie0 o( $igital certi(icates

'igital certi(icates are electronic (iles that 0or- li-e an online 3ass0or$ to "eri(y the i$entity o( a user or a com3uter1 They5re use$ to create the !!L encry3te$ channel that5s use$ (or client communications1 & certi(icate is a $igital statement that5s issue$ by a certi(ication authority .%&/ that "ouches (or the i$entity o( the certi(icate hol$er an$ enables the 3arties to communicate in a secure manner using encry3tion1 'igital certi(icates $o the (ollo0ing7 They authenticate that their hol$ers83eo3le2 0ebsites2 an$ e"en net0or- resources such as routers8are truly 0ho or 0hat they claim to be1 They 3rotect $ata that5s e change$ online (rom the(t or tam3ering1 'igital certi(icates can be issue$ by a truste$ thir$93arty %& or a 6in$o0s 3ublic -ey in(rastructure .:;,/ using %erti(icate !er"ices2 or they can be sel(9signe$1 Each ty3e o( certi(icate has a$"antages an$ $isa$"antages1 Each ty3e o( $igital certi(icate is tam3er9 3roo( an$ can5t be (orge$1 %erti(icates can be issue$ (or se"eral uses1 These uses inclu$e 0eb user authentication2 0eb ser"er authentication2 !ecure<#ulti3ur3ose ,nternet #ail E tensions .!<#,#E/2 ,nternet :rotocol security .,:sec/2 Trans3ort Layer !ecurity .TL!/2 an$ co$e signing1

A certificate contains a public key and attaches that public key to the identity of a person, computer, or service that holds the corresponding private key. The public and private keys are used by the client and the server to encrypt the data before it's transmitted. For Windows-based users, computers, and services, trust in a CA is established when there's a copy of the root certificate in the trusted root certificate store and the certificate contains a valid certification path. For the certificate to be valid, the certificate must not have been revoked and the validity period must not have expired.

Types of certificates

There are three primary types of digital certificates: self-signed certificates, Windows PKI-generated certificates, and third-party certificates.

Self-signed certificates

When you install Exchange 2013, a self-signed certificate is automatically configured on the Mailbox servers. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. This self-signed certificate is used to encrypt communications between the Client Access server and the Mailbox server. The Client Access server trusts the self-signed certificate on the Mailbox server automatically, so no third-party certificate is needed on the Mailbox server. When you install Exchange 2013, a self-signed certificate is also created on the Client Access server. This self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an SSL connection by using a self-signed certificate. Outlook Anywhere won't work with a self-signed certificate on the Client Access server. Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client confirms the trust, then SSL communications can continue.

Note: By default, the digital certificate installed on the Mailbox server or servers is a self-signed certificate. You don't need to replace the self-signed certificate on the Mailbox servers in your organization with a trusted third-party certificate. The Client Access server automatically trusts the self-signed certificate on the Mailbox server and no other configuration is needed for certificates on the Mailbox server.
Frequently, small organizations decide not to use a third-party certificate or not to install their own PKI to issue their own certificates. They might make this decision because those solutions are too expensive, because their administrators lack the experience and knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal and the setup is simple when you use self-signed certificates. However, it's much more difficult to establish an infrastructure for certificate life-cycle management, renewal, trust management, and revocation when you use self-signed certificates.
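To make the trust rules from the overview and the self-signed section concrete, here is an added example in Go (not code from this article or from Exchange) that uses only the standard library's crypto/x509. It builds a self-signed server certificate of the kind Setup installs and a CA-issued one, then runs the three checks a client runs before it accepts a server: a certification path to a root in its trusted root certificate store, the host name it connected to present in the SAN list, and a current validity period. The names EXCH01, Contoso Root CA and the scenario labels are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn carrying the given SAN list. When parent
// is nil the certificate signs itself (issuer == subject), which is what a
// self-signed Exchange certificate is; otherwise parent (a CA) signs it with
// parentKey. Constructed for this example.
func issue(cn string, sans []string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // serials must be positive
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientTrusts reproduces the client-side check: trustedRoots plays the role
// of the client's trusted root certificate store, host is the name the client
// connected to, and now is the moment the validity period is judged at.
func clientTrusts(cert *x509.Certificate, trustedRoots []*x509.Certificate, host string, now time.Time) error {
	store := x509.NewCertPool()
	for _, root := range trustedRoots {
		store.AddCert(root)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: store, DNSName: host, CurrentTime: now})
	return err
}

// scenarios builds the certificates and returns, per case, the error a client
// would report (nil means the client trusts the server).
func scenarios() (map[string]error, error) {
	now := time.Now()
	selfSigned, _, err := issue("EXCH01", []string{"mail.contoso.com"}, false,
		now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := issue("Contoso Root CA", nil, true, now.Add(-time.Hour), now.Add(365*24*time.Hour), nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("mail.contoso.com", []string{"mail.contoso.com", "autodiscover.contoso.com"}, false,
		now.Add(-time.Hour), now.Add(24*time.Hour), ca, caKey)
	if err != nil {
		return nil, err
	}
	trustCA := []*x509.Certificate{ca}
	return map[string]error{
		"self-signed, not in root store":     clientTrusts(selfSigned, nil, "mail.contoso.com", now),
		"self-signed, copied to root store":  clientTrusts(selfSigned, []*x509.Certificate{selfSigned}, "mail.contoso.com", now),
		"CA-issued, CA not in root store":    clientTrusts(leaf, nil, "mail.contoso.com", now),
		"CA-issued, CA in root store":        clientTrusts(leaf, trustCA, "mail.contoso.com", now),
		"CA-issued, host name not in SAN":    clientTrusts(leaf, trustCA, "legacy.contoso.com", now),
		"CA-issued, validity period expired": clientTrusts(leaf, trustCA, "mail.contoso.com", now.Add(48*time.Hour)),
	}, nil
}

func main() {
	results, err := scenarios()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		fmt.Printf("%-36s -> %v\n", name, verr)
	}
}
```

The two self-signed cases are the point of the section: the same certificate is rejected until a copy sits in the client's root store, and that copy has to be placed on every client by hand. The CA-issued cases show why a root that clients already hold removes that step, and the last two show that a trusted root alone is not enough if the name or the validity period is wrong.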

Windows public key infrastructure certificates

The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of digital certificates, certification authorities, and registration authorities (RAs) that verify and authenticate the validity of each party that's involved in an electronic transaction by using public key cryptography. When you implement a PKI in an organization that uses Active Directory, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Windows PKI-generated certificates. Certificate Services are required to deploy a Windows PKI and can be installed through Add Or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain. If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to your own servers or computers on your network. This enables you to use a PKI that resembles a third-party certificate vendor, but is less expensive. These PKI certificates can't be deployed publicly, as other types of certificates can be. However, when a PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The public key of this CA is part of the certificate. A server that has this certificate in the trusted root certificate store can use that public key to decrypt the requestor's certificate and authenticate the requestor. The steps for deploying a PKI-generated certificate resemble those required for deploying a self-signed certificate. You must still install a copy of the trusted root certificate from the PKI to the trusted root certificate store of the computers or mobile devices that you want to be able to establish an SSL connection to Microsoft Exchange. A Windows PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a Windows PKI on the internal network. The Windows PKI can renew or revoke certificates.

Trusted third-party certificates

Third-party or commercial certificates are certificates that are generated by a third-party or commercial CA and then purchased for you to use on your network servers. One problem with self-signed and PKI-based certificates is that, because the certificate is not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. Third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment. For larger organizations or organizations that must publicly deploy certificates, the best solution is to use a third-party or commercial certificate, even though there is a cost associated with the certificate. Commercial certificates may not be the best solution for small and medium-size organizations, and you might decide to use one of the other certificate options that are available.

Choosing a certificate type

When you choose the type of certificate to install, there are several things to consider. A certificate must be signed to be valid. It can be self-signed or signed by a CA. A self-signed certificate has limitations. For example, not all mobile devices let a user install a digital certificate in the trusted root certificate store. The ability to install certificates on a mobile device depends on the mobile device manufacturer and the mobile service provider. Some manufacturers and mobile service providers disable access to the trusted root certificate store. In this case, neither a self-signed certificate nor a certificate from a Windows PKI CA can be installed on the mobile device.

Default Exchange certificates

By default, Exchange installs a self-signed certificate on both the Client Access server and the Mailbox server so that all network communication is encrypted. Encrypting all network communication requires that every Exchange server have an X.509 certificate that it can use. You should replace this self-signed certificate on the Client Access server with one that is automatically trusted by your clients. "Self-signed" means that a certificate was created and signed only by the Exchange server itself. Because it wasn't created and signed by a generally trusted CA, the default self-signed certificate won't be trusted by any software except other Exchange servers in the same organization. The default certificate is enabled for all Exchange services. It has a subject alternative name (SAN) that corresponds to the server name of the Exchange server that it's installed on. It also has a list of SANs that include both the server name and the fully qualified domain name (FQDN) of the server. Although other Exchange servers in your Exchange organization trust this certificate automatically, clients like web browsers, Outlook clients, mobile phones, and other email clients in addition to external email servers won't automatically trust it. Therefore, consider replacing this certificate with a trusted third-party certificate on your Exchange Client Access servers. If you have your own internal PKI, and all your clients trust that entity, you can also use certificates that you issue yourself.

Certificate requirements by service

Certificates are used for several things in Exchange. Most customers also use certificates on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.

IIS

All the following Exchange services use the same certificate on a given Exchange Client Access server:

- Outlook Web App
- Exchange Administration Center (EAC)
- Exchange Web Services
- Exchange ActiveSync
- Outlook Anywhere
- Autodiscover
- Outlook Address Book distribution

Because only a single certificate can be associated with a website, and because all these services are offered under a single website by default, all the names that clients of these services use must be in the certificate (or fall under a wildcard name in the certificate).

POP/IMAP

Certificates that are used for POP or IMAP can be specified separately from the certificate that's used for IIS. However, to simplify administration, we recommend that you include the POP or IMAP service name in your IIS certificate and use a single certificate for all these services.

SMTP

A separate certificate can be used for each receive connector that you configure. The certificate must include the name that SMTP clients (or other SMTP servers) use to reach that connector. To simplify certificate management, consider including all names for which you have to support TLS traffic in a single certificate.

Digital certificates and proxying

Proxying is the method by which one server sends client connections to another server. In the case of Exchange 2013, this happens when the Client Access server proxies an incoming client request to the Mailbox server that contains the active copy of the client's mailbox. When Client Access servers proxy requests, SSL is used for encryption but not for authentication. The self-signed certificate on the Mailbox server encrypts the traffic between the Client Access server and the Mailbox server.

)e"erse 3ro ies an$ certi(icates

#any E change $e3loyments use re"erse 3ro ies to 3ublish E change ser"ices on the ,nternet1 )e"erse 3ro ies can be con(igure$ to terminate !!L encry3tion2 e amine the tra((ic in the clear on the ser"er2 an$ then o3en a ne0 !!L encry3tion channel (rom the re"erse 3ro y ser"ers to the E change ser"ers behin$ them1 This is -no0n as !!L bri$ging1 &nother 0ay to con(igure the re"erse 3ro y ser"ers is to let the !!L connections 3ass straight through to the E change ser"ers behin$ the re"erse 3ro y ser"ers1 6ith either $e3loyment mo$el2 the clients on the ,nternet connect to the re"erse 3ro y ser"er using a host name (or E change access2 such as mail1contoso1com1 Then the re"erse 3ro y ser"er connects to E change using a $i((erent host name2 such as the machine name o( the E change %lient &ccess ser"er1 >ou $on5t ha"e to inclu$e the machine name o( the E change %lient &ccess ser"er on your certi(icate because most common re"erse 3ro y ser"ers are able to match the original host name that5s use$ by the client to the internal host name o( the E change %lient &ccess ser"er1

SSL and split DNS

Split DNS is a technology that allows you to configure different IP addresses for the same host name, depending on where the originating DNS request came from. This is also known as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the number of host names that you must manage for Exchange by allowing your clients to connect to Exchange through the same host name whether they're connecting from the Internet or from the intranet. Split DNS allows requests that originate from the intranet to receive a different IP address than requests that originate from the Internet. Split DNS is usually unnecessary in a small Exchange deployment because users can access the same DNS endpoint whether they're coming from the intranet or the Internet. However, with larger deployments, this configuration will result in too high of a load on your outgoing Internet proxy server and your reverse proxy server. For larger deployments, configure split DNS so that, for example, external users access mail.contoso.com and internal users access internal.contoso.com. Using split DNS for this configuration ensures that your users won't have to remember to use different host names depending on where they're located.

Remote Windows PowerShell

Kerberos authentication and Kerberos encryption are used for remote Windows PowerShell access, from both the Exchange Administration Center (EAC) and the Exchange Management Shell. Therefore, you won't have to configure your SSL certificates for use with remote Windows PowerShell.

Digital certificates best practices

Although the configuration of your organization's digital certificates will vary based on its specific needs, information about best practices has been included to help you choose the digital certificate configuration that's right for you.

Best practice: Use a trusted third-party certificate

To prevent clients from receiving errors regarding untrusted certificates, the certificate that's used by your Exchange server must be issued by someone that the client trusts. Although most clients can be configured to trust any certificate or certificate issuer, it's simpler to use a trusted third-party certificate on your Exchange server. This is because most clients already trust their root certificates. There are several third-party certificate issuers that offer certificates configured specifically for Exchange. You can use the EAC to generate certificate requests that work with most certificate issuers.

How to select a certification authority

A certification authority (CA) is a company that issues and ensures the validity of certificates. Client software (for example, browsers such as Microsoft Internet Explorer, or operating systems such as Windows or Mac OS) have a built-in list of CAs they trust. This list can usually be configured to add and remove CAs, but that configuration is often cumbersome. Use the following criteria when you select a CA to buy your certificates from:

- Ensure the CA is trusted by the client software (operating systems, browsers, and mobile phones) that will connect to your Exchange servers.
- Choose a CA that says it supports "Unified Communications certificates" for use with Exchange server.
- Make sure that the CA supports the kinds of certificates that you'll use. Consider using subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other CAs don't support as many host names as you might need.
- Make sure that the license you buy for the certificates allows you to put the certificate on the number of servers that you intend to use. Some CAs only allow you to put a certificate on one server.
- Compare certificate prices between CAs.

Best practice: Use SAN certificates

Depending on how you configure the service names in your Exchange deployment, your Exchange server may require a certificate that can represent multiple domain names. Although a wildcard certificate, such as one for *.contoso.com, can resolve this problem, many customers are uncomfortable with the security implications of maintaining a certificate that can be used for any subdomain. A more secure alternative is to list each of the required domains as SANs in the certificate. By default, this approach is used when certificate requests are generated by Exchange.

Best practice: Use the Exchange certificate wizard to request certificates

There are many services in Exchange that use certificates. A common error when requesting certificates is to make the request without including the correct set of service names. The certificate wizard in the Exchange Administration Center will help you include the correct list of names in the certificate request. The wizard lets you specify which services the certificate has to work with and, based on the services selected, includes the names that you must have in the certificate so that it can be used with those services. Run the certificate wizard when you've deployed your initial set of Exchange 2013 servers and determined which host names to use for the different services for your deployment. Ideally you'll only have to run the certificate wizard one time for each Active Directory site where you deploy Exchange. Instead of worrying about forgetting a host name in the SAN list of the certificate that you purchase, you can use a certification authority that offers, at no charge, a grace period during which you can return a certificate and request the same new certificate with a few additional host names.
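An added example in Go with the standard library (not the Exchange certificate wizard and not any Exchange code) that does the wizard's job for the names discussed under "Certificate requirements by service" and "Use SAN certificates": it derives the host name set from a service-to-host map, generates a certificate request that lists every name as a DNS subject alternative name, and checks the request back against the set before it goes to the CA. The same check is then run against a single-name certificate and a wildcard certificate, which shows both why the wildcard "solves" the problem and why it also matches names you never planned to serve. The service map, the Contoso host names and the Organization value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"sort"
)

// serviceHosts maps each client-facing service to the host name its clients
// use, following the Contoso names in this article. Constructed for this
// example; a real deployment takes these from its own namespace plan.
var serviceHosts = map[string]string{
	"Outlook Web App":        "mail.contoso.com",
	"Outlook Anywhere":       "mail.contoso.com",
	"Exchange ActiveSync":    "mail.contoso.com",
	"Exchange Web Services":  "mail.contoso.com",
	"Offline Address Book":   "mail.contoso.com",
	"POP3 / IMAP4":           "mail.contoso.com",
	"SMTP receive connector": "mail.contoso.com",
	"Autodiscover":           "autodiscover.contoso.com",
	"Legacy coexistence":     "legacy.contoso.com",
}

// requiredNames returns the sorted, de-duplicated set of host names one
// certificate must carry to cover every service above. Individual server
// names are deliberately absent, as the article recommends.
func requiredNames() []string {
	seen := map[string]bool{}
	for _, h := range serviceHosts {
		seen[h] = true
	}
	names := make([]string, 0, len(seen))
	for h := range seen {
		names = append(names, h)
	}
	sort.Strings(names)
	return names
}

// buildRequest generates a private key and a PKCS#10 request whose DNS
// subject alternative names are exactly the required host names. The DER
// bytes are what you would hand to the CA.
func buildRequest(cn string, names []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{"Contoso"}},
		DNSNames: names,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// missingNames reports which required host names a certificate carrying sans
// would fail to match, using the rule a TLS client applies: an exact match,
// or a wildcard whose "*" stands for exactly one DNS label.
func missingNames(sans, required []string) []string {
	cert := &x509.Certificate{DNSNames: sans}
	var missing []string
	for _, h := range required {
		if cert.VerifyHostname(h) != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

// checkRequest parses a request back, confirms its self-signature, and
// returns the required names it does not cover, so a forgotten name is
// caught before the request leaves for the CA.
func checkRequest(der []byte, required []string) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return missingNames(csr.DNSNames, required), nil
}

func main() {
	required := requiredNames()
	der, _, err := buildRequest("mail.contoso.com", required)
	if err != nil {
		panic(err)
	}
	missing, err := checkRequest(der, required)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN request, missing names:", missing)
	fmt.Println("single-name certificate, missing:", missingNames([]string{"mail.contoso.com"}, required))
	fmt.Println("wildcard certificate, missing:", missingNames([]string{"*.contoso.com"}, required))
	// The wildcard also matches any host you never planned to serve, which is
	// the concern the article raises, but it does not reach two labels deep.
	fmt.Println("wildcard vs unplanned names, missing:",
		missingNames([]string{"*.contoso.com"}, []string{"anything.contoso.com", "mail.eu.contoso.com"}))
}
```

Feeding the request with the host name set rather than typing names by hand is the point: the set is derived from the services you actually publish, so a service that is added later changes the map, and the check fails loudly if the request no longer covers every name.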

Best practice: Use as few host names as possible

In addition to using as few certificates as possible, you should also use as few host names as possible. This practice can save money. Many certificate providers charge a fee based on the number of host names you add to your certificate. The most important step you can take to reduce the number of host names that you must have and, therefore, the complexity of your certificate management, is not to include individual server host names in your certificate's subject alternative names.

The host names you must include in your Exchange certificates are the host names used by client applications to connect to Exchange. The following is a list of typical host names that would be required for a company named Contoso:

- Mail.contoso.com: This host name covers most connections to Exchange, including Microsoft Outlook, Outlook Web App, Outlook Anywhere, the Offline Address Book, Exchange Web Services, POP3, IMAP4, SMTP, Exchange Control Panel, and ActiveSync.
- Autodiscover.contoso.com: This host name is used by clients that support Autodiscover, including Microsoft Office Outlook 2007 and later versions, Exchange ActiveSync, and Exchange Web Services clients.
- Legacy.contoso.com: This host name is required in a coexistence scenario with Exchange Server 2003 or Exchange 2007. If you'll have clients with mailboxes on either Exchange Server 2003 or Exchange 2007 and Exchange 2013, configuring a legacy host name prevents your users from
