Certificate for Exchange 2013

Hi,
Do I need to import the certificate on Mailbox servers?

Agree with Adam. You can go through the article series below on managing certificates in Exchange 2013.
Managing Certificates in Exchange Server 2013 (Part 1)
Also check below...
---- One key difference between Exchange 2010 and Exchange 2013 is that the certificates that are used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates that you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server. ----
Exchange 2013 certificate management UI

Similar Messages

  • Best practices for buying a digital certificate for Exchange 2013

    Good day friends,
    Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013?
    I'd be interested in knowing your opinion about using wildcard or SAN certificates.
    Likewise, what are the best recommendations for including names, and why should they or should they not include the internal FQDN of my servers?
    Currently I have an infrastructure that has two Mailbox servers, two CAS servers and an EDGE 2010 server, but I'm planning to update it to Exchange 2013.
    I searched for the best practices according to Microsoft but have found little information.
    I would appreciate it if you could post links, like Microsoft KBs and other technical documents, that discuss the above.
    Thank you for your invaluable support.
    Greetings.

    Hi,
    Personal suggestion, we can use two namespaces for your Exchange 2013:
    Autodiscover.domain.com (Used for autodiscover service)
    Mail.domain.com (used for all Exchange services external and internal URLs)
    Please point mail.domain.com and autodiscover.domain.com to your Internet-facing CAS 2013.
    For more information about Digital Certificates and SSL in Exchange 2013, please refer to the Digital Certificates Best Practices part in the following TechNet article:
    http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
    Additionally, here are some other scenarios about certificate planning in Exchange 2013:
    http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Using an SSL certificate for Exchange 2013

    Hi,
    I am not sure if this is the correct forum to post this question in.
    Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing/reverse proxy or etc. inside or outside.
    We use an alias of mail.domain.com to connect to OWA/ActiveSync etc. from the Internet. This alias would point to mail1.domain.com, which is the IP of the first Exchange 2013 server.
    If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com, which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually) and email would continue.
    I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
    My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and SAN of mail.domain.com OR do I request one certificate with mail.domain.com as the primary host and SAN of mail1.domain.com and mail2.domain.com (and install the one certificate on both servers)?
    I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
    I hope that makes some sense and appreciate any help people can offer.
    Thanks!

    You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings.  You will want autodiscover.domain.com, however.
    Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally.  For internal Outlook Anywhere, use a name that you don't publish to the Internet. 
    For example, use mail.domain.com for everything except internal Outlook Anywhere, use mailinternal.domain.com.  Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
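
The naming advice in this thread can be checked mechanically. The following is an added example, not code from the posters or from Microsoft: a PowerShell function (the name Test-CertificateNameCoverage and the sample lists are assumptions, constructed for illustration) that reports which client-facing names a certificate's SAN list does not cover, treating a wildcard entry as matching exactly one left-most label.

```powershell
# Added example. On an Exchange server the SAN list would come from the
# CertificateDomains property of Get-ExchangeCertificate output; here the
# lists are constructed sample values so the function runs anywhere.
function Test-CertificateNameCoverage {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CertificateDomains,
        [Parameter(Mandatory = $true)] [string[]] $RequiredNames
    )

    foreach ($name in $RequiredNames) {
        $n = $name.ToLowerInvariant()
        $matchedBy = $null

        foreach ($entry in $CertificateDomains) {
            $e = $entry.ToLowerInvariant()

            # Exact host name match.
            if ($e -eq $n) { $matchedBy = $entry; break }

            # Wildcard entry: "*.domain.com" covers "mail.domain.com" but
            # neither "domain.com" nor "ps.wps.domain.com".
            if ($e.StartsWith('*.')) {
                $suffix = $e.Substring(1)            # ".domain.com"
                if ($n.EndsWith($suffix)) {
                    $left = $n.Substring(0, $n.Length - $suffix.Length)
                    if ($left.Length -gt 0 -and -not $left.Contains('.')) {
                        $matchedBy = $entry
                        break
                    }
                }
            }
        }

        [pscustomobject]@{
            Name      = $name
            Covered   = [bool]$matchedBy
            MatchedBy = $matchedBy
        }
    }
}

# Constructed sample 1: a SAN certificate that predates the split
# internal/external Outlook Anywhere names suggested above.
$sanCertificate = 'mail.domain.com', 'autodiscover.domain.com'
$namesInUse     = 'mail.domain.com', 'mailinternal.domain.com', 'autodiscover.domain.com'
Test-CertificateNameCoverage -CertificateDomains $sanCertificate -RequiredNames $namesInUse |
    Format-Table -AutoSize
# mailinternal.domain.com is reported with Covered = False.

# Constructed sample 2: a wildcard certificate and a two-label host name.
$wildcardCertificate = @('*.domain.com')
$wildcardNames       = 'mail.domain.com', 'ps.wps.domain.com', 'domain.com'
Test-CertificateNameCoverage -CertificateDomains $wildcardCertificate -RequiredNames $wildcardNames |
    Format-Table -AutoSize
# Only mail.domain.com is reported with Covered = True.
```
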

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
    Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
    Q1) Is Windows CA capable of issuing wildcard certificates?
    Q2) If Q1=yes then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click Certificate error in IE to view the details about the error. If the error is related to an untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in the Trusted Root certificate store by following this KB:
    http://support2.microsoft.com/kb/2006728
    If the certificate error is related to a mismatch issue, please confirm if this certificate is assigned to the IIS service. If not, please enable it for the IIS service and restart the IIS service to have a try. To double check the Exchange certificate, we can run the following command:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • Configuring CA Certificate for Exchange 2013

    Hello,
    I have two Exchange 2013 servers running both CAS and MB roles which are also part of a DAG. To secure mail flow in and out of my organization, I am planning to implement a reverse proxy in my DMZ. I can easily access my OWA using my DAG name. I wonder if I can configure my reverse proxy machine to access the cluster name/IP. I am also confused about configuring the certificate. Which one of my machines should be used to create the CSR?
    Pooriya Aghaalitari

    Hey David,
    I just got to learn about this after I sent the post. So I can create the certificate and import/export to other servers right? Thanks a lot man.
    Regards,
    Pooriya
    Pooriya Aghaalitari
    Yes. In fact, you want to make sure all the certs applied to the CAS are the same (same thumbprint).

  • Self Signed Certificate for Exchange 2013

     
    What's the draw back for using self sign certificate in production enviroment

    Hi,
    Based on my research, here are the disadvantages of self-signed certificates:
    1. The certificates aren't trusted by other applications/operating systems. This may lead to authentication errors etc.
    Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certification Authorities. However, using this workaround may lead to additional time needed for management and troubleshooting.
    2. Self-signed certificates' lifetime is usually 1 year. Before the year has ended, the certificate may need to be renewed/replaced.
    3. Self-signed certificates may use low hash and cipher technologies. Due to this, the security level implemented by self-signed certificates may not satisfy the current security policy etc.
    4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. online checking of the revocation list etc.).
    5. Most of the advanced features of the server-side applications require implementing a PKI (Public Key Infrastructure). By this, self-signed certificates' advantages can't be used.
    For more information, you can refer to the following article:
    http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
    Thanks,
    Angela Shi
    TechNet Community Support

  • Certificate Authority for Exchange 2013

    Dear,
    I will install Exchange 2013; do I also need to install the Certificate Authority role?
    If it is necessary to install this CA, should it simply be combined with the AD DS server, the Exchange server, or be on a separate server?
    Thanks

    Hi,
    As all above say, Exchange 2013 can use the self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would not be trusted for Exchange use.
    If your Exchange 2013 is not Internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the Internet and send/receive external mail, we need to have a valid and trusted certificate for Exchange use.
    To get a trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate.
    About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a Root Certification Authority, please refer to:
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Revocation checked failed status in Certificate on Exchange 2013

    Hi,
    We got an error on the certificate that we got from GoDaddy for Exchange 2013, which was working fine earlier, but now we are getting an error on the status that Revocation check failed, and because of that users are getting a certificate error in Outlook.
    Please suggest how to fix this issue.

    We've had this error before, and it was solved by configuring the proxy settings.
    > via netsh winhttp set proxy
    > set-exchangeserver InternetWebProxy setting (don't know if still applicable in Exchange2013)
    > iexplorer proxy settings
    PS: You can also check the CRL location when you take a look into the properties of the certificate (CRL distribution points).

  • Configuring Lync Server 2013 to be a partner Application for Exchange 2013

    Hello Guys,
    I just want to share my experience while configuring Lync Server 2013 to be a partner application for Exchange 2013 server.
    As mentioned on TechNet, you need to run the Configure-EnterprisePartnerApplication.ps1 script that ships with Exchange 2013.
    But when I tried to run the script as described in the TechNet article, I found it always fails with "the accepted domain is not valid".
    I have checked my accepted domains many times and I found that there are no issues with my configured accepted domain.
    So I started to review the script to find the issue and I found that the script was configured as below:
    $acceptedDomains = Get-AcceptedDomain;
    if ($acceptedDomains -eq $null) {
        WriteError ("There is no accepted domain so user can not be created.")
    }
    # Uses the Name (display label) of the first accepted domain returned
    $acceptedDomain = $acceptedDomains[0].Name;
    if ($UseDomainController -eq $true) {
        $user = New-MailUser -Name $username -DomainController $DomainController -ExternalEmailAddress $username@$acceptedDomain;
        Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $true -DomainController $DomainController
    }
    else {
        $user = New-MailUser -Name $username -ExternalEmailAddress $username@$acceptedDomain;
        Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $true;
    }
    which is totally wrong, as below:
    Firstly, it makes the $AcceptedDomain variable equal to the Name of the accepted domain.
    Not all customers configure the name of the Accepted Domain to be the Domain Name.
    Secondly, it makes the $AcceptedDomain variable equal to the name of the first Accepted Domain.
    The first domain may not be the default Accepted Domain.
    So I have configured the script as below:
    # Select only the default accepted domain
    $acceptedDomains = Get-AcceptedDomain | Where-Object { $_.Default -eq $true };
    if ($acceptedDomains -eq $null) {
        WriteError ("There is no accepted domain so user can not be created.")
    }
    # Use the SMTP domain name rather than the display label
    $acceptedDomain = $acceptedDomains.DomainName;
    if ($UseDomainController -eq $true) {
        $user = New-MailUser -Name $username -DomainController $DomainController -ExternalEmailAddress $username@$acceptedDomain;
        Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $true -DomainController $DomainController
    }
    else {
        $user = New-MailUser -Name $username -ExternalEmailAddress $username@$acceptedDomain;
        Set-MailUser -Identity $user.Identity -HiddenFromAddressListsEnabled $true;
    }
    I hope this helps.
    Thanks 
    Ahmed Fouad

    Hi,
    This is helpful, thanks for sharing.
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Is smb 3.0 already supported for exchange 2013

    Hello,
    We are looking to deploy exchange 2013. We have a netapp storage and vmware environment.
    I was wondering if smb 3.0 is already supported for exchange 2013. I read in a blog of 2012 that it wasn't supported at the time. We would like to use it instead of a iscsi lun.

    Hi,
    Based on my knowledge, it is still not supported for Exchange 2013 up to now.
    Here is an article for your reference, please refer to the "Exchange storage requirements" section.
    Exchange 2013 Virtualization
    http://technet.microsoft.com/en-us/library/jj619301.aspx#BKMK_Prereq
    Another related article for your reference.
    Exchange 2013 Storage Configuration Options
    http://technet.microsoft.com/en-us/library/ee832792(v=exchg.150).aspx
    Best regards,
    Belinda
    Belinda Ma
    TechNet Community Support

  • Is there an alternative to the Test-SystemHealth PowerShell cmdlet for Exchange 2013?

    Hello
    The Powershell cmdlet Test-SystemHealth, that was available on Exchange 2010, is no longer available on Exchange 2013.
    Test-SystemHealth cmdlet gathered data about the Microsoft Exchange system and analyzed the data according to best practices.
    Are there any alternatives to this for Exchange 2013?
    Thanks!

    Haven't really played with it too much, but check out Get-ServerHealth
    http://technet.microsoft.com/en-us/library/jj218703(v=exchg.150).aspx
    Looks to have replaced Test-SystemHealth.

  • SP1 for Exchange 2013 install fails with ECP virtual directory issues and now transport service won't start and mail is unavailable

    SP1 for Exchange 2013 install failed on me with ECP virtual directory issues:
    Error:
    The following error was generated when "$error.Clear();
              $BEVdirIdentity = $RoleNetBIOSName + "\ecp (name)";
              $be = get-EcpVirtualDirectory -ShowMailboxVirtualDirectories -Identity $BEVdirIdentity -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              if ($be -eq $null)
              new-EcpVirtualDirectory -Role Mailbox -WebSiteName "name" -DomainController $RoleDomainController;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -FormsAuthentication:$false -WindowsAuthentication:$true;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -InternalUrl $null -ExternalUrl $null;
              . "$RoleInstallPath\Scripts\Update-AppPoolManagedFrameworkVersion.ps1" -AppPoolName:"MSExchangeECPAppPool" -Version:"v4.0";
            " was run: "The virtual directory 'ecp' already exists under 'server/name'.
    Parameter name: VirtualDirectoryName".
    Error:
    The following error was generated when "$error.Clear();
              $BEVdirIdentity = $RoleNetBIOSName + "\ECP (name)";
              $be = get-EcpVirtualDirectory -ShowMailboxVirtualDirectories -Identity $BEVdirIdentity -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              if ($be -eq $null)
              new-EcpVirtualDirectory -Role Mailbox -WebSiteName "name" -DomainController $RoleDomainController;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -FormsAuthentication:$false -WindowsAuthentication:$true;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -InternalUrl $null -ExternalUrl $null;
              . "$RoleInstallPath\Scripts\Update-AppPoolManagedFrameworkVersion.ps1" -AppPoolName:"MSExchangeECPAppPool" -Version:"v4.0";
            " was run: "The operation couldn't be performed because object 'server\ECP (name)' couldn't be found on 'DC0xx.domain.com'.".
    Error:
    The following error was generated when "$error.Clear();
              $BEVdirIdentity = $RoleNetBIOSName + "\ECP (name)";
              $be = get-EcpVirtualDirectory -ShowMailboxVirtualDirectories -Identity $BEVdirIdentity -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              if ($be -eq $null)
              new-EcpVirtualDirectory -Role Mailbox -WebSiteName "name" -DomainController $RoleDomainController;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -FormsAuthentication:$false -WindowsAuthentication:$true;
              set-EcpVirtualdirectory -Identity $BEVdirIdentity -InternalUrl $null -ExternalUrl $null;
              . "$RoleInstallPath\Scripts\Update-AppPoolManagedFrameworkVersion.ps1" -AppPoolName:"MSExchangeECPAppPool" -Version:"v4.0";
            " was run: "The operation couldn't be performed because object 'server\ECP (name)' couldn't be found on 'DC0xx.domain.com'.".
    !! And now transport service won't start and mail is unavailable !!
    Any help would be appreciated.
    I have removed the ecp site from default site and attempting to rerun SP1 now. I do not have high hopes. :(

    Hi,
    Thanks for your response.
    From the error description, you need to manually remove the ECP with IIS manager in both the Default Web Site and the Exchange Back End firstly. And then continue the upgrade to check the result.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Best Practice Analyzer for Exchange 2013

    Greetings,
    I have upgraded the messaging infrastructure from Exchange 2007 to Exchange 2013.
    I want to test the Health of the system through ExBPA for Exchange 2013.
    But I don't find any setup for Exchange 2013 like there was in 2010.
    I went through an article by the Office 365 community, according to which, for on-premises Exchange as well, we need to have an Office 365 account (a trial account can also be used) to get the downloader file for ExBPA 2013.
    http://community.office365.com/en-us/w/deploy/office-365-best-practices-analyzer-for-exchange-server-2013.aspx
    But to run the setup the servers need to be connected to the Internet.
    And I don't want to expose my environment to the Internet under any condition.
    Somebody, please suggest if there is any setup available so that I can install directly without exposing it to the Internet.
    Thanks in advance.
    Best Regards,
    K2

    Welcome to Exchange 2013.
    Exchange Server 2013 doesn't come with ExBPA for health check. This might help
    http://exchangeserverpro.com/powershell-script-health-check-report-exchange-2010/
    Apart from that you can run these commands too
    Get-ServerHealth -Identity Exchange2013ServerName
    Test-ServiceHealth
    Cheers,
    Gulab Prasad
    Technology Consultant

  • EXMON "exchange server user monitor" for Exchange 2013?

    Hello,
    It looks like EXMON is not supported for Exchange 2013. Is this correct, or can I use it with Server 2012 R2 and Exchange 2013 (CU6++)?
    Is there any alternative to check a high log growth rate to see which user is responsible for it?
    Thanks for Feedback.
    best,
    Martin

    Hi Martin,
    Yes, ExMon is not supported for Exchange 2013.
    Apart from the suggestion above, here is an exclusive application for your reference. It can retrieve statistics for all or selected mailboxes in a specified database and server, and it may give you some help:
    Exchange Server Mailbox Statistics Tool - v1.6.2
    The tool retrieves mailbox statistics which include Folder Count, Total Items, Associated Items, Deleted Items, Total Items Size, Deleted Items Size, Oldest Item Date, Newest Item Date, Items Age, Mailbox Age and Quota details. It also includes an additional option named "Archive Statistics Planner" which will let you search mailboxes and provide a statistics report with specific dates.
    Best regards,
    Niko Cheng
    TechNet Community Support

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through the New-exchangecertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048'
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the algorithm type (Secure Hash Algorithm (SHA)) to generate the request. Personal opinion, we can create the certificate signing request using the Certificates MMC and then creating a custom request as follows:
    1. Open MMC.exe. Click File > Add/Remove snap in…
    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
    5. Click Next > Proceed without enrollment policy > Next > Next.
    6. In Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to sha256.
    9. Click OK > Next. Fill in File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support
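
The question in this thread asks for a certreq equivalent of the request. The following is an added example, not code from either poster: a PowerShell script that writes a certreq policy file with `HashAlgorithm = sha256` and the SAN list from the question, then generates the request. The file names and the use of `$env:TEMP` are assumptions; it must run in an elevated prompt because the key is created in the machine store.

```powershell
# Added example: SHA256 SAN request with certreq.exe instead of
# New-ExchangeCertificate. Subject and host names are the placeholders
# used in the question; output paths are assumptions.
$names = @(
    'mail.domain.com', 'exchange.wps.domain.com', 'webmail.domain.com',
    'ews.domain.com', 'as.domain.com', 'oa.domain.com', 'oab.domain.com',
    'ps.wps.domain.com', 'autodiscover.domain.com'
)

# One "_continue_" line per DNS name in the Subject Alternative Name
# extension (OID 2.5.29.17).
$sanLines = ($names | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=mail.domain.com,OU=dddd,O=cccc,L=bbbb,S=aaaa,C=NL"
FriendlyName = "mail.domain.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath = Join-Path $env:TEMP 'exchange-sha256.inf'
$reqPath = Join-Path $env:TEMP 'exchange-sha256.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the key pair in the local machine store and write the PKCS#10 request.
certreq.exe -new $infPath $reqPath

# Confirm the request is signed with SHA256 and carries every DNS name
# before it is sent to the certification authority.
certutil.exe -dump $reqPath | Select-String 'sha256|DNS Name'
```

The private key stays on the machine where the request was generated, so the issued certificate has to be completed there (`certreq -accept`) before it is exported to other servers.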
