Ssl
Content
Home Home Online Online 2013 2013 2010 2010 Other Versions Versions Library Library Forums Forums Gallery Gallery EHLO Blog
TechNet Library Library Echange Echange !er"er 2013 #ailbo an$ %lient &ccess !er"ers %lient &ccess !er"er
Digital Certificates and SSL %reate a 'igital %erti(icat %erti(icate e )e*uest Echange 2013 %erti(icate #anagement +,
'igital %erti(icates an$ !!L Other Versions !ecure !oc-ets Layer .!!L/ is a metho$ (or securing communications beteen a client an$ a ser"er For Echange !er"er 2013 !!L is use$ to hel secure communications communications beteen the ser"er an$ clients %lients inclu$e mobile hones comuters insi$e an organi4a organi4ation5s tion5s netor- an$ comuters outsi$e an organi4ation5s netor- By $e(ault hen you install Echange 2013 client communications are encryte$ using !!L hen you use Outloo- 6eb & Echange &cti"e!ync an$ Outloo- &nyhere !!L re*uires you to use $igital certi(icates This toic summari4es the $i((erent tyes o( $igital certi(icates certi(icates an$ in(ormation about ho to con(igure Echange 2013 to use these tyes o( $igital certi(icates Contents O"er"ie o( $igital certi(icates 'igital certi(icates an$ roying 'igital certi(icates best ractices
O"er"ie o( $igital certi(icates 'igital certi(icates are electronic electronic (iles that or- li-e an online assor$ to "eri(y the i$entity o( a user or a comuter They5re use$ to create the !!L encryte$ channel that5s use$ (or client communications & certi(icate is a $igital statement that5s issue$ by a certi(ication authority .%&/ that "ouches (or the i$entity o( the certi(icate hol$er an$ enables the arties to communicate in a secure manner using encrytion 'igital certi(icates $o the (olloing7 They authenticate authenticate that their their hol$ers8eole hol$ers8eole ebsites ebsites an$ e"en e"en netor- resources resources such such as routers8are routers8ar e truly ho or hat they claim to be They rotect $ata $ata that5s echange$ echange$ online (rom the(t or tamering tamering 'igital certi(icates can be issue$ by a truste$ thir$9arty %& or a 6in$os ublic -ey in(rastructure in(rastru cture .:;,/ using %erti(icate !er"ices or they can be sel(9signe$ Each tye o( certi(icate has a$"antages an$ $isa$"antages Each tye o( $igital certi(icate is tamer9 roo( an$ can5t be (orge$ %erti(icates can be issue$ (or se"eral uses These uses inclu$e eb user authentication eb ser"er authentication !ecure<#ultiurose !ecure<#ultiurose ,nternet #ail Etensions .!<#,#E/ ,nternet :rotocol security .,:sec/ Transort Layer !ecurity .TL!/ an$ co$e signing
& certi(icate contains a ublic -ey an$ attaches that ublic -ey to the i$entity o( a erson comuter or ser"ice that hol$s the correson$ing ri"ate -ey The ublic an$ ri"ate -eys are use$ by the client an$ the ser"er to encryt the $ata be(ore it5s transmitte$ For 6in$os9base$ 6in$os9ba se$ users comuters an$ ser"ices trust in a %& is establishe$ hen there5s a coy o( the root certi(icate in the truste$ root certi(icate store an$ the certi(icate contains contains a "ali$ certi(ication ath For the certi(icate to be "ali$ the certi(icate must not ha"e been re"o-e$ an$ the "ali$ity erio$ must not ha"e eire$
Tyes o( certi(icates certi(icates There are three rimary rimary tyes o( $igital $igital certi(icates7 certi(icates7 sel(9signe$ sel(9signe$ certi(icates certi(icates 6in$os 6in$os :;,9 generate$ certi(icates an$ thir$9arty certi(icates
!el(9signe$ certi(icates 6hen you install Echange 2013 a sel(9signe$ certi(icate certi(icate is automatically con(igure$ on the #ailbo ser"ers & sel(9signe$ certi(icate certi(icate is signe$ by the alication that create$ it The sub=ect an$ the name o( the certi(icate match The issuer an$ the sub=ect are $e(ine$ on the certi(icate This sel(9signe$ sel(9signe$ certi(icate is use$ to encryt communications communications beteen the %lient &ccess ser"er an$ the #ailbo ser"er The %lient &ccess ser"er trusts the sel(9signe$ certi(icate on the #ailbo ser"er automatically so no thir$9arty certi(icate is nee$e$ on the #ailbo ser"er 6hen you install Echange 2013 a sel(9signe$ certi(icate certi(icate is also create$ on the &ccess ser"er This sel(9signe$ certi(icate ill some client to use !!L %lient (or their communications Echange &cti"e!ync Echange an$allo Outloo6eb &rotocols can establish an !!L connection by using a sel(9signe$ certi(icate Outloo- &nyhere on5t or- ith a sel(9 signe$ certi(icate on the %lient &ccess ser"er !el(9signe$ certi(icates must be manually coie$ to the truste$ root certi(icate store on the client comuter or mobile $e"ice 6hen a client connects to a ser"er o"er !!L an$ the ser"er resents a sel(9signe$ certi(icate the client ill be romte$ to "eri(y that the certi(icate as issue$ by a truste$ authority The client must elicitly trust the issuing authority ,( the client con(irms the trust then !!L communications communication s can continue Note:
By default, the digital certificate installed on the Mailbox server or o r servers is a self-signed certificate. You don’t need to replace the self-signed certificate on the Mailbox servers in your organization with a trusted third-party certificate. The lient !ccess server auto"atically trusts the self-signed certificate on the Mailbox server and no other configuration is needed for certificates on the Mailbox server. Fre*uently small organi4ations $eci$e not to use a thir$9arty certi(icate or not to install Fre*uently their on :;, to issue their on certi(icates They might ma-e this $ecision because those solutions are too eensi"e because their a$ministrators lac- the eerience an$ -nole$ge to create their on certi(icate hierarchy or (or both reasons The cost is minimal an$ the setu is simle hen you use sel(9signe$ certi(icates Hoe"er it5s much more $i((icult to establish an in(rastructure (or certi(icate li(e9cycle management reneal trust management an$ re"ocation hen you use sel(9signe$ certi(icates
6in$os ublic -ey in(rastructure certi(icates
The secon$ tye tye o( certi(icate certi(icate is a 6in$os 6in$os :;,9generate$ :;,9generate$ certi(icate certi(icate & :;, is a system o( $igital certi(icates certi(ication certi(ication authorities an$ registration authorities .)&s/ that "eri(y an$ authenticate the "ali$ity o( each arty that5s in"ol"e$ in an electronic transaction by using ublic -ey crytograhy 6hen you imlement a :;, in an organi4ati organi4ation on that uses &cti"e 'irectory you ro"i$e an in(rastruc in(rastructure ture (or certi(icate li(e9cycle li(e9cycle management reneal trust management an$ re"ocation Hoe"er there is some a$$itional cost in"ol"e$ in $eloying ser"ers an$ in(rastructure to create an$ manage 6in$os :;,9generate$ certi(icates %erti(icate !er"ices !er"ices are re*uire$ to $eloy a 6in$os :;, an$ can be installe$ through Add Or Remove Programs in Programs in %ontrol :anel >ou can install %erti(icate !er"ices on any ser"er in the $omain ,( you obtain certi(icates (rom a $omain9=oine$ 6in$os %& you can use the %& to re*uest or sign certi(icates to issue to your on ser"ers or comuters on your netor- This enables you to use a :;, that resembles a thir$9arty certi(icate "en$or but is less eensi"e These :;, certi(icates can5t be $eloye$ ublicly as other tyes o( certi(icates can be Hoe"er hen a :;, %& signs the re*uestor5s certi(icate by using the ri"ate -ey the re*uestor is "eri(ie$ The ublic -ey o( this %& is art o( the certi(icate & ser"er that has this certi(icate certi(icate in the truste$ root certi(icate store can use that ublic -ey to $ecryt the re*uestor5s certi(icate an$ authenticate the re*uestor The stes (or $eloying a :;,9generate :;,9generate$ $ certi(icate certi(icate resemble those re*uire$ re*uire$ (or $eloying a sel(9signe$ certi(icate certi(icate >ou must still install a coy o( the truste$ root certi(icate (rom the :;, to the truste$ root certi(icate store o( the comuters or mobile $e"ices that you ant to be able to establish an !!L connection to #icroso(t Echange & 6in$os :;, enables organi4ations to ublish their on certi(icates %lients can re*uest an$ recei"e certi(icates (rom a 6in$os :;, on the internal netor- The 6in$os :;, can rene or re"o-e certi(icates certi(icates
Truste$ thir$9arty thir$9arty certi(icates Thir$9arty or commercial certi(icates certi(icates are certi(icates certi(icates that that are generate$ generate$ by a thir$9arty thir$9arty or commercial %& an$ then urchase$ (or you to use on your netor- ser"ers One roblem ith sel(9signe$ an$ :;,9base$ certi(icates is that because the certi(icate is not automatically automatical ly truste$ by the client comuter or mobile $e"ice you must ma-e sure that you imort the certi(icate into the truste$ root certi(icate store on client comuters an$ $e"ices Thir$9arty or commercial certi(icates certi(icates $o not ha"e this this roblem #ost #ost commercial commercial %& certi(icates are alrea$y truste$ because the certi(icate alrea$y resi$es in the truste$ root certi(icate store Because Because the issuer is truste$ the certi(icate is also truste$ +sing thir$9 arty certi(icates greatly simli(ies $eloyment For larger organi4ations or organi4ations that must ublicly $eloy certi(icates the best solution is to use a thir$9arty or commercial commercial certi(icate e"en though there is a cost associate$ ith the certi(icate %ommercial %ommercial certi(icates may not be the best solution (or small an$ me$ium9si4e organi4ations organi4ations an$ you might $eci$e to use one o( the other certi(icate otions that are a"ailable )eturn to to
%hoosing a certi(icate tye 6hen you choose the tye o( certi(icate to install there are se"eral se"eral things to consi$er & certi(icate must be signe$ to be "ali$ ,t can be sel(9signe$ or signe$ by a %& & sel(9signe$ certi(icate limitations Forcerti(icat eamle not all The mobile $e"ices let acerti(icates user installon a $igital certi(icate has in the truste$ root certi(icate e store ability to install a mobile $e"ice $een$s on the mobile $e"ice manu(acturer manu(acturer an$ the mobile ser"ice ro"i$er !ome manu(acturers manu(actur ers an$ mobile ser"ice ro"i$ers $isable access access to the truste$ root certi(icat certi(icate e
store ,n this case neither a sel(9signe$ certi(icate certi(icate nor a certi(icate (rom a 6in$os :;, %& can be installe$ on the mobile $e"ice
'e(ault Echange certi(icates By $e(ault Echange installs a sel(9signe$ certi(icate on both the %lient &ccess ser"er an$ the #ailbo ser"er so that all netor- communication is encryte$ Encryting all netorcommunication re*uires that e"ery Echange ser"er ha"e an ?@0A certi(icate that it can use >ou shoul$ relace this sel(9signe$ certi(icate certi(icate on the %lient &ccess ser"er ith one that is automatically truste$ by your clients !el(9signe$C means that a certi(icate as create$ an$ signe$ only by the Echange ser"er itsel( Because it asn5t create$ an$ signe$ by a generally truste$ %& the $e(ault sel(9signe sel(9signe$ $ certi(icate on5t be truste$ by any so(tare ecet other Echange ser"ers in the same organi4ation The $e(ault certi(icate is enable$ (or all Echange ser"ices ,t has a sub=ect organi4ation alternati"e alternati" e name .!&N/ that correson$s to the ser"er name o( the Echange ser"er that it5s installe$ on ,t also has a list o( !&Ns that inclu$e both the ser"er name an$ the (ully *uali(ie$ $omain name .FD'N/ o( the ser"er <hough other Echange ser"ers in your Echange organi4ation trust this certi(ica certi(icate te automatically automatical ly clients li-e eb brosers Outloo- clients mobile hones an$ other email clients in a$$ition to eternal email ser"ers on5t automatically automatically trust it There(ore consi$er relacing this certi(icate ith a truste$ thir$9arty certi(icate on your Echange %lient &ccess ser"ers ,( you ha"e your on internal :;, an$ all your clients trust that entity you can also use certi(icates that you issue yoursel(
%erti(icate re*uirements by ser"ice %erti(icates are use$ (or se"eral things in Echange #ost customers also use certi(icates on more than one Echange ser"er ,n general the (eer certi(icates you ha"e the easier certi(icate management becomes
,,! &ll the (olloing Echange ser"ices use the same certi(icate on a gi"en Echange %lient &ccess ser"er7 Outloo- 6eb & Echange &$ministration %enter .E&%/ Echange 6eb !er"ices Echange &cti"e!ync Outloo- &nyhere &uto$isco"er
Outloo- &$$ress Boo- $istribution Because only a single certi(icate can be associate$ ith a ebsite an$ because all these ser"ices are o((ere$ un$er a single ebsite by $e(ault all the names that clients o( these ser"ices use must be in the certi(icate .or (all un$er a il$car$ name in the certi(icate/
:O:<,#&: %erti(icates that are use$ (or :O: or ,#&: can be seci(ie$ searately searately (rom the certi(icate that5s use$ (or ,,! Hoe"er to simli(y a$ministration e recommen$ that you inclu$e the :O: or ,#&: ser"ice name in your ,,! certi(icate an$ use a single certi(icate (or all these ser"ices
!#T: & searate certi(icate can be use$ (or each recei"e connector that you con(igure The certi(icate must inclu$e inclu$e the name that !#T: clients .or other !#T: ser"ers/ use to reach that connector To simli(y certi(icate management consi$er inclu$ing all names (or hich you ha"e to suort TL! tra((ic in a single certi(icate
'igital certi(icates an$ roying :roying is the metho$ by hich one ser"er sen$s client connections to another ser"er ,n the case o( Echange 2013 this haens hen the %lient &ccess ser"er roies an incoming client re*uest to the #ailbo ser"er that contains the acti"e coy o( the clients mailbo 6hen %lient &ccess ser"ers ser"ers roy re*uests !!L is use$ (or encrytion but not (or authentication authenticati on The sel(9signe sel(9signe$ $ certi(icate on the #ailbo ser"er encryts the tra((ic beteen the %lient &ccess ser"er an$ the #ailbo ser"er
)e"erse roies an$ certi(icates #any Echange $eloyments use re"erse roies to ublish Echange ser"ices on the ,nternet )e"erse roies can be con(igure$ to terminate !!L encrytion eamine the tra((ic in the clear on the ser"er an$ then oen a ne !!L encrytion channel (rom the re"erse roy ser"ers to the Echange ser"ers behin$ them This is -non as !!L bri$ging ¬her ay to con(igure the re"erse roy ser"ers is to let the !!L connections ass straight straight through to the Echange ser"ers behin$ the re"erse roy ser"ers 6ith either $eloyment mo$el the clients on the ,nternet connect to the re"erse roy ser"er using using a host name (or Echange access such as mailcontosocom Then the re"erse roy ser"er connects to Echange using a $i((erent host name such as the machine name o( the Echange %lient &ccess ser"er ser"er >ou $on5t ha"e to inclu$e the machine name o( the Echange %lient &ccess &ccess ser"er on your certi(icate because most common re"erse roy ser"ers are able to match the original host name that5s use$ by the client to the internal host name o( the Echange %lient &ccess ser"er
!!L an$ slit 'N!
!lit 'N! is a technology that allos you to con(igure $i((erent $i((erent ,: a$$resses (or the same host name $een$ing on here the originating 'N! re*uest came (rom This is also -non
as slit9hori4on 'N! slit9"ie 'N! or slit9brain 'N! !lit 'N! can hel you re$uce the number o( host names that you must manage (or Echange by alloing your clients to connect to Echange through the same host name hether they5re connecting (rom the ,nternet or (rom the intranet !lit 'N! allos re*uests that originate (rom the intranet to recei"e a $i((erent ,: a$$ress than re*uests that originate (rom the ,nternet !lit 'N! is usually unnecessary in a small Echange $eloyment because users can access the same 'N! en$oint hether they5re coming (rom the intranet or the ,nternet Hoe"er ith larger $eloyments $eloyments this con(iguration ill result in too high o( a loa$ on your outgoing ,nternet roy ser"er an$ your re"erse roy ser"er For larger $eloyments $eloyments con(igure slit 'N! so that (or eamle eternal users access mailcontosocom mailcontosocom an$ internal users access internalcontosocom internalc ontosocom +sing slit 'N! (or this con(iguration ensures that your users on5t ha"e to remember to use $i((erent host names $een$ing on here they5re locate$
)emote 6in$os :oer!hell ;erberos authentication authentication an$ ;erberos encrytion are use$ (or remote 6in$os :oer!hell access (rom both the Echange &$ministration &$ministration %enter .E&%/ an$ the Echange #anagement !hell There(ore There(ore you on5t ha"e to con(igure your !!L certi(icates (or use ith remote 6in$os :oer!hell )eturn to to
'igital certi(icates best ractices <hough the con(iguration o( your organi4ation5s $igital certi(icates certi(icates ill "ary base$ on its seci(ic nee$s in(ormation about best ractices has been inclu$e$ to hel you choose the $igital certi(icate con(iguration con(iguration that5s right (or you
Best ractice7 +se a truste$ thir$9arty certi(icate To re"ent clients clients (rom recei"ing recei"ing errors errors regar$ing regar$ing untruste$ certi(icates certi(icates the certi(icate certi(icate that5s use$ by your Echange ser"er must be issue$ by someone that the client trusts <hough most clients can be con(igure$ to trust any certi(icat certi(icate e or certi(icate issuer issuer it5s simler to use a truste$ thir$9arty certi(icate certi(icate on your Echange ser"er This is because most clients alrea$y trust their root certi(icates There are se"eral thir$9arty thir$9arty certi(icate issuers that o((er certi(icates con(igure$ seci(ically seci(ically (or Echange >ou can use the E&% to generate certi(icate re*uests that or- ith most certi(icate issuers
Ho to select a certi(ication authority
& certi(ication authority .%&/ is a comany that issues an$ ensures the "ali$ity o( certi(icates %lient so(tare .(or eamle brosers such as #icroso(t ,nternet Elorer or certi(icates oerating systems such as 6in$os or #ac O!/ ha"e a built9in list o( %&s they trust This list can usually be con(igure$ to a$$ an$ remo"e %&s but that con(iguration is o(ten cumbersome +se the (olloing criteria hen you select a %& to buy your certi(icates (rom7 Ensure the %& is truste$ by the client so(tare .oerating systems brosers brosers an$ mobile hones/ that ill connect to your Echange ser"ers %hoose a %& that says it suorts +ni(ie$ %ommunications %ommunications certi(icatesC (or use ith Echange ser"er
#a-e sure that the %& suorts the -in$s o( certi(ica certi(icates tes that youll use %onsi$er using sub=ect alternati"e alternati"e name .!&N/ certi(icate certi(icates s Not all %&s suort !&N certi(icates an$ other %&s $on5t suort as many host names as you might nee$ #a-e sure that the license you buy (or the certi(icate certi(icates s allos you to ut the certi(icate on the number o( ser"ers that you inten$ to use !ome %&s only allo you to ut a certi(icate on one ser"er %omare certi(icate rices beteen %&s
Best ractice7 +se !&N certi(icates 'een$ing on ho you con(igure the ser"ice names in your Echange $eloyment your Echange ser"er may re*uire a certi(icate that can reresent multile $omain names <hough a il$car$ certi(icate such as one (or contosocom can resol"e this roblem many customers are uncom(ortable ith the security imlications o( maintaining a certi(icate that can be use$ (or any sub$omain & more secure alternati"e is to list each o( the re*uire$ $omains as !&Ns in the certi(icate By $e(ault this aroach is use$ hen certi(icate re*uests are generate$ by Echange
Best ractice7 +se the Echange certi(icate i4ar$ to re*uest certi(icates There are many ser"ices ser"ices in Echange Echange that use use certi(icates certi(icates & common error hen re*uesting re*uesting certi(icates is to ma-e the re*uest ithout inclu$ing the correct set o( ser"ice names The certi(icate i4ar$ i4ar$ in the Echange &$ministration %enter ill hel you inclu$e the correct list o( names in the certi(icate re*uest The i4ar$ lets you seci(y hich ser"ices the certi(icate has to or- ith an$ base$ on the ser"ices selecte$ inclu$es the names that you must ha"e in the certi(icate so that it can be use$ ith those ser"ices )un the certi(icate i4ar$ i4ar$ hen your initial set Echange 2013 ser"ers an$you5ll $etermine$ hich host namesyou5"e to use$eloye$ (or the $i((erent ser"ic ser"ices eso((or your $eloyment ,$eally only ha"e to run the certi(icate i4ar$ one time (or each &cti"e 'irectory site here you $eloy Echange ,nstea$ o( orrying about (orgetting a host name in the !&N list o( the certi(icate that you urchase you can use a certi(icat certi(ication ion authority that o((ers at no charge a grace erio$ $uring hich you can return a certi(icate an$ re*uest the same ne certi(icate ith a (e a$$itional host names
Best ractice7 +se as (e host names as ossible ,n a$$ition to using as (e certi(ica certi(icates tes as ossible you shoul$ also use as (e host names as ossible This ractice can sa"e money #any certi(icate ro"i$ers charge a (ee base$ on the number o( host names you a$$ to your certi(icate The most imortant imortant ste you can can ta-e to re$uce re$uce the number number o( host names names that you must must ha"e an$ there(ore the comleity o( your certi(icate management management is not to inclu$e in$i"i$ual ser"er host names in your certi(icate5s sub=ect alternati"e names
The host names names you must inclu$e inclu$e in your Echange Echange certi(icates certi(icates are are the host names names use$ by by client alications alications to connect to Echange The (olloing is a list o( tyical host names that oul$ be re*uire$ (or a comany name$ %ontoso7 Mail.contoso.com This host Mail.contoso.com host name co"ers most most connections connections to Echange inclu$ing #icroso(t Outloo- Outloo- 6eb & Outloo- &nyhere the O((line &$$ress Boo- Echange 6eb !er"ices :O:3 ,#&: !#T: Echange %ontrol :anel an$ &cti"e!ync Autodiscover.contoso.com This host Autodiscover.contoso.com host name is use$ use$ by clients that suort suort &uto$isco"er &uto$isco"er inclu$ing #icroso(t O((ice Outloo- 200 an$ later "ersions Echange Echange &cti"e!ync an$ Echange 6eb !er"ices clients Legacy.contoso.com This host name is re*uire$ in a coeistence scenario ith Echange Legacy.contoso.com !er"er 2003 or Echange 200 ,( you5ll ha"e clients ith mailboes on either Echange !er"er 2003 or Echange 200 an$ Echange 2013 con(iguring a legacy host name re"ents your users (rom
