Shulou(Shulou.com)06/03 Report--

In the production environment, if the conditions permit, you can apply for a public network certificate. If the conditions do not allow, you can set up a certificate server within the enterprise to deploy the CA server to provide certificates for Exchange and users. Pay attention to the validity time of the certificate.

1. Certificate prompt

After Exchange is installed, SSL function is enabled by default to access OWA or EAC through port 443.If no certificate is deployed, the following prompt appears: there is a problem with the certificate security of this website, as shown in the figure

After selecting the option to continue browsing this site (not recommended), you can continue to visit OWA or EAC, but "Certificate error" is displayed in the address bar, as shown in the figure

2. EAC certificate application

The first step is to log in to EAC as an Exchange administrator. In the Exchange Management Center window, select "Server"-> "Certificate" option, as shown in the figure:

The second step is to select the first server in the "Select Server" list, click the "+" button on the toolbar to launch the "New Exchange Certificate Wizard". In the environment, I have deployed the certificate server in advance, and here we choose "create a request to obtain a certificate from a certificate authority"

Third, click the "next" button to set the certificate name, as shown in the figure

Fourth, click the "next" button to set whether or not to use wildcard certificates. Here we choose not to use wildcard certificates.

Step 5, click the "next" button to select the target server for the certificate store. No Exchange server is selected by default.

Step 6, click the Browse button, which displays all available Exchange servers, and select one of them

Step 7, click the OK button to return to the window that opened in the previous step, as shown in the figure

Step 8, click the "next" button to set the information to be included in the certificate. By default, the internal domain has been automatically adapted, the external domain has not been specified, and it is displayed as "unspecified" which requires the Exchange administrator to match the relevant information of the external domain according to the actual situation. In the test, the external domain uses mail.mc.com.

Take "OWA" as an example, double-click the setting, type an external domain name in the text box, and in this case use the domain name "mail.mc.com"

Click the OK button to return to the specify domains to be included in the certificate window, and use the same operation to process other information. The parameters are set as follows

Step 7, click the next button, which displays the fields included in the current certificate request. Note: if Exchange contains multiple Exchange servers, you need to add each server

Click the "+" button on the toolbar to display the New Domain web page dialog box shown in the figure, and set the name of the second Mailbox server in the domain name settings.

Click the OK button to close the New Domain dialog box and return to the included domain list window. The second server is already displayed in the list.

Add all the target fields in the same way, as shown in the figure

Step 8, click the "next" button to display the window shown in the figure, where you can set the details required for the application request.

Step 9, click the next button to set the location where the certificate request is stored. Note: the storage location requires a UNC path and cannot be stored in the local server environment.

Step 10, click the "finish" button to complete the certificate request. After success, you can view the files through the shared folder path.

Open the certificate request file through notepad, as follows

Step 11, log in to EAC as an Exchange administrator. In the "Exchange Management Center" window, select "Server"-> "Certificate" option. The new certificate request appears in the certificate list. Note that the status of the certificate is "shelved request".

3. IE applies for certificate

The first step is to open the IE browser, type http:// Certificate Server / certsrv "in the address bar, enter the domain username and password, and open the certificate application page, as shown in the figure

Second, click the "apply for a Certificate" link to open the "apply for a Certificate" page as shown in the figure.

Step 3, click the Advanced Certificate Application link to open the Advanced Certificate Application page as shown in the figure. Select the application method in it

Step 4, click "submit a certificate application using a base64-encoded CMC or PKCS#10 file, or renew a certificate application link using a base64-encoded PKCS#7 file, and open the" submit a certificate application or renewal request "page as shown in the figure. Use notepad to open the certificate application file made in the previous step, copy its contents into the saved request text box, and set the Certificate template to Web Server.

Step 5, click the submit button to open the Certificate issued page shown in the figure, where you select the certificate code as DER Encoding.

Step 6, click the "download Certificate" link, open the dialog box shown in the figure, set the location of the certificate, click the "Save" button, complete the certificate application, and after the certificate is saved successfully, match the certificate in the same folder as the certificate request file.

4. Deploy the certificate for the first mail server

First deploy the certificate for MCEX01

The first step is to log in to EAC as an Exchange administrator. In the Exchange Central Administration window, select the Server-> Certificate option, and select the server for MCEX01 in the category.

Second, click the finish link and type the full path and file name of the shared folder where the certificate file is located in the text box. As shown in the picture

Third, click the "OK" button, import the certificate file and configure the related services. The certificate status is updated to "valid". The current certificate has been bound to "IMAP" and "POP" services by default.

Step 4, after selecting the target certificate, click the Edit button on the toolbar to open the certificate properties window, which displays the General tab by default. Switch to the Services tab, as shown in the figure, and the "IMAP" and "POP" services are enabled by default.

Step 5, select the services to be added: SMTP and IIS, as shown in the figure

Step 6, click the Save button to display the warning dialog box shown in the figure, which prompts you to overwrite the existing certificate

Step 7, click the Yes button to return to the Certificate window, which shows that the current certificate has been bound to the set server, as shown in the figure

5. Deploy the certificate for the second mail server

Deploy the certificate for the second mail server MCex02

The first step is to select the certificate to deploy for the first server and select "…" Button, click the Export Exchange Certificate option in the pop-up menu, as shown in the figure

Second, after the command is executed, the Export Exchange Certificate window is displayed. Set the destination folder and password of the exported certificate file, as shown in the figure.

Step 3, click the OK button to export the certificate to the target location, as shown in the figure

Step 4, open the Exchange Management Center window, select the Server-> Certificate option, and select the second server in the Select Server list. The default state is shown in the figure:

Step 5, click the toolbar "…" Button, click the Import Exchange Certificate option in the pop-up menu, as shown in the figure

Step 6, after the command is executed, the "Import Exchange Certificate" window is displayed as shown in the figure, in which you enter the shared folder path where the certificate is located and the certificate name, and then enter the set password (certificate export password)

Step 7, click the next button to display the specify the server to which you want to apply this certificate dialog box as shown in the figure, where the administrator is required to manually configure the certificate for the mail server.

Step 8, click the "+" button on the toolbar to display the window shown in the figure. Select the server that needs to configure the certificate from the list of servers, click the add button, and select the target server.

Step 9, click the OK button to return to the specify the server to which you want to apply this certificate, which shows that the selected server has been added to the list, as shown in the figure

Step 10, click the finish button to configure the certificate for the second server. Note: no service is configured on the mail server after the certificate is successfully imported, so the Exchange administrator is required to configure other services manually, as shown in the figure

Step 11, after selecting the target certificate, click the "Edit" button on the toolbar, open the certificate properties window, switch to the "Services" tab, check all services, and configure the same as the first server.

Step 12, click the Save button to display the warning dialog box shown in the figure, where you need to overwrite the existing certificate.

Step 13, click the Yes button to replace the existing certificate and return to the Certificate window, which shows that the current certificate has been bound to the set service, as shown in the figure

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.