Securing OWA 2007 on Exchange 2007

Microsoft Exchange 2007
Microsoft Outlook
Microsoft Outlook 2007
Outlook Web Access
SSL Certificates
I want to secure OWA on Exchange 2007 for the internal employees who want to access email from outside the office from a public or private computer. I would like to use a Verisign SSL certificate. Please answer me.
  1. How can I configure a third-party SSL certificate on my Exchange 07?
  2. If my Exchange 07 already has a third-party certificate, how can I find out that my existing Exchange 07 has a third-party certificate?
  3. I am getting an error when I'm using Outlook 2007 on the internal network: "The name of the security certificate is invalid or does not match the name of the site."
The solution is on this link. How can I implement that? Can anyone help me regarding all of my problems? Thanks!

Answer Wiki


See my blog entry on this subject.

The process I used is as follows:
To generate a Certificate Signing Request (CSR) on an Exchange 2007 server:

Prior to starting, uncheck the feature in Windows “Hide extensions for known file types”.
When I pasted the cert from VeriSign into Notepad on the Exchange box and saved the file as cert.cer or cert.p7b, good ol' Windows decided to add .txt to the end of the file. You are unable to see the .txt in Explorer. So after trying to import the cert in the steps below, you will receive an error.

1. Open the Exchange MMC. Start, All Programs, Microsoft Exchange Server 2007, Exchange Management Console.
2. Scroll down the opening screen until you see: Configure SSL for your Client Access Server. Click on this link. This will open a help window describing the steps to go through for this process.
3. If you don’t see it, scroll down the window until you see the text: 1. Open the Exchange Management Shell. Click on this link, which will open the command line (PowerShell) based window.
4. At this command line enter the following command making modifications to variables as needed (underlined items):
   a. New-ExchangeCertificate -GenerateRequest -domainname,, -FriendlyName -subjectname "O= Corporation, OU=Company, C=US, S=State, L=City," -privatekeyexportable:$true -path c:\webmaileu-csr.txt
5. If the command runs successfully, a CSR file will be created in the path described in the command.
6. This CSR file will be used by the Certificate Authority (CA) to generate a trusted certificate and private key for this server.
7. Once the certificate information is returned it will need to be imported on the client access server. This is done by the following steps:
   a. The certificate text file should be saved on a location where the client access server can access the file.
   b. If the Exchange Management Shell is not open, it will need to be opened.
   c. Run the following command, making changes as needed to the underlined variables:
      i. “Import-ExchangeCertificate -path c:\webmaileu.cer”
8. We now need to locate this certificate & its thumbprint to install into IIS and update the self-signed certificate. This is done by the following steps:
   a. While at the command prompt in the Exchange Management Shell, type “dir cert:\LocalMachine\My | fl” and press enter.
   b. Locate the certificate with the right Subject name and FriendlyName for this server.
   c. Copy the Thumbprint to the clipboard.
   d. At the command prompt type “enable-ExchangeCertificate -thumbprint <value copied to clipboard> -services "IIS, IMAP, POP"”. Press enter.
9. The IIS virtual directories now need to be configured to use SSL. This is done by the following steps:
   a. Under Default Web site, select the virtual directory that you want, for example, “owa”.
   b. Right-click the virtual directory, and then click “Properties”.
   c. Click the “Directory Security” tab.
   d. In the “Secure Communications” section, click “Edit”.
   e. In the “Secure Communications” dialog box, make sure that both the “Require secure channel (SSL)” check box and the “Require 128-bit encryption” check box are selected.
   f. Click “OK” to save your changes.
   g. Restart IIS to ensure settings are saved.

Basically the same certificate gets installed on both the CAS and ISA servers.
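
A way to check questions 2 and 3 from the same certificate store the answer lists in step 8, as an added example that is not part of the original answer. It reports for each certificate whether it is self-signed and whether its CN or Subject Alternative Names cover the name clients connect to. Assumptions: mail.example.com is a placeholder host name, PowerShell 2.0 or later, and an English-language Windows (the "DNS Name=" label is localized).

```powershell
# Added example, not from the original answer.
# Assumption: mail.example.com is a placeholder for the name Outlook/OWA clients use.
param([string]$HostName = 'mail.example.com')

function Test-NameMatch([string]$Pattern, [string]$Name) {
    # Exact match, or a wildcard that stands for exactly one left-most label.
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

function Get-CertNames($Cert) {
    # Subject CN plus every DNS entry in the Subject Alternative Name
    # extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            foreach ($line in $ext.Format($true) -split "`r?`n") {
                if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
            }
        }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $names = @(Get-CertNames $cert)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer        # shows which CA signed it
        SelfSigned = ($cert.Subject -eq $cert.Issuer)  # true: not issued by any CA
        Expires    = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey # must be true to serve TLS
        Names      = ($names -join ', ')
        CoversHost = [bool]($names | Where-Object { Test-NameMatch $_ $HostName })
        Thumbprint = $cert.Thumbprint
    }
} | Format-List Subject, Issuer, SelfSigned, Expires, HasKey, Names, CoversHost, Thumbprint
```

A certificate with SelfSigned = False and a public CA in Issuer is the third-party one; CoversHost = False for the name Outlook connects to is the condition behind the "does not match the name of the site" warning.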

Discuss This Question: 2  Replies

  • RuthParish15
    I am not sure what the Common Name should point at: our new external OWA web address ( or the email server's name ( Our external domain ( is different than our internal one (
    New-ExchangeCertificate -GenerateRequest -Path c:\Certificates\OWA-external-certrequest.req -KeySize 1024 -PrivateKeyExportable $True -SubjectName "c=US, s=CA, l=San Bernardino, o=City of San Bernardino, ou=Information Technology," -DomainName -FriendlyName "OWA External Certificate"
    Thank you
  • Labnuke99
    As long as the CN is one of the names in the -domainname section, any name can be used. subjectname "O= Corporation, OU=Company, C=US, S=State, L=City,"