Showing posts with label SAN. Show all posts

Monday, January 23, 2012

creating a CSR for a UCC SSL certificate on Exchange 2010 or SBS 2011

I installed an SBS 2011 box this weekend and I wanted to install a UCC SSL certificate on it. I get my certificates from GoDaddy, and this was the method I used in the Exchange Management Console to create the CSR that GoDaddy needed.


Here is the text in case that link ever gets moved or taken down:

Open the EMC

Select "Server Configuration" in the menu on the left, and then "New Exchange Certificate" from the actions menu on the right.
When prompted for a friendly name, enter a name by which you will remember this certificate in the future.

This name is not an integral part of your certificate request.

Under Domain Scope, you can check the box if you will be generating the CSR for a wildcard. Otherwise, just go to the next screen.

If you do select that box for a wildcard, skip to step 7.

In the Exchange Configuration menu, select the services which you plan on running securely, and enter the names through which you connect to those services, as prompted.

At the next screen, you will be able to review a list of the names which Exchange 2010 suggests you include in your certificate request. Review those names (using our SAN Name Help tool if necessary), and add any extra names at this point.

Your Organization should be the full legal name of your company.

Your Organization unit is your department within the organization.

If you do not have a state/province, enter the city information again.



Click "Browse" to save the CSR to your computer as a .req file, then Save, then Next, then New, and then Finish.
You should now be able to open the CSR as a notepad or wordpad file, and you will want to copy the entire body of that file into the online order process.

Wednesday, November 24, 2010

tool for editing/adding SSL certificates to Exchange 2007 / SBS 2008

This tool:


has been a great help to me in the management of multi-domain SSL certificates (UCC or SAN certificates). Particularly for SBS 2008, you need to use the Exchange shell to add a multi-domain SSL certificate, but this GUI tool will easily help you add it.

Saturday, July 10, 2010

adding a UCC (multiple name) SSL certificate to SBS 2008

Adding a single name SSL certificate to SBS 2008 is pretty easy using the "add a trusted certificate" wizard in SBS 2008. But it's not as easy if you want a UCC SSL certificate, for example because your DNS host doesn't support SRV records.

I found sembee's blog post on this exact topic here. His steps are a little convoluted, but here's a short version with just the need to know info:

You're not going to use the wizard. You'll use PowerShell.

You'll go to Digicert's wizard for UCC creation:
https://www.digicert.com/easy-csr/exchange2007.htm

Then use the PowerShell command it creates on your SBS 2008 box. It'll create a CSR file on the root of your C drive.

Take that CSR file to your SSL cert provider (GoDaddy or whoever). Buy the UCC cert and put in the CSR as needed.

After your cert is approved, download the cert and use this command to import the certificate:
Import-ExchangeCertificate -Path "D:\Shares\Install\SSL Cert\mail_ExternalDomaiName_com.crt" -FriendlyName "CompanyName UCC Cert"
(altered as appropriate, of course, for the actual path of your SSL cert)

Also follow the necessary instructions provided by the cert provider about intermediate certification authorities if applicable. Restart the MS Exchange Transport service and run an iisreset.

Then go back to the "add a trusted certificate wizard" in the SBS console and tell it that you'll use an already existing certificate and choose the cert that you just imported.


EDIT - this all makes sense, and I should see this working as I see the certificate in the personal store of the certificates MMC, so I should be able to add the UCC cert in the "add a trusted certificate wizard" - but I don't see it there, so I'm going to go the more manual route and follow these instructions:

http://www.xbarit.com/bradblog/2009/12/14/how-to-manually-install-an-ssl-certficate-on-sbs-2008/
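
The Exchange 2007 shell steps above (create the request, import the issued certificate, check the result), as an added example that is not from the original post or from Digicert's wizard. The host names, subject fields and file paths are placeholders, and the two function names are made up for this sketch.

```powershell
# Added example, not from the original post. All names and paths are placeholders.
$names   = 'mail.example.com', 'autodiscover.example.com', 'remote.example.com'
$csrPath = 'C:\ucc_request.csr'
$crtPath = 'C:\ucc_cert.crt'

# Step 1: create the request on the Exchange server. The private key is generated
# here and stays on this machine; only the CSR file goes to the CA.
function New-UccRequest {
    # -PrivateKeyExportable $true allows the key to be exported later for backup
    # or migration; set it to $false if the key should never leave this server.
    New-ExchangeCertificate -GenerateRequest -Path $csrPath -KeySize 2048 `
        -SubjectName "c=US, o=Example Company, cn=$($names[0])" `
        -DomainName $names -PrivateKeyExportable $true

    # Read the request back before pasting it into the order form and confirm
    # that every expected host name is listed under Subject Alternative Name.
    certutil -dump $csrPath
}

# Step 2: after the CA issues the certificate, import it and check the result.
function Test-UccCertificate {
    $imported = Import-ExchangeCertificate -Path $crtPath -FriendlyName 'Example UCC Cert'
    $cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
    $cert | Format-List Thumbprint, CertificateDomains, HasPrivateKey, Services, NotAfter

    # Names missing from the issued certificate produce certificate warnings
    # for any client that connects using them.
    $have    = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($names | Where-Object { $have -notcontains $_.ToLower() })
    if ($missing.Count -gt 0) { Write-Warning "Not covered by the certificate: $missing" }

    # The certificate is only usable for TLS if it was paired with the key
    # created in step 1, which requires importing it on the same server.
    if (-not $cert.HasPrivateKey) { Write-Warning 'Imported without a private key.' }
}
```

Run `New-UccRequest` in the Exchange Management Shell before ordering the certificate and `Test-UccCertificate` once the issued file has been saved to `$crtPath`.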