Managing your UC Certificate to add support to ADFS

Exchange administrators who have already purchased a UC (Unified Communications) certificate can take advantage of the multiple names this type of certificate accepts and use it to add ADFS, or any other service, without buying a new certificate.

Solution


We are going to use Digicert in this tutorial. Digicert supports up to 4 names on any UC/SAN (Subject Alternative Names) certificate, and every additional name costs around 99 dollars, which makes it cheaper to add a name to an existing certificate than to buy a brand new one.

In this tutorial we deployed a brand new Exchange Server 2013 (if you haven’t done that yet, you can use this tutorial: http://itprocentral.com/deploying-exchange-server-2013/). We are going to request a new certificate for the Exchange Server 2013, and later on we need to add ADFS (Active Directory Federation Services) to the infrastructure to support Office 365 integration.

Initial Scenario – Exchange Server 2013…

Exchange Server 2013 was just deployed on this site and the default certificates are listed in the image below. To get there, open EAC (Exchange Admin Center), click Servers and then Certificates. You can also use the Get-ExchangeCertificate cmdlet to get the same results.

Since our domain is simple (just one SMTP address) and there are no major requirements, we will keep it simple and have only two names in our public certificate: webmail and autodiscover. That covers all the requirements (mobile connectivity, Outlook Anywhere, OWA and so forth). To request a certificate with Digicert, you can use this link: https://www.digicert.com/order/order-1.php?prod=8&rid=022056

After requesting and installing the certificate on Exchange Server 2013, the certificate will be listed on Digicert as shown in the image below. In the SANs section, webmail and autodiscover are listed.

At this point Exchange Server 2013 is using the public certificate and the users are happy. We are not covering step by step how to deploy and configure the certificate on Exchange Server 2013, because the goal of this tutorial is to add a new name to an existing deployment.

Active Directory Federation Services is ready to go…

Exchange Server 2013 is running fine, but the business decided to integrate with Office 365. As part of the design the ADFS role must be implemented, and that role requires a public certificate. Since we are using only 2 names for Exchange, we still have room to add a new name without additional cost. During the planning phase of ADFS, let’s say that we defined the name adfs.company.ca, and now we need to come up with a certificate that covers this new requirement.

If you went ahead and started configuring ADFS, when you get to the Specify Service Properties page you will notice that there is no certificate installed on the server. Time to pause the ADFS deployment for a bit and work with Exchange to get that new name up and running, shall we?

If you need some guidance, we created a series about ADFS in Windows Server 2012 R2: http://itprocentral.com/microsoft-federation-services-the-series/

Adding a new name to the existent certificate…

Back on Exchange Server 2013, the goal is to create a new certificate request using the same information provided in the initial request, but adding the additional name. To keep it simple, we append v2 to the friendly name to keep track of the changes in the environment.

Note: There is no outage on the Exchange service by requesting a new certificate.

After typing the information as we did the first time, make sure to keep the existing names on the list and add the new entry, which in our case is adfs.msitpro.ca.

The new request will be listed on the Certificates tab of EAC as a pending request. The result of the process we have just finished is a .req file that we will use in the next step.

Log on to the Digicert page using the credentials to manage certificates, select the order for your Exchange Server, then click Add, Remove or Change Domains.

On the following page, paste the content of the .req file created on Exchange Server 2013, and make a note for documentation purposes in the Reason for Changes field.

On the next page the new name, adfs.msitpro.ca, will be listed; just click Continue to Next Step.

On the final page of the wizard, the original CSR and the new one are displayed with the changes highlighted; click These changes are correct >> Submit Request.

Wait for the process to complete on the Digicert side; as a result you will see the new name displayed in the SAN list of the certificate.

Finishing up the process on Exchange Server

The original certificate is still valid and we can keep it, but for the sake of organization I prefer to get rid of the old certificate and associate all the services with the new one; it is up to you. There is no requirement to change the certificate since we only added a name.

Exporting the Certificate…

Here is the reason why we used Exchange to generate the new certificate with the additional name: we need to export it, and we can do that from the certificate’s menu in EAC by clicking Export Exchange Certificate.

Export the file and define a password; all files exported from EAC contain the private key, so protect the exported .pfx file and its password accordingly.

Note: If you don’t have a shared folder for Exchange Server, we went over the details of how to create it in the following tutorial: http://itprocentral.com/creating-a-shared-folder-exutil-to-support-exchange-server-2013-eac/
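The Exchange side of the procedure above (inspect the current certificate, request with the existing names plus the new one, complete the pending request, verify the SANs and export the .pfx) can also be done from the Exchange Management Shell. This is an added example, not the tutorial’s own code; the subject, the msitpro.ca names and the \\EX2013\ExUtil share are assumptions.

```powershell
# Added example, not from the tutorial. Assumed values: the certificate subject,
# the existing SANs webmail/autodiscover.msitpro.ca, the new name adfs.msitpro.ca
# and the \\EX2013\ExUtil share used for the request, .cer and .pfx files.

# 1. Show the current public (non self-signed) certificate and its SAN list.
Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned } |
    Format-List FriendlyName, Thumbprint, CertificateDomains, NotAfter

# 2. New request: same subject as the original, existing names kept, new name added.
$domains = 'webmail.msitpro.ca', 'autodiscover.msitpro.ca', 'adfs.msitpro.ca'
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail.msitpro.ca,O=MSITPro,L=Toronto,S=ON,C=CA' `
    -DomainName $domains `
    -FriendlyName 'webmail.msitpro.ca v2' `
    -PrivateKeyExportable $true
Set-Content -Path '\\EX2013\ExUtil\webmail-v2.req' -Value $req   # paste into Digicert

# 3. After Digicert reissues, complete the pending request with the returned .cer.
$cerBytes = [System.IO.File]::ReadAllBytes('\\EX2013\ExUtil\webmail-v2.cer')
$cert = Import-ExchangeCertificate -FileData $cerBytes

# 4. Check that every required name is in the reissued certificate before using it.
$present = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $domains | Where-Object { $present -notcontains $_ }
if ($missing) { throw "Reissued certificate is missing SAN(s): $($missing -join ', ')" }

# 5. Optional (see above): move the Exchange services to the new certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Confirm:$false

# 6. Export as password-protected PFX; the file contains the private key.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('\\EX2013\ExUtil\webmail-v2.pfx', $export.FileData)
```

Step 4 is the check worth keeping even when you use the EAC wizard: a reissued certificate that silently dropped a name is only noticed when a client fails.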

Importing the Certificate in the new ADFS server…

Time to go back to the ADFS server: open mmc, click File, then Add/Remove Snap-in, select Certificates and then Computer account. The last two steps are shown in the image below.

Expand Certificates, right-click Personal, click All Tasks and then Import.

On the File to Import page, select the file that we have just exported from Exchange Server.

On the Private Key Protection page, type in the password, mark the certificate as exportable (Mark this key as exportable) and click Next.

On the Certificate Store page, leave the default settings and complete the wizard.

Now we can go back to the ADFS wizard and click Back and then Next (to refresh the settings); the new certificate will be displayed.
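The same import on the ADFS server, with the checks the wizard does not do for you (the federation name is in the SAN list and the private key came along), as an added example that is not part of the original tutorial; the C:\Certs path and the adfs.msitpro.ca name are assumptions.

```powershell
# Added example, not from the tutorial. Assumes the PFX exported from Exchange
# was copied to C:\Certs\webmail-v2.pfx on the ADFS server.
$pfxPath     = 'C:\Certs\webmail-v2.pfx'
$serviceName = 'adfs.msitpro.ca'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the computer's Personal store, which is where the ADFS wizard looks.
# -Exportable matches the "Mark this key as exportable" checkbox in the MMC wizard.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword -Exportable

# Read the Subject Alternative Name extension and make sure the ADFS name is in it.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
if ($sanText -notmatch [regex]::Escape($serviceName)) {
    throw "$serviceName is not in the SAN list of $($cert.Thumbprint); re-check the Digicert order"
}
# ADFS needs the private key; a .cer export instead of a .pfx would fail here.
if (-not $cert.HasPrivateKey) { throw 'Private key missing; re-export the .pfx from Exchange' }

# This thumbprint is what the wizard shows (and what Install-AdfsFarm -CertificateThumbprint takes).
$cert.Thumbprint

# The PFX is no longer needed on this server once imported; it contains the private key.
Remove-Item -Path $pfxPath
```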

Conclusion


In this tutorial we went over the process of using Exchange Server 2013 to add a new name to an existing UC/SAN certificate and then using the new certificate on the ADFS server. The same strategy can be used for any other service that requires an additional certificate.

Written by Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management and in Office Server and Services; besides the Microsoft award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft community with articles, tutorials, blog posts, Twitter, forums and book reviews. He is a regular contributor at ITPROCentral.com, MSExchange.org, Techgenix.com and AndersonPatricio.org (Portuguese).
