Exchange administrators who have already purchased a UC (Unified Communications) certificate can take advantage of the multiple names accepted by this type of certificate and use it to add ADFS or any other service without buying a new certificate.
We are going to use Digicert in this tutorial. Digicert supports up to 4 names on any UC/SAN (Subject Alternative Names) certificate, and every additional name costs around 99 dollars, which makes it cheaper to add a name to an existing certificate than to buy a brand new one.
In this tutorial we deployed a brand new Exchange Server 2013 (if you haven't done that yet, you can use this tutorial: http://itprocentral.com/deploying-exchange-server-2013/). We are going to request a new certificate for Exchange Server 2013, and later on we need to add ADFS (Active Directory Federation Services) to the infrastructure to support Office 365 integration.
Initial Scenario – Exchange Server 2013…
Exchange Server 2013 was just deployed on this site and the default certificates are listed in the image below. To get there, open EAC (Exchange Admin Center), click on Servers and then Certificates. You can also use the Get-ExchangeCertificate cmdlet to get the same results.
Since our domain is simple (just one SMTP address) and there are no major requirements, we will keep it simple and have only two names in our public certificate: webmail and autodiscover. That covers all the requirements (mobile connectivity, Outlook Anywhere, OWA and so forth). To request a certificate with Digicert, you can use this link: https://www.digicert.com/order/order-1.php?prod=8&rid=022056
After requesting and installing the certificate on Exchange Server 2013, the certificate will be listed on Digicert as shown in the image below. In the SANs section, webmail and autodiscover are listed.
At this point Exchange Server 2013 is using the public certificate and the users are happy. We are not covering step by step how to deploy and configure the certificate on Exchange Server 2013, because the goal of this tutorial is to add a new name to an existing deployment.
Active Directory Federation Services is ready to go…
Exchange Server 2013 is running fine, but the business decided to integrate with Office 365, and as part of the design the ADFS role must be implemented, which in turn requires a public certificate. Since we are using only 2 names for Exchange, we still have room to add a new name without additional cost. Let's say that during the planning phase of ADFS we defined the name adfs.company.ca, and now we need a certificate that covers this new requirement.
If you went ahead and started configuring ADFS, when you get to the Specify Service Properties page you will notice that there is no certificate installed on the server. Time to pause the ADFS deployment for a little bit and work with Exchange to get that new name up and running, shall we?
If you need some guidance, we created a series about ADFS in Windows Server 2012 R2: http://itprocentral.com/microsoft-federation-services-the-series/
Adding a new name to the existent certificate…
Back on Exchange Server 2013, the goal is to create a new certificate request using the same information provided in the initial request, but adding the additional name. To keep things simple, we add v2 to the friendly name to keep track of the changes in the environment.
Note: There is no outage of the Exchange service when requesting a new certificate.
After typing the information as we did the first time, make sure to keep the existing names in the list and add the new entry, which in our case is adfs.msitpro.ca.
The new request will be listed on the Certificates tab of EAC as a Pending request. The result of the process we have just finished is a .req file, which we will use in the next step.
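The same request can be generated from the Exchange Management Shell, which makes it easier to guarantee that every name on the current certificate is carried over. The script below is an added example, not part of the original tutorial or the Exchange product documentation: the server name, organisation fields and share path are placeholders, and the full host names (webmail.msitpro.ca, autodiscover.msitpro.ca, adfs.msitpro.ca) are assumed from the labels used on this page.

```powershell
# Added example (not from the original tutorial): create the v2 certificate
# request from the Exchange Management Shell instead of the EAC wizard.
# Server name, organisation fields and the share path are placeholders;
# host names are assumed from the tutorial's labels (msitpro.ca domain).

$server  = 'EX2013-01'                           # placeholder Exchange 2013 server
$reqPath = '\\EX2013-01\ExUtil\msitpro-v2.req'   # placeholder share (see the ExUtil tutorial)

# 1. Read the certificate currently bound to IIS so the new request keeps
#    every name it already carries (same list as the Certificates tab in EAC).
$current = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' -and $_.Status -eq 'Valid' } |
    Select-Object -First 1
$current | Format-List FriendlyName, Subject, CertificateDomains, NotAfter, Thumbprint

# 2. Build the SAN list: the existing names first, then the one being added.
$existingNames = @($current.CertificateDomains | ForEach-Object { $_.ToString() })
$newNames      = $existingNames + 'adfs.msitpro.ca' | Select-Object -Unique

# 3. Create the pending request. -PrivateKeyExportable is what later allows
#    the issued certificate to be exported with its key for the ADFS server.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'msitpro.ca public certificate v2' `
    -SubjectName 'CN=webmail.msitpro.ca, O=MSITPro, L=Toronto, S=Ontario, C=CA' `
    -DomainName $newNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# 4. Save the request text. This is the content pasted into DigiCert's
#    "Add, Remove or Change Domains" page; the request now shows as
#    "Pending request" in EAC, exactly like the wizard-created one.
Set-Content -Path $reqPath -Value $csr -Encoding Ascii

# 5. Sanity check before submitting: decode the CSR and confirm that every
#    name, old and new, is present (certreq.exe ships with Windows).
certreq.exe -dump $reqPath | Select-String -Pattern 'DNS Name='
```

Reading the SAN list from the live certificate rather than retyping it is the point of step 2: a name dropped by mistake from the reissued certificate would break Autodiscover or OWA for every client as soon as the new certificate is enabled.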
Log on to the Digicert page using the credentials used to manage certificates, select the order for your Exchange Server, then click on Add, Remove or Change Domains.
On the following page, paste the content of the .req file created on Exchange Server 2013, and make a note for documentation purposes in the Reason for Changes field.
On the next page, the new name (adfs.msitpro.ca) will be listed; just click on Continue to Next Step.
On the final page of the wizard, the original CSR and the new one are displayed with the changes highlighted. Click on These changes are correct >> Submit Request.
Wait for the process to be completed on the Digicert side; as a result you will see the new name displayed in the SAN of the certificate.
Finishing up the process on Exchange Server
The original certificate is still valid and we can keep it, but for the sake of organization I prefer to get rid of the old certificate and associate all the services with the new one. It is up to you: there is no requirement to change the certificate, since we only added a name.
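For those who do want to move the Exchange services to the reissued certificate, the steps are: complete the pending request with the file downloaded from Digicert, verify the SAN list, bind the services, and only then consider removing the old certificate. The following script is an added example, not part of the original tutorial; the server name and file path are placeholders and adfs.msitpro.ca is the name used on this page.

```powershell
# Added example (not from the original tutorial): complete the pending
# request with the reissued certificate from DigiCert, then move the
# Exchange services to it. Server name and path are placeholders.

$server = 'EX2013-01'
$issued = '\\EX2013-01\ExUtil\msitpro-v2.cer'   # reissued certificate saved from DigiCert

# 1. Import completes the pending request: Exchange matches the issued
#    certificate to the private key it generated for the CSR.
$newCert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]](Get-Content -Path $issued -Encoding Byte -ReadCount 0))

# 2. Check before touching any service: status, expiry and the SAN list
#    must show the added ADFS name alongside the original two.
$newCert | Format-List FriendlyName, Status, NotAfter, CertificateDomains, Thumbprint
$names = @($newCert.CertificateDomains | ForEach-Object { $_.ToString() })
if ($names -notcontains 'adfs.msitpro.ca') {
    throw 'Reissued certificate does not carry the new SAN; stop here.'
}

# 3. Optional (the tutorial leaves this choice to you): bind the same
#    services the old certificate served. Reading the service list from the
#    old certificate avoids dropping one (for example SMTP) by accident.
$oldCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' -and $_.Thumbprint -ne $newCert.Thumbprint } |
    Select-Object -First 1
Enable-ExchangeCertificate -Server $server -Thumbprint $newCert.Thumbprint `
    -Services $oldCert.Services -Force

# 4. Only after OWA, ActiveSync and Outlook Anywhere have been tested against
#    the new certificate, remove the old one. It remains valid until then,
#    so this line stays commented out as a deliberate last step.
# Remove-ExchangeCertificate -Server $server -Thumbprint $oldCert.Thumbprint
```

Keeping the old certificate installed until the new binding has been tested gives you a one-command rollback (Enable-ExchangeCertificate on the old thumbprint) if a client type turns out to dislike the new certificate.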
Exporting the Certificate…
Here is the reason why we used Exchange to generate the new certificate with the additional name: we need to export it, and we can do that by clicking on … and then Export Exchange Certificate.
Export the file and define a password. All files exported from EAC contain the private key.
Note: If you don't have a shared folder for Exchange Server, we went over the details of how to create one in the following tutorial: http://itprocentral.com/creating-a-shared-folder-exutil-to-support-exchange-server-2013-eac/
Importing the Certificate in the new ADFS server…
Time to go back to the ADFS server: open mmc, click on File, then Add/Remove Snap-in, select Certificates and then Computer Account. The last two steps are shown in the image below.
Expand Certificates and right-click on Personal. Click All Tasks and then Import.
On the File to Import page, select the file that we have just exported from Exchange Server.
On the Private Key Protection page, type in the password, check Mark this key as exportable and click Next.
On the Certificate Store page, leave the default settings and complete the wizard.
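Both halves of this transfer, the export from Exchange and the import into the computer's Personal store on the ADFS server, can also be done from PowerShell, which makes it easy to confirm that the private key arrived and that the SAN really lists the ADFS name before going back to the wizard. The script below is an added example, not part of the original tutorial; server names and the share path are placeholders, and the two sections run on different machines.

```powershell
# Added example (not from the original tutorial): export from Exchange and
# import on the ADFS server without the EAC/MMC wizards. Server names and
# share path are placeholders; the thumbprint is read from the live cert.

# --- On the Exchange 2013 server (Exchange Management Shell) --------------
$server  = 'EX2013-01'
$pfxPath = '\\EX2013-01\ExUtil\msitpro-v2.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.FriendlyName -like '*v2*' -and $_.Status -eq 'Valid' } |
    Select-Object -First 1

# The export carries the private key (hence the password); this only works
# because the request was created with -PrivateKeyExportable $true.
$pfx = Export-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPwd
Set-Content -Path $pfxPath -Value $pfx.FileData -Encoding Byte

# --- On the ADFS server (elevated PowerShell, PKI module) -----------------
# Cert:\LocalMachine\My is the Personal store of the Computer account chosen
# in the MMC; -Exportable is the "Mark this key as exportable" checkbox.
$pfxPath = '\\EX2013-01\ExUtil\msitpro-v2.pfx'
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPwd -Exportable

# Verify what landed: private key present, not expired, and the SAN
# extension lists the ADFS name the wizard is about to look for.
$imported | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter
$san = $imported.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san.Format($true)
if (-not $imported.HasPrivateKey)                       { throw 'Private key missing' }
if ($san.Format($true) -notmatch 'adfs\.msitpro\.ca')   { throw 'SAN lacks the ADFS name' }

# The PFX on the share contains the private key: delete it once imported.
Remove-Item -Path $pfxPath
```

The two checks at the end are the ones worth keeping even if you stay with the wizards: a certificate without its private key, or one that does not list the federation service name, is exactly what makes the ADFS wizard's certificate drop-down stay empty.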
Now we can go back to the ADFS wizard and click Back and then Next (to refresh the settings), and the new certificate will be displayed.
In this tutorial we went over the process of using Exchange Server 2013 to add a new name to an existing UC/SAN certificate and then using the new certificate on the ADFS server. The same strategy can be used for any other service that requires an additional certificate.