Working with SSL Certificates
Although various methods exist to create and import SSL certificates, the task can be laborious on Windows servers that are not covered by a certificate policy (i.e. standalone servers). This article describes how to manually create and verify a certificate signing request (CSR) with Microsoft's Certreq tool, and how to import the certificate after the CSR has been signed by a certificate authority (CA).
Customers who manage their certificates with OpenSSL will find useful information in the appendix at the end of this article.
Generating a Certificate Signing Request (CSR)
It is assumed that the following steps are carried out on the machine where the certificate is actually going to be used by MailStore SPE. Certreq generates the private key on that machine and keeps it in the computer's certificate store, so the key never has to be copied between systems.
- Prepare a text file request.inf with the following content:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace the Subject attributes in the line below with real values
Subject = "CN=mailarchive.example.com, OU=Department, O=Organisation, L=Locality, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = mailarchive.example.com
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
- Adjust the Subject and FriendlyName values to your needs. The C attribute must be the two-letter ISO 3166 country code. Exportable = TRUE allows the private key to be exported from the certificate store later (e.g. for a backup); set it to FALSE if the key must never leave this machine.
- Save the file.
- Open an elevated command prompt and navigate to the directory where the request.inf is stored.
- Create the CSR by executing the following command:
certreq -new request.inf request.csr
Optional: Subject Alternative Names (SAN)
If the certificate should be valid for multiple host names, so-called Subject Alternative Names (SAN) must be included in the CSR. Add the Extensions section shown below to the end of the request.inf file and adjust the host names to your needs, or add further host names by appending additional _continue_ lines. Then save the file and create the request as explained previously.
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=mailarchive.example.com&"
_continue_ = "DNS=archive.example.com&"
Important notice: When a SAN extension is present, clients ignore the CN in the Subject field. Therefore every host name the certificate should be valid for, including the one used as CN, has to be listed in the SAN extension.
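The CSR procedure above, including the SAN extension, as an added PowerShell example that is not part of the original article or of MailStore's own tooling. It builds request.inf from a list of host names so that the CN is always also present in the SAN list, runs certreq, and then checks the certutil dump for every host name before the CSR is sent anywhere. The host names and Subject attributes are placeholders, and the script assumes an elevated PowerShell session on the target server with certreq.exe and certutil.exe on the PATH.

```powershell
# Added example (not from the original article): generate request.inf with a
# SAN extension, create the CSR with certreq and verify the SAN list in the dump.
# Assumptions: elevated PowerShell on the target server; certreq.exe/certutil.exe
# on PATH; all host names and Subject attributes below are placeholders.
param(
    [string[]]$HostNames = @('mailarchive.example.com', 'archive.example.com'),
    [string]$OrgUnit  = 'Department',
    [string]$Org      = 'Organisation',
    [string]$Locality = 'Locality',
    [string]$State    = 'State',
    [string]$Country  = 'US'   # must be the two-letter ISO 3166 code
)

# The first host name becomes the CN; every host name, CN included, goes into
# the SAN list because clients ignore the CN once a SAN extension is present.
$cn = $HostNames[0]
$sanLines = ($HostNames | ForEach-Object { "_continue_ = `"DNS=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$cn, OU=$OrgUnit, O=$Org, L=$Locality, S=$State, C=$Country"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = $cn
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath = Join-Path $PWD 'request.inf'
$csrPath = Join-Path $PWD 'request.csr'
# Write the INF as plain ASCII (no BOM) so certreq parses it reliably.
[System.IO.File]::WriteAllText($infPath, $inf, [System.Text.Encoding]::ASCII)

& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Sanity check before submission: every host name must show up as a
# "DNS Name=" entry of the Subject Alternative Name extension in the dump.
$dump = (& certutil.exe -dump $csrPath) | Out-String
$missing = $HostNames | Where-Object { $dump -notmatch [regex]::Escape("DNS Name=$_") }
if ($missing) { throw "SAN extension is missing: $($missing -join ', ')" }
"CSR written to $csrPath with SANs: $($HostNames -join ', ')"
```

The private key is created in the computer's key store at the `certreq -new` step; the CSR file only contains the public key and can be sent to the CA as-is.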
Validating the Certificate Signing Request
To verify that the CSR is correct (Subject, key length, key usage and, if configured, the SAN extension), execute the following command to display it in a human-readable format:
certutil -dump request.csr
Submitting the Certificate Signing Request
Submit the CSR to your preferred CA. The CSR contains only the public key; the private key stays on the server and is never sent to the CA. The CA might ask for the server platform during the submission process. Selecting "IIS 7" or "None of the listed" should be sufficient. After successful approval of the CSR, you will get the signed certificate in return.
Please note: Nowadays most CAs issue certificates that chain to their root through one or more intermediate CA certificates. These intermediate certificates have to be installed on the server as well (in the computer's Intermediate Certification Authorities store), otherwise clients cannot build the chain. Detailed information about the installation process of intermediate CA certificates is typically included in the electronic delivery of your certificate.
Importing and Verifying the Certificate
- Open an elevated command prompt and navigate to the directory where the certificate file is stored.
- Execute the following command to import the certificate into the computer's personal certificate store:
certreq -accept certificate.cer
- Use MMC's certificate snap-in or certlm.msc (Windows Server 2012 or newer) to verify that the certificate has been imported properly into the computer's Personal certificate store and that a matching private key can be found (the certificate's properties state "You have a private key that corresponds to this certificate").
- Replace the self-signed certificates in the Client Access Server with the imported certificate.
Appendix: Creating a PFX Container with OpenSSL
When the CSR was created with OpenSSL, the private key exists only as a file and is not stored in the Windows certificate store. To use certificates that have been created with OpenSSL in MailStore, it is therefore required to merge the private key, the certificate and optionally the CA's certificate chain into a PFX container. This container can then be imported into the Windows certificate store.
- Create the PFX container by executing the following command. CACert.crt should contain the CA's intermediate certificate(s); OpenSSL prompts for an export password that protects the private key inside the container:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- Open an elevated command prompt and navigate to the directory where the PFX file is stored.
- Import the content of the PFX container into the computer's personal certificate store by executing the following command (certutil prompts for the export password chosen in the first step):
certutil -importpfx certificate.pfx
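Whether the certificate was imported with certreq -accept (see "Importing and Verifying the Certificate") or with certutil -importpfx as above, the end state should be the same: a certificate in the computer's Personal store with a matching private key and a chain that builds through the installed intermediates. The following PowerShell script is an added example, not part of the original article or of MailStore's tooling, that performs that check non-interactively instead of through MMC. The host name is a placeholder.

```powershell
# Added example (not from the original article): verify that the imported
# certificate sits in LocalMachine\My with a private key and a valid chain.
# Assumptions: run in an elevated PowerShell on the server; the host name is
# a placeholder. Revocation is not checked so the test also works offline.
param([string]$HostName = 'mailarchive.example.com')

# Match on the SAN list first, fall back to the CN for certificates without SAN.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.DnsNameList.Unicode -contains $HostName) -or ($_.Subject -like "CN=$HostName*")
}
if (-not $certs) { throw "No certificate for $HostName found in LocalMachine\My" }

foreach ($cert in $certs) {
    # Build the chain from the server's stores: a failure here usually means a
    # missing intermediate certificate, an expired certificate or an untrusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $problems = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SANs       = ($cert.DnsNameList.Unicode -join ', ')
        NotAfter   = $cert.NotAfter
        # HasPrivateKey is what the key icon in MMC represents.
        PrivateKey = $cert.HasPrivateKey
        ChainOk    = $chainOk
        Problems   = ($problems -join '; ')
    }

    if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Thumbprint): no private key; re-import the PFX or re-run certreq -accept on the machine that created the CSR" }
    if (-not $chainOk)            { Write-Warning "$($cert.Thumbprint): chain does not build; install the CA's intermediate certificate(s)" }
}
```

If PrivateKey is False after certreq -accept, the certificate was accepted on a different machine than the one where certreq -new generated the key. A missing intermediate can be added to the computer's Intermediate Certification Authorities store with `certutil -addstore CA intermediate.cer`, after which the chain check should succeed.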