Exchange 2010 Deployment, Part Four

Install Certificate Service

Apply for a certificate for Exchange, as described below.

Due to limited resources, the certificate service is installed on the domain controller here. I personally suggest not deploying it this way.

Now install the certificate service.

Keep the defaults and click Next.

Select the top and bottom check boxes, as shown in the figure, and click Next.

Keep the defaults and click Next.

Keep the defaults and click Next.

Start the installation.

After the installation is complete, click the arrow to continue with the installation and deployment.

Keep the default.

Select the options shown in the following picture.

The defaults are fine; click Next.

Click Next.

Click Next.

Keep the default here and click Next, or choose according to your needs.

Click Next.

The setting below can be changed and is generally kept at 20 years or so, but that is not needed here; just keep the default.

This is the storage location of the certificate service; you can change it if you have the resources.

Click Configure.

The configuration succeeded.

Deploy the certificate:

The certificate is used for: SMTP communication between transport servers (using Transport Layer Security); HTTP communication (using Secure Sockets Layer) for client access methods such as Outlook Web App, Outlook Anywhere, Exchange ActiveSync, and Exchange Web Services; and HTTP communication for federated authentication. Combined with Outlook Anywhere, client computers can easily connect to the Exchange server, which makes it less difficult for users to connect to Exchange. Let's first look at how to deploy the certificate.

First of all, we need a CA server. We install the certificate service on the DC: open the server roles and select "Active Directory Certificate Services", as shown in the following figure:

Configure certificate

Open EMC > Server Configuration and select the server in the upper pane. You can see a self-signed certificate that was generated when Exchange was installed. This self-signed certificate is not usable; ignore it for now. Then click "New Exchange Certificate" on the right, as shown below:

After selecting "New Exchange Certificate", the following window appears:

Enter a friendly name here; I used exhcnage2010. After clicking Next, the following figure appears:

On the "Domain Scope" page, select the "Enable wildcard certificate" check box if you want to create a wildcard certificate that automatically applies to all subdomains. This is practical for managing an organization that has subdomains. This environment has no subdomains, so there is no need to use "Enable wildcard certificate"; go to the next step.

 

Configure the fully qualified domain name (FQDN) for each client access method. For example, if users will enter mail.uec.com to reach the OWA website from the Internet, you must set this value in the [Outlook Web App is connected to the Internet] field. Other services, such as Exchange ActiveSync and Outlook Anywhere, can be set separately or use the same name. If you don't use services such as POP3 or IMAP, you can skip their settings. Click [Next] to continue.

 

In this interface, you can view the list of names that will be added to the certificate. You can add, edit or delete names as needed; here the list is kept as it is.

In this interface, fill in the certificate's information as in the example (it serves to protect the rights and interests of users), and enter the path of the certificate request file, which can be a shared path on the certificate server.

In this interface, click "New" to generate the certificate request file.

You can now see the newly created Exchange certificate, UEC-MAIL, in the EMC console. However, it is still a pending certificate signing request, and the following steps are needed to complete it.

Next, use Internet Explorer to connect to the web page of the CA certificate server ( http://dc.srv.com/certsrv ) and select the [Request a certificate] link on this page. The "Request a Certificate" page then opens.

On the [Advanced Certificate Request] page, select [Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file] to continue. Copy the text content of the certificate request file into the form, then select [Web Server] from the [Certificate Template] drop-down menu, and click the [Submit] button.

Click "Submit".

On the page shown in the figure below, select the [DER encoded] option and then click [Download certificate]. A dialog box then prompts for the storage location of the certificate file; here it is stored as C:\certnew.cer.

Next, return to the Exchange Management Console. In the "Server Configuration" node, first select the new certificate item just created, then select "Complete Pending Request" in the "Actions" pane to continue, as shown in the figure below:

After the [Complete Pending Request] wizard opens, click [Browse] and open the stored new certificate file, as shown in the following figure:

 

The page shown in the figure below appears:

Click "Finish". The operation is not completely over yet. Although the status of the certificate has changed from "This is a pending certificate signing request" to "The certificate is valid and can be used for Exchange Server", the Services field of this certificate still shows "None". This means the certificate has not been assigned to any service, so it cannot yet be used for secure connections. We still need to assign services to the certificate: select the certificate and click "Assign Services to Certificate..." in the Actions pane, or right-click the certificate name and choose the same command.

The "Assign Services to Certificate" wizard then appears. Confirm that the Exchange Server 2010 server to which the certificate's services will be assigned has been added.

In the "Assign Services" interface, tick all the services that will use the certificate. In this example the "Unified Messaging" service is not used; it was not needed when creating the certificate, and it does not need to be selected here either.

After clicking Next, click Assign, and the interface shown in the figure below appears:

In this interface, select "Yes to All" to overwrite the existing default SMTP certificate and complete the installation of the service certificate. After completion it looks like the figure below:

If users need to view certificate information or renew certificates, they can do so in this management interface. You can also use the Get-ExchangeCertificate | FL command to view the status of the Exchange certificate, as shown in the following figure:

The above only completes the certificate deployment for one service.
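The wizard steps above (create the request, submit it to the CA with the Web Server template, complete the pending request, assign services) can also be run from the Exchange Management Shell. This is an added example, not part of the original post; the request file path, the c= and o= subject values and the autodiscover name are assumptions, while UEC-MAIL, mail.uec.com and C:\certnew.cer come from the page.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell
# on the Exchange 2010 server that will hold the certificate.
$friendlyName = 'UEC-MAIL'                               # name shown in the EMC on the page
$subject      = 'c=US, o=UEC, cn=mail.uec.com'           # c= and o= values are assumptions
$domains      = 'mail.uec.com', 'autodiscover.uec.com'   # autodiscover name is an assumption
$reqFile      = 'C:\certreq.req'                         # assumed path for the request file
$cerFile      = 'C:\certnew.cer'                         # path used on the page

# 1. Generate the PKCS #10 request ("New Exchange Certificate" wizard).
#    The private key is created and kept on this server; only the request
#    text is handed to the CA. -PrivateKeyExportable is needed later if the
#    certificate is to be exported to a second server.
$request = New-ExchangeCertificate -GenerateRequest -FriendlyName $friendlyName `
    -SubjectName $subject -DomainName $domains -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $request

# 2. Submit the request to the CA with the Web Server template (the certsrv
#    web page step). Without -config, certreq asks which CA to use.
certreq -submit -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Complete the pending request with the issued certificate.
$bytes = [Byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Assign every service except Unified Messaging, as on the page. The shell
#    asks before replacing the default SMTP certificate, like "Yes to All".
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 5. Check the result: Services must no longer be "None", the certificate
#    must not be self-signed, and the expected names must be listed.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Thumbprint, Status, Services, IsSelfSigned, NotAfter, CertificateDomains
```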

Export the certificate.

Import the certificate into ex02.

The import succeeds, as shown below.

Successfully imported

Keep adding

Click "Yes to All"

Deployment complete
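The export and import to ex02 described above, as an Exchange Management Shell sketch. This is an added example, not part of the original post; the PFX path is an assumption, and it relies on the certificate's private key having been created as exportable.

```powershell
# Added example, not from the original page.
$pfxFile = 'C:\uec-mail.pfx'    # assumed path; the PFX contains the private key

# Find the CA-issued certificate by the name shown in the EMC on the page.
$source = Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq 'UEC-MAIL' -and -not $_.IsSelfSigned }
if (@($source).Count -ne 1) { throw 'Expected exactly one UEC-MAIL certificate.' }

# Export certificate and private key, protected by a password typed at the
# prompt (kept as a SecureString, never written to the script).
$pfxPassword = Read-Host 'Password for the PFX file' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $source.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxFile -Value $export.FileData -Encoding Byte

# Import into ex02 and assign the same services there.
$pfxBytes = [Byte[]](Get-Content -Path $pfxFile -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -Server 'ex02' -FileData $pfxBytes `
    -Password $pfxPassword
Enable-ExchangeCertificate -Server 'ex02' -Thumbprint $imported.Thumbprint `
    -Services IIS,SMTP,POP,IMAP

# The PFX is a copy of the private key; remove it once the import is done.
Remove-Item -Path $pfxFile

# Both servers should now report the same thumbprint with services assigned.
Get-ExchangeCertificate -Server 'ex02' -Thumbprint $imported.Thumbprint |
    Format-List Thumbprint, Status, Services, NotAfter
```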

Set up Outlook Anywhere:

In Microsoft Exchange Server 2010, the Outlook Anywhere feature (previously called RPC over HTTP) lets clients running Microsoft Office Outlook 2010, Outlook 2007 or Outlook 2003 connect to the Exchange server from outside the company network or over the Internet. To enable it, open EMC > "Server Configuration" > "Client Access" > "Server1" and click "Enable Outlook Anywhere", as shown in the figure below:

Type in the external host name "ex02.srv.com", select basic authentication as the client authentication method, and click "Enable", as shown below:

Once it looks like the following picture, with the external URL, the setup is considered complete.
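The same Outlook Anywhere setting from the Exchange Management Shell, followed by a check that the certificate bound to IIS actually lists the external host name. This is an added example, not part of the original post; Server1 and ex02.srv.com are the values shown on the page. With basic authentication the password travels with each request, so it is protected only by the TLS session that this certificate secures.

```powershell
# Added example, not from the original page.
$casServer    = 'Server1'        # Client Access server as named in the EMC path on the page
$externalHost = 'ex02.srv.com'   # external host name from the page

# Enable Outlook Anywhere with basic authentication; TLS terminates on the
# Exchange server itself, so SSL offloading is off.
Enable-OutlookAnywhere -Server $casServer -ExternalHostname $externalHost `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

Get-OutlookAnywhere -Server $casServer |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# Outlook refuses the connection if the name it connects to is not in the
# certificate. Look for a certificate that is assigned to IIS and lists the
# external host name (exact match only; wildcard names are not evaluated).
$covering = Get-ExchangeCertificate -Server $casServer | Where-Object {
    "$($_.Services)" -match 'IIS' -and
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $externalHost)
}

if (-not $covering) {
    Write-Warning "No IIS certificate on $casServer lists $externalHost."
} else {
    $covering | Format-List Thumbprint, IsSelfSigned, NotAfter, CertificateDomains
}
```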

This concludes the certificate deployment.

Origin blog.csdn.net/weixin_47347190/article/details/109673743