Generating SSL Certificates for ISA Server 2006 – Microsoft Exchange Server 2007 services: OWA, ActiveSync, OutlookAnywhere
Useful links:
- New-ExchangeCertificate cmdlet on Microsoft Technet: http://technet.microsoft.com/en-us/library/aa998327.aspx
- Get-ExchangeCertificate cmdlet on Microsoft Technet: http://technet.microsoft.com/en-us/library/bb124950.aspx
- Import-ExchangeCertificate cmdlet on Microsoft Technet: http://technet.microsoft.com/en-us/library/bb124424.aspx
We need certificates to publish internal Exchange 2007 services (such as OWA, ActiveSync and OutlookAnywhere) through Microsoft ISA 2006. We want to obtain a private SSL certificate from an internal Certification Authority (CA). To do that, we first have to generate a certificate request, for example with the Exchange Management Shell, the Exchange Server 2007 tool built on Microsoft Windows PowerShell technology.
1. Creating a certificate request (CSR) for ActiveSync service using Exchange Management Shell
- Log on to the Exchange Server 2007
- Start Exchange Management Shell
- Type the following cmdlet:
New-ExchangeCertificate -GenerateRequest -Path c:\activesync.mydomain.com.csr -KeySize 1024 -SubjectName "CN=activesync.mydomain.com, O=My Company Inc., L=Phoenix, S=Arizona, C=US" -PrivateKeyExportable $True
2. Viewing CSR-file contents
The CSR file is a text file, for example:
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END CERTIFICATE REQUEST-----
3. Uploading the certificate request to local CA by using the Certificate Web Enrollment Services
- Start Internet Explorer
- Browse to: http://<server name>/certsrv
- Select “Request a Certificate”
- Next
- Select “Advanced Certificate Request”
- Next
- Select “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file…”
- Paste the contents of the CSR file “activesync.mydomain.com.csr” into the first field
- Select “Web Server” as “Certificate Template”
- Submit
- Select “Base 64 Encoded” and “Download certificate”
- Save the file with the “CER” extension on the local disk
4. Importing the certificate using Exchange Management Shell
- Start Exchange Management Shell
- Type the following cmdlet:
Import-ExchangeCertificate -Path "c:\activesync.mydomain.com.cer"
5. Certificate verification using Exchange Management Shell
- Start Exchange Management Shell
- Type the following cmdlet:
Get-ExchangeCertificate | fl
6. Exporting the certificate to PFX-file
- Start > Run… > mmc > Add Snap-in > Select Certificates
- Select “Computer Account”
- Select “Local Computer…”
- Select from certificates list “activesync.mydomain.com” and open
- Select “Details” tab and “Copy to file”
- Select “Yes, Export the Private Key”
- Select “Personal Information Exchange” with options: “Include all certificates in the certification path if possible”, “Enable strong password…”
- Enter password
- Save the SSL certificate with the “PFX” extension on the local disk
7. Importing the private SSL-certificate into ISA 2006 server
- Copy SSL-certificate “activesync.mydomain.pfx” to ISA 2006 server
- Log on to the ISA Server
- Import the certificate PFX-file using “Certificates” Snap-in
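
A check to run on the ISA server after step 7 (or on the Exchange server after step 4), as an added example that is not part of the original post: it confirms that the certificate sits in the computer account's Personal store with its private key, chains to a root the machine trusts, carries the Server Authentication usage, and reports key size and remaining validity. The function name, the 2048-bit minimum and the 30-day expiry window are assumptions; a certificate requested with -KeySize 1024 as in step 1 will be reported with KeySizeOk = False.

```powershell
# Added example, not from the original post. Run on the ISA or Exchange server.
# Assumed values: default host name, 2048-bit minimum, 30-day expiry window.
function Test-PublishedCertificate {
    param(
        [string]$HostName = 'activesync.mydomain.com',
        [int]$MinKeySize  = 2048,
        [int]$MinDaysLeft = 30
    )
    $simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $noRevocation  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ekuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication

    # Computer account > Personal store, where the "Certificates" snap-in imports the PFX
    $found = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($simpleName, $false) -eq $HostName })
    if ($found.Count -eq 0) {
        Write-Warning "No certificate with CN=$HostName in LocalMachine\My"
        return
    }

    foreach ($cert in $found) {
        # The chain must end in a root this machine trusts (the internal CA's root).
        # Revocation lookups are skipped so the check also works without CRL access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $noRevocation
        $chainOk = $chain.Build($cert)

        # The "Web Server" template should yield the Server Authentication usage
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $serverAuth = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthOid })

        $keySize  = $cert.PublicKey.Key.KeySize   # RSA/DSA keys only
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        $cert | Select-Object Thumbprint, Subject, HasPrivateKey, NotAfter,
            @{ Name = 'KeySize';       Expression = { $keySize } },
            @{ Name = 'KeySizeOk';     Expression = { $keySize -ge $MinKeySize } },
            @{ Name = 'ServerAuthEku'; Expression = { $serverAuth } },
            @{ Name = 'ChainTrusted';  Expression = { $chainOk } },
            @{ Name = 'ExpiryOk';      Expression = { $daysLeft -ge $MinDaysLeft } }
    }
}

Test-PublishedCertificate | Format-List
```

HasPrivateKey = False on the ISA server means the PFX was exported without the key in step 6, and ChainTrusted = False usually means the internal CA's root certificate is missing from that machine's Trusted Root store.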
