Wednesday, May 13, 2009

Exporting Existing SSL OWA Certificates from Exchange 2003 FES to Exchange 2007 SP1 CAS on Windows 2008…

You have one Exchange 2003 Front End Server (published to the Internet through a firewall) which is currently proxying all OWA, OMA and ActiveSync traffic to your Exchange 2003 back-end servers (no other protocols).

You have a single Forest / Domain with (lucky as I am) a single site.

You have installed the Exchange 2007 Client Access Server role into your Exchange organisation and wish to move all of the duties from your Exchange 2003 Front End Server to the new Exchange 2007 Client Access Servers (which, again luckily for me, amount purely to OWA / ActiveSync traffic).

You also have an existing third-party SSL certificate (issued by a company such as VeriSign or Thawte) that you need to move across to the new CAS. To make things fun, you are also using Windows 2008 (I suspect that this method will also work on Windows 2003, but I have chosen Windows 2008 as the focal O/S for this article as it is part of my migration strategy).

What I would like to take you through is how you can port your SSL certificate from OWA on an Exchange 2003 FES to providing SSL support for OWA requests via an Exchange 2007 CAS.

Step 1 – Export the Existing SSL Certificate:

There are two stages to this process:

  1. Creating a .pfx file from IIS on your Exchange 2003 server – this is then imported into IIS 7 on the Exchange 2007 CAS.
  2. Ensuring that you have a copy of the original .cer file (the SSL certificate) from your issuer – this is not essential, but it really does help remove an element of complexity during the migration process. This article assumes that you have the original .cer file (if you do not have it, e-mail me and I will elaborate on what you can do with the .pfx file).

Exporting the SSL Certificate from your Exchange 2003 FES:

From the Windows 2003 Start Menu on your Exchange 2003 Front End Server go to [ Start -> Programs -> Administrative Tools -> Internet Information Services (IIS) Manager ] – see below:

When the IIS Manager opens, expand the “Web Sites” node, right click on the “Default Web Site” and then from the context menu that appears choose the “Properties” option – see below:

From the dialog box that appears choose the “Directory Security” tab – then from the “Secure Communications” area click on the “Server Certificate” button:

You will then be presented with the “Web Server Certificate Wizard” welcome page – click on the “Next” button to begin the export process:

From the dialog box that appears choose the “Export the Current certificate to a .pfx file” and then click on the “Next” button:

You will be asked to provide a path for the .pfx export file – you can choose any path, but ensure that it can be reached from your CAS server via UNC. For example, below I have exported the .pfx file to the local C: drive on my Exchange 2003 FES server, so when I need it on my CAS server later I would access it using the following: \\\c$ – when you are happy with the path click on the “Next” button:

The next dialog box requires you to provide a password for the .pfx file (this password protects the private key contained in the file) – enter your password, but make sure that you remember it, as you need it for the import process later on in the article. When you are happy with the password click on the “Next” button:

You will then be provided with a summary of the certificate that you have chosen to export from your FES – it should look similar to the one below (although please note that I have removed certain identifying detail from my example for security reasons) – review the detail and click on the “Next” button:

You will then be presented with the “Wizard completed” dialog box – click on the “Finish” button to complete this stage of the process.

Now that you have the exported .pfx file stored locally on your Exchange 2003 FES, you should also locate your original .cer file (the one issued by your certification authority) and place it in the same location as the .pfx file, ready to be copied over to your Exchange 2007 SP1 CAS server running on Windows 2008.

Step 2 – Import the SSL Certificate to the CAS and make it functional:

At this stage we should now have the exported SSL certificate (.pfx) and the original certificate (.cer) as issued by your certification provider located on the same UNC path, from where they can be copied to the CAS server.

Logon to your Windows 2008 / Exchange 2007 SP1 Client Access Server then open [ START -> RUN ] – see below:

Then within the “RUN” dialog box that appears type in the UNC path which corresponds to where the .pfx and .cer files on the Exchange 2003 Front End Server are located – see below:

From the Explorer window that opens, copy the .pfx and the .cer file to a location on your CAS server – see below for an example of the UNC window open at the location where the required files reside in my test rig.

When the files have been copied over from your Exchange 2003 server to your Exchange 2007 / Windows 2008 server, on the Windows 2008 CAS server open the IIS 7.0 management snap-in [ START -> Programs -> Administrative Tools -> Internet Information Services (IIS) Manager ] – see below:

When the IIS 7.0 Manager opens click on the server node and the right-hand pane will change to display a number of options – see below:

Double click on the “Server Certificates” option – this will change the screen to display the currently installed (self-generated) SSL certificate for your Client Access Server. Right click on the entry and from the context menu that appears choose the “REMOVE” option – see below:

When the certificate has been removed “MINIMISE” the IIS Management console (don’t close it).

From the Start Menu open the Exchange Management Shell [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ] – see below:

When the management shell opens type in the following command:

Import-ExchangeCertificate -Path

Below is an example of the output from my environment:

Ensure that you take a note (or copy into Notepad) of the Thumbprint (this is the long hexadecimal string) that is displayed in the Management Shell output.

Restore the IIS 7.0 Manager from the task-bar (or, if you closed the IIS 7 Manager, reopen it from Administrative Tools as described above), then navigate to “Server Certificates” (this is accomplished by clicking on the name of your server in the left-hand pane and then choosing the “Server Certificates” icon). The middle window will change – right click and from the context menu that appears choose “Import” – see above.

You will then be presented with the “Import Certificate” dialog box – click on the “” button and navigate to the location where you stored the .pfx file that you exported and then copied from your Exchange 2003 FES to your Exchange CAS server – you will then need to provide the password (the one protecting the private key) that you specified during the export process.

When you have successfully imported the certificate, the IIS “Server Certificates” window will change to display the imported certificate.

At this stage you will need the “Thumbprint” of the certificate (you should have taken a note of it earlier in the process) – if you did not, then don’t worry: locate and then double click on your certificate file (the .cer file) and then from the dialog box that appears choose the “Details” tab – scroll down to the “Thumbprint” entry, copy the value into Notepad and remove the spaces.

Close the IIS Manager, then open an Exchange Management Shell window [ START -> Programs -> Microsoft Exchange Server 2007 -> Exchange Management Shell ] and type in the following command:

Enable-ExchangeCertificate -Thumbprint -Services IIS

See below:
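The Step 2 Management Shell commands, gathered into one script as an added example (this is not the article author's script): it imports the copied .pfx, obtains the thumbprint either from the import output or from the original .cer file (which saves copying it from the “Details” tab and stripping the spaces by hand), binds the certificate to IIS, and then checks that the certificate carries a private key and that the OWA host name is actually one of the names in the certificate. The file paths under C:\CertMigration and the owa.mydomain.com host name are assumptions taken from the article's examples; the cmdlet syntax is the Exchange 2007 form (-Path / -Password), which changed in later versions.

```powershell
# Added example, not part of the original article. Assumed locations of the files
# copied across from the Exchange 2003 FES (Step 2 of the article).
$PfxPath = 'C:\CertMigration\owa.pfx'
$CerPath = 'C:\CertMigration\owa.cer'

# Password chosen during the IIS 6 export wizard: prompted for, never stored in the script.
$PfxPassword = (Get-Credential).Password

# Import the certificate and its private key into the local machine store
# (Exchange 2007 SP1 syntax; the cmdlet echoes the certificate, including its Thumbprint).
$imported = Import-ExchangeCertificate -Path $PfxPath -Password $PfxPassword
$Thumbprint = $imported.Thumbprint

# Fallback: read the thumbprint straight from the original .cer file, which is the same
# value the "Details" tab shows but without the spaces.
if (-not $Thumbprint) {
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $Thumbprint = $cer.Thumbprint
}

# If the value was pasted from the "Details" tab, remove whitespace and normalise case.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

# Bind the certificate to the IIS service (OWA / ActiveSync on the CAS).
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS

# Verification: the certificate is present, has its private key, is enabled for IIS and
# contains the host name that clients use (the article's example name is assumed here).
$OwaHost = 'owa.mydomain.com'
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$cert | Format-List Subject, CertificateDomains, Services, HasPrivateKey, NotAfter

if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key present: the .pfx (not the .cer) must be imported.'
}
if ($cert.CertificateDomains -notcontains $OwaHost) {
    Write-Warning "$OwaHost is not a name in this certificate; clients will see a name mismatch once DNS points at the CAS."
}
```

Running the script from the Exchange Management Shell on the CAS replaces the manual note-taking of the thumbprint; the final two checks catch the two common failures after a migration like this one, a certificate imported without its private key and a certificate whose names do not match the host name that DNS will be changed to.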

When you have completed the above you should now have ported your existing SSL certificate from your Exchange 2003 FES server to your new Exchange 2007 CAS server. You will now need to change all DNS entries and host headers to point to your new CAS server (otherwise you will get a certificate mismatch based around the host name) – so for example:

If the FQDN of your original Exchange 2003 FES was http://owa.mydomain.com (and your SSL certificate was issued to that name [ Friendly name / Host ]) you will need to change all IP and DNS settings so that they point to the new address of your CAS server (or, if you have used NLB with your CAS servers, the published NLB address).

Obviously this article represents a very simple scenario; however, it does form the basis of a simple SSL certificate migration from Exchange 2003 to Exchange 2007. If you are interested in more complicated scenarios, please post a comment describing your situation and I will be happy to expand in further detail.

2 comments:

Anonymous said...

I can tell what you mean. Great thoughts and they have really opened my own eyes to the opportunity of what you’re declaring. You definitely have got a lot of responses on this article! cheap wildcard ssl

mogali said...

Cheap Wildcard SSL - Cheap SSL certificates (including wildcard and multi-domain (SAN) SSL certificates) from Comodo, GeoTrust, Thawte and Symantec (VeriSign)