Ask a Question

Solution ID : SO6392

  • RapidSSL

Certificate Signing Request (CSR) Generation Instructions for Microsoft Exchange 2007

Solution


This document provides instructions for generating a Certificate Signing Request (CSR) for Exchange 2007. If you are unable to use these instructions for your server, RapidSSL recommends that you contact Microsoft.

NOTE: To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match.

NOTE: All certificates that will expire after October 2013 must have a 2048 bit key size.

To generate a CSR,  use the Exchange Management Shell and perform the following steps:
 
    1.    Click Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
    2.    The CSR needs to contain the following attributes:

  • Common Name (CN): The Fully Qualified Domain Name that the certificate will be issued to and secure.
    NOTE: RapidSSL certificates can only be used on Web servers using the Common Name
    specified during enrollment. For example, a certificate for the domain "domain.com" will
    receive a warning if accessing a site named "www.domain.com" or "secure.domain.com",
    because "www.domain.com" and "secure.domain.com" are different from "domain.com".
  • Organization (O): The Registered Organisational Name the certificate belongs to.
    If the company or department has an &, @, or any other symbol using the shift
    key in its name, the symbol must be spelled out or omitted, in order to enroll.
    For example: "XY & Z Corporation" would be "XYZ Corporation" or "XY and Z Corporation".
  • Organisational Unit (OU): The Department within the Organisation
  • State (S): The business registered state or province. Do not abbreviate the state or province name, for example: California not CA
  • Locality (L): The Business registered location/city (not the actual server location).
  • Country/region (C): The two letter ISO country code
     

    3.    Here is an example of the proper command syntax:

New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, S=State, L=City, O=Company Name, OU=Organizational Unit, CN=www.website.com" -privatekeyexportable:$true -keysize 2048 -Path c:\certificate_request.txt

           
           NOTE: For all certificates the key bit length must be 2048 (-keysize 2048) 
           For further reference please check the Microsoft Knowledge Base here

           NOTE: Requirements for Subject Alternative Name certificates
           The Certificate Signing Request (CSR) file should contain the common name only.

    4.    Proceed with Enrolment and paste the file you created from the above steps into the
           enrollment form when requested for the CSR.


Once the certificate has been issued, refer to this link for installation instructions: SO14293