Security is a huge concern when it comes to email. Email is the primary communication mechanism for many businesses, and sensitive information is passed both externally and internally via email every day. Since we cannot leave it to chance that an attacker might intercept mail in transit, we protect the connections with SSL/TLS: a server certificate issued to the Exchange server lets clients (Outlook Web Access, Outlook Anywhere, ActiveSync and Autodiscover) authenticate the server and encrypt their HTTPS sessions, and the same certificate lets SMTP connections between servers, both internally and with external mail systems, be upgraded to TLS.

With the level of importance of SSL certificates, you would think that the Exchange developers would have made it a top priority to make sure that it is easy to generate the certificate signing request (CSR) that is sent to a certificate authority (CA), which signs it and returns a certificate that chains to a root the clients already trust. The process is not easy, though, and it involves using the Exchange Management Shell to generate the CSR. There should be a utility in the Exchange Management Console for generating the necessary CSRs, but for now this was the command that I used:

New-ExchangeCertificate -GenerateRequest -DomainName longhorn.aaronmarks.com -SubjectName "C=US,DC=aaronmarks,DC=com,S=Washington,L=Seattle,O=AM IT Consulting,OU=IT,CN=longhorn.aaronmarks.com" -path D:\certificates\longhorn.aaronmarks.com.req

I would detail all of the parameters necessary for creating an SSL certificate, but John Speare from Microsoft has already written a great Knowledge Base article about all of the parameters to use when generating an SSL certificate in the Exchange Management Shell. He has also gone into depth in this blog post detailing issues he ran into while creating Exchange 2007 SSL certificates.

A really interesting thing to note about the way Exchange 2007 works is that it is broken up into a number of server roles that can be installed on different servers. Because of this, and because of the requirements of Exchange 2007's new Autodiscover service, it is often necessary to have multiple (sub)domain names in a single certificate: the external name clients connect to, the autodiscover.<domain> name Outlook looks up, and the server's internal FQDN. Such subject alternative name (SAN) certificates are sometimes marketed as "Exchange 2007" or Unified Communications certificates. There are currently only a handful of CAs offering them, but Microsoft has a KB article, updated over time, showing which CAs do offer the service.
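Putting the two previous points together, here is an added example (not from the original post, and not the author's command above) of the full cycle for a multi-name certificate in the Exchange Management Shell: generate a CSR whose Subject Alternative Name list covers the external name, the Autodiscover name and the internal FQDN, import the certificate the CA returns, verify that the CA actually kept every requested name, and bind it to the services that present it. All host and organisation names (contoso.com, mail.contoso.com, autodiscover.contoso.com, exch01.corp.contoso.com, "Contoso") and the D:\certificates paths are constructed placeholders; the cmdlet syntax assumed is Exchange 2007's, where Import-ExchangeCertificate still takes -Path.

```powershell
# Added example, not the original post's code. contoso.com and the server
# name exch01.corp.contoso.com are constructed placeholders; the cmdlet
# parameters assume Exchange 2007. Run on the Client Access / Hub Transport
# server in the Exchange Management Shell.

# 1. Generate a CSR that carries every name clients and peer servers will use.
#    -DomainName populates the Subject Alternative Name extension; include
#    the CN from -SubjectName in it as well so the two never disagree.
#    The private key is created and kept on this server; only the request
#    leaves it. -PrivateKeyExportable is only needed if the finished
#    certificate must later be copied to another Client Access server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US,S=Washington,L=Seattle,O=Contoso,OU=IT,CN=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com, exch01.corp.contoso.com `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "Contoso Exchange 2007 SAN certificate" `
    -Path D:\certificates\mail.contoso.com.req

# 2. Submit D:\certificates\mail.contoso.com.req to the CA. When the signed
#    certificate comes back, import it; Exchange matches it to the pending
#    request by public key and attaches the private key.
$cert = Import-ExchangeCertificate -Path D:\certificates\mail.contoso.com.cer

# 3. Inspect what was actually issued before trusting it in production.
#    Some CAs silently drop SAN entries they cannot validate (an internal
#    FQDN, for instance), and a missing name means certificate warnings
#    for every client that connects with it.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Status, Services

$expected = 'mail.contoso.com', 'autodiscover.contoso.com', 'exch01.corp.contoso.com'
$missing  = $expected | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
}

# 4. Bind the certificate to the services that present it: IIS for OWA,
#    Outlook Anywhere, ActiveSync and Autodiscover; SMTP for TLS with other
#    Hub Transport servers and external MTAs. Add POP,IMAP only if in use.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Confirm the default self-signed certificate no longer owns those
#    services; it can be removed once nothing else references it.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, CertificateDomains, NotAfter -AutoSize
```

The check in step 3 is the part most often skipped: a certificate that imports and enables cleanly can still be missing the Autodiscover name, and the failure then shows up only as Outlook prompts on client machines rather than as an error in the shell.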
