Most of us know about the rather good and simple to use online DigiCert SSL CSR Generation tool.
For many of us, we are just looking for a simple means to create an SSL certificate for our Client Access Servers, which the DigiCert tool certainly offers. However, if like me you find (or found) yourself in the position where you have no direct access to the Internet from the Client Access Server (either for security reasons, or because you are working on a machine with no web connection), you will have to remember the PS1 command syntax to generate the CSR.
For situations like the above I decided to write the Exchange 2007 SAN CSR Generator, a small application based on the .NET 2.0 Framework which fits quite nicely on a USB pen or other media that you might use during the course of your Exchange endeavours.
In order to use the Exchange 2007 SAN CSR Generator – download it from the link above and follow the installation instructions which are provided.
When you run the tool you will be presented with the following screen:
Complete all of the fields on the screen as per your needs – pay particular attention to the following:
- Common Name – this is typically the FQDN of your Client Access Server in the outside world – so for example if you want your OWA users to connect to http://mail.mycompany.com/owa you would set the Common Name to “mail.mycompany.com”
- Organisation Name – Some SSL providers will check the data that you provide for the certificate against your domain’s WHOIS information – make sure that the Organisation Name that you provide is the same as it appears in the WHOIS registry
- Country – It is important that you correctly provide your country’s two-letter code – there is a full list of them provided here: http://www.digicert.com/ssl-certificate-country-codes.htm
- SAN (Subject Alternative Names) – you should provide all of the names which are required for a successful OWA and Autodiscover configuration here – for best-practice information on naming have a look here: http://www.digicert.com/ssl-support/exchange-2007-san-names.htm
For an example configuration, see below:
When you are happy with the entries – ensure that you have chosen a “Key Size” of “2048” (you can use a 1024 bit key size – but as a best practice for security you should choose a higher value to avoid weak SSL ciphers) and then click on the “Create” button – see below:
You should now see in the “Output” window there is a PowerShell command which can be executed from the Management shell on your Client Access Server – click on the “Save” button to export the command to a PowerShell script file (you can also copy and paste it directly into the Management Shell window – should you wish to save time).
Copy that file to your Client Access Server and then from the Exchange Management Shell execute the PS1 file – it will then create a CSR file in the location that you stipulated in the “CSR File Location” value in the interface.
You can then send the CSR to your SSL provider.
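A script of the kind this procedure produces, as an added example rather than the tool's actual output: it checks the key size, country code and SAN list before calling the Exchange 2007 `New-ExchangeCertificate` cmdlet. The host names, organisation and file path are constructed placeholders, and it must be run from the Exchange Management Shell.

```powershell
# Added example: every value below is a constructed placeholder.
$CommonName   = 'mail.mycompany.com'        # external FQDN users type for OWA
$Organisation = 'My Company Ltd'            # should match the domain's WHOIS record
$Country      = 'GB'                        # two-letter country code
$SanNames     = @('mail.mycompany.com', 'autodiscover.mycompany.com')
$KeySize      = 2048
$CsrPath      = 'C:\certs\mail_mycompany_com.csr'

# Refuse key sizes below the 2048 bits recommended above.
if ($KeySize -lt 2048) {
    throw "Key size $KeySize is below 2048 bits."
}

# The country must be exactly two letters.
if ($Country -notmatch '^[A-Za-z]{2}$') {
    throw "Country '$Country' is not a two-letter code."
}

# Reject empty or malformed host names before they end up in the request.
# (Assumption of this example: no wildcard names are used.)
foreach ($name in $SanNames) {
    if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "SAN entry '$name' is not a valid host name."
    }
}

# The Common Name should also be present in the SAN list.
if ($SanNames -notcontains $CommonName) {
    $SanNames = @($CommonName) + $SanNames
}

# Never overwrite an earlier request by accident.
if (Test-Path $CsrPath) {
    throw "A file already exists at $CsrPath."
}

$Subject = "c=$($Country.ToUpper()), o=$Organisation, cn=$CommonName"

# The private key is generated and kept on this server; only the CSR is written out.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName $Subject `
    -DomainName $SanNames `
    -KeySize $KeySize `
    -Path $CsrPath
```

Running `certutil -dump` against the resulting file shows the subject, SAN entries and key length of the request, which is a useful check before it is sent to the provider.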
If you want to keep the information from the session – click on the “Export” button which will create a text file in the location that you choose for future reference – see below:
The Exchange 2007 SAN CSR Generator is free for both commercial and personal use – as always please review my Policy before using any of my tools. I hope that you find this useful.