What is the correct way to issue a wildcard certificate?

Андрей Михалевский 2,726 Reputation points
2024-07-02T15:18:52.1233333+00:00

Hi. I just deployed 3 servers in a lab environment.

Active Directory - Windows Server 2022

Active Directory Certificate Services - Windows Server 2022

Exchange - CU 14, latest SU - Windows Server 2022

3 virtual machines.

I want to issue a wildcard certificate for Exchange and then use it for other services.

What I did: Issued a certificate as described in the documentation: https://video2.skills-academy.com/en-us/exchange/architecture/client-access/create-ca-certificate-requests?view=exchserver-2019

EX01

It's working just fine.

Now I want to make a wildcard certificate.

EX02

Now the owa\ecp web interface does not trust this certificate and shows an error about the common name. But if I open the certificate, it has a full chain of trust.

Can you please tell me how to form a wildcard certificate correctly? I think the article has not been updated, or there were some changes in Exchange Server.

Translated with DeepL.com (free version)

UPD: I think I jumped to conclusions.

EX03

EX4

EX5

EX6

EX07

1 answer

    Jake Zhang-MSFT 2,635 Reputation points Microsoft Vendor
    2024-07-03T07:03:11.78+00:00

    Hi @Андрей Михалевский,

    Welcome to the Microsoft Q&A platform!

    According to your description, you want to issue a wildcard certificate for Exchange, but the owa\ecp web interface does not trust this certificate and displays an error.

    After my research, I suggest that you can follow the steps below to issue a wildcard certificate:

    1. Purchase or generate a wildcard certificate from a certificate authority (CA). Wildcard certificates usually cover all subdomains of a domain (for example, "*.yourdomain.com").

    2. When creating a certificate signing request (CSR), make sure to specify the wildcard domain (for example, "*.yourdomain.com") as the common name (CN). To create a Base64-encoded request file for a wildcard certificate, run the following command:

    $txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Contoso.com Wildcard Cert" -SubjectName "C=US,CN=*.contoso.com"

    [System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso Wildcard Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

    3. Submit the CSR to the CA of your choice to obtain a wildcard certificate. With an internal AD CS CA, pass the request file written in step 2:

    certreq -submit -attrib "CertificateTemplate:Webserver" "\\FileServer01\Data\Contoso Wildcard Cert.req"

    4. Import the certificate using the Exchange Management Shell (EMS):

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Path\To\Your\Certificate.pfx" -Encoding Byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'YourPfxPassword' -AsPlainText -Force)

    5. Assign the new wildcard certificate to the desired Exchange services (SMTP, IMAP, POP, IIS):

    Enable-ExchangeCertificate -Thumbprint <YourCertificateThumbprint> -Services SMTP,IMAP,POP,IIS

    6. Use the EMC (Exchange Management Console) or ECP (Exchange Admin Center) to verify that the services are assigned and the wildcard certificate is being used.

    7. In DNS Manager, make sure the DNS records are correctly pointing to the servers for the services you are using.

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang
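A name-mismatch error in OWA/ECP means the hostname in the browser's address bar is not covered by any name in the certificate that IIS presents; a wildcard entry such as *.contoso.com covers exactly one DNS label (mail.contoso.com but not contoso.com or a.mail.contoso.com), so a server FQDN in a different lab domain still fails. The check below is an added example, not part of the answer above or of the linked Microsoft article; it is run in the Exchange Management Shell on the Exchange server and assumes the cmdlets and properties named in it (Get-ExchangeCertificate, the virtual-directory cmdlets, Get-ClientAccessService) are available as in Exchange 2019.

```powershell
# Compares every client-facing URL configured on this Exchange server with the
# names in the certificate bound to IIS, applying the wildcard rule browsers use.
function Test-CertDomainMatch {
    param([string[]]$CertDomains, [string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $CertDomains) {
        $d = $d.ToLowerInvariant()
        if ($d -eq $h) { return $true }                 # exact SAN/CN entry
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                   # "*.contoso.com" -> ".contoso.com"
            $hostLabels = ($h -split '\.').Count
            $certLabels = ($d -split '\.').Count
            # Wildcard replaces exactly one label: same label count and same suffix.
            if ($h.EndsWith($suffix) -and $hostLabels -eq $certLabels) { return $true }
        }
    }
    return $false
}

$server = $env:COMPUTERNAME
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { Write-Warning "No certificate is bound to IIS on $server"; return }
"IIS certificate: $($iisCert.Thumbprint)  Subject: $($iisCert.Subject)"
"Covered names:   $($iisCert.CertificateDomains -join ', ')"

# URLs clients actually connect to, taken from this server's own virtual directories.
$urls = @()
$urls += (Get-OwaVirtualDirectory -Server $server)         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-EcpVirtualDirectory -Server $server)         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-WebServicesVirtualDirectory -Server $server) | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-ActiveSyncVirtualDirectory -Server $server)  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri

foreach ($u in ($urls | Where-Object { $_ })) {
    $hostName = ([uri]$u).Host
    $ok = Test-CertDomainMatch -CertDomains $iisCert.CertificateDomains -HostName $hostName
    "{0,-4} {1}" -f ($(if ($ok) { 'OK' } else { 'FAIL' }), $u)
}
```

Any URL reported as FAIL must either be changed (Set-OwaVirtualDirectory and friends) to a name under the wildcard, or the certificate must be reissued with that name as an additional subject alternative name.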