1. Use this link to generate the PowerShell cmdlet for your certificate request; running that command outputs the CSR: https://www.digicert.com/easy-csr/exchange2007.htm
2. Send the CSR to a trusted provider.
a. Entrust is my favorite but GoDaddy is the cheapest. Other UCC vendors include DigiCert and Comodo.
b. More detail here: http://support.microsoft.com/kb/929395
c. You’ll notice VeriSign isn’t on this list. They DO offer UCC but only if you spend thousands in their managed PKI program…
3. While Windows Mobile supports all of these vendors, understand that the iPhone and Palm may not.
a. Palm doesn’t support UCC at all, but you can get around that by using a UCC / SAN cert anyway, and just putting the OWA/ActiveSync FQDN as the primary name in the certificate. It just can’t read the alternate fields.
4. Once you get the certificate back, rename it to a .cer file.
5. Open PowerShell again and type: Import-ExchangeCertificate c:\filename.cer
6. Type Get-ExchangeCertificate to see your new cert at the top of the list. Copy the thumbprint to the clipboard.
7. Then type: Enable-ExchangeCertificate -Thumbprint xxx -Services iis, smtp, pop, imap, um
a. Don’t list all the services unless the role is actually installed on the box itself
b. If you intend to use the same cert on multiple servers, understand that may break your agreement with the Certificate Authority, and you have to import the key pair on the 2nd server before step 6 works.
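The following is a scripted version of steps 5 through 7, added here as an example (these are not the post's own commands). It applies the caution in 7a by building the service list from the roles Get-ExchangeServer reports on the local box, and it checks the private key and the primary name before binding anything. C:\filename.cer is the path used in the post; mail.example.com is a placeholder for your OWA/ActiveSync FQDN.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the server where the CSR was generated (that is where the private key lives).
$certPath    = 'C:\filename.cer'      # path from the post
$primaryName = 'mail.example.com'     # placeholder: your OWA/ActiveSync FQDN

# Step 5: import the issued certificate. Exchange matches it to the pending
# request's private key and returns the certificate object.
$cert = Import-ExchangeCertificate -Path $certPath

# Sanity checks before any service is bound to the certificate.
if (-not $cert.HasPrivateKey) {
    throw "No private key for $($cert.Thumbprint) on this server; was the CSR generated here?"
}
$names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $primaryName) {
    throw "Certificate does not contain $primaryName (names: $($names -join ', '))"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# Step 7a: only enable services for roles actually installed on this box.
$server   = Get-ExchangeServer -Identity $env:COMPUTERNAME
$services = @()
if ($server.IsClientAccessServer)       { $services += 'IIS', 'POP', 'IMAP' }
if ($server.IsHubTransportServer)       { $services += 'SMTP' }
if ($server.IsUnifiedMessagingServer)   { $services += 'UM' }
if ($services.Count -eq 0) {
    throw 'No CAS, Hub Transport or UM role found on this server; nothing to enable.'
}

# Steps 6 and 7: bind by thumbprint without copying it from the clipboard.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($services -join ',')

# Confirm what the server now presents for each service.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
```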
Misc:
- Palm OS cert list: http://www.palm.com/cgi-bin/cso_kbURL.cgi?ID=16733
- Windows Mobile cert list: http://blogs.msdn.com/jasonlan/archive/2006/03/14/550747.aspx
- iPhone cert list: http://support.apple.com/kb/HT2185
- Note that the iPhone may not like the certificate, but you can choose to use it anyway when creating the profile and it won’t bother you again.