September 20, 2012
First we need to create the certificate request. There are a few ways to do it, but I found this to be the easiest.
Method 1 – Manual
- Click on Start, Run, type mmc and click OK.
- Choose File > Add or Remove Snap-ins
- Select Certificates and click Add >. When prompted, choose Computer account and click Next. Keep it on the local computer and click Finish.
- Expand Personal > Certificates. Right click on Certificates and choose All Tasks > Advanced Operations > Create Custom Request.
- Click Next, then Next again. Choose “(No template) Legacy key” for the template, keep it as PKCS #10. Click Next.
- Click on the down arrow next to details, then properties.
- Under General enter a name that will identify this certificate, and a description if you want to.
- Under Subject, choose the type Common name and enter the name your customers will be connecting to, for example mail.domain.com
- Because this is Exchange, under the Alternative name section choose DNS as the type and enter the FQDN of each of your Client Access servers. To be safe I also include the Edge Transport servers. If you want to, you can also choose IP Address and add the IP addresses of all of the Client Access servers.
- Under Extensions, expand Key usage and add Data encipherment and Key encipherment. Under Extended Key Usage (application policies) add Server Authentication and Client Authentication.
- Under the Private Key tab, expand Cryptographic Service Provider and make sure “Microsoft RSA SChannel Cryptographic Provider (Encryption)” is selected. If you would like to, check “Make private key exportable” under Key options. Under Key type choose Exchange; do not leave it on Signature.
- Click OK, then click Next. Enter a file name, make sure it is Base 64, then click Finish.
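
The same settings can be written as a `certreq` request file, which makes them reviewable and repeatable. This is an added example, not part of the original post; the host names, file paths, key length and the non-exportable default are assumptions.

```powershell
# Added example. Host names, paths and key size are placeholders, not from the post.
$CommonName = 'mail.domain.com'
$SanNames   = @('mail.domain.com', 'cas01.domain.local', 'edge01.domain.local')  # hypothetical servers
$KeyLength  = 2048      # assumption: the post does not state a key size
$Exportable = 'FALSE'   # the post leaves this optional; use 'TRUE' only if the key must move between servers
$InfPath    = Join-Path $env:TEMP 'exchange-request.inf'
$ReqPath    = Join-Path $env:TEMP 'exchange-request.req'

# One "_continue_" line per DNS name for the Subject Alternative Name extension (2.5.29.17).
$sanLines = $SanNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }

$inf = @(
    '[Version]'
    'Signature = "$Windows NT$"'
    ''
    '[NewRequest]'
    ('Subject = "CN={0}"' -f $CommonName)
    'RequestType = PKCS10'                 # same request format as in the wizard
    'MachineKeySet = TRUE'                 # Computer account store
    'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"'
    'ProviderType = 12'                    # PROV_RSA_SCHANNEL
    'KeySpec = 1'                          # AT_KEYEXCHANGE ("Exchange"), not 2 (Signature)
    ('KeyLength = {0}' -f $KeyLength)
    ('Exportable = {0}' -f $Exportable)
    'KeyUsage = 0x30'                      # Key encipherment (0x20) + Data encipherment (0x10)
    ''
    '[EnhancedKeyUsageExtension]'
    'OID = 1.3.6.1.5.5.7.3.1'              # Server Authentication
    'OID = 1.3.6.1.5.5.7.3.2'              # Client Authentication
    ''
    '[Extensions]'
    '2.5.29.17 = "{text}"'
) + $sanLines

Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Run from an elevated prompt: MachineKeySet writes the key to the computer store.
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the request before submitting it: check the SAN list, key usage and EKUs.
certutil.exe -dump $ReqPath
```

`certreq -new` writes the request as Base64 by default, matching the last step above.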