What is the correct way to issue a wildcard certificate?

Андрей Михалевский 2,846 Reputation points
2024-07-02T15:18:52.1233333+00:00

Hi. I just deployed 3 servers in a lab environment.

Active Directory - windows server 2022

Active Directory Certificate Service - windows server 2022

Exchange - CU 14, last SU. - windows server 2022

3 virtual machines.

I want to issue a wildcard certificate for Exchange and then use it for other services.

What I did: Issued a certificate as described in the documentation: https://learn.microsoft.com/en-us/exchange/architecture/client-access/create-ca-certificate-requests?view=exchserver-2019

It's working just fine.

Now I want to make a wildcard certificate.

Now the owa\ecp web interface does not trust this certificate and reports an error on the common name. But if I open the certificate, it has a full chain of trust.

Can you please tell me how to form a wildcard certificate correctly? I think the article is not updated or there were some changes in Exchange server.

Translated with DeepL.com (free version)

UPD: I think I jumped to conclusions.


Accepted answer
  1. Jake Zhang-MSFT 3,185 Reputation points Microsoft Vendor
    2024-07-09T08:31:14.15+00:00

    Hi @Андрей Михалевский,

    Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others]", I'll repost your solution in case you'd like to "[Accept]" the answer : )     

    --------------   

    Issue Symptom: 

     The owa\ecp web interface does not trust a certificate and reports an error.

    Resolution:

    Please distribute the root certificate in AD CS:

    certutil -f -dspublish path_to_certificate RootCA

    Then reboot.
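The check behind this resolution, written here as an added example (it is not code from the thread or from Microsoft): it builds the chain of the certificate bound to IIS on the local Exchange server the way SChannel would, shows the exact chain status, and only if the root is missing publishes the root CA certificate to AD DS as the resolution describes. The file path C:\Certs\RootCA.cer is an assumed placeholder for the exported root CA certificate.

```powershell
# Added example, not from the thread. Run in an elevated Exchange Management Shell
# on the Exchange server. Assumed placeholder: C:\Certs\RootCA.cer is the exported
# root CA certificate (e.g. from "certutil -ca.cert" on the CA).
$rootCerFile = 'C:\Certs\RootCA.cer'

# Find the certificate currently bound to IIS (OWA/ECP) and load it from the machine store.
$exCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $exCert) { throw 'No certificate is assigned to the IIS service on this server.' }
$x509 = Get-Item "Cert:\LocalMachine\My\$($exCert.Thumbprint)"

# Build the chain. Revocation is skipped on purpose: in a fresh lab the CRL distribution
# point is often unreachable, and that is a different error from an untrusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($x509)

"Subject : $($x509.Subject)"
"SANs    : $($exCert.CertificateDomains -join ', ')"
"Chain OK: $trusted"
foreach ($s in $chain.ChainStatus) { '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }

# UntrustedRoot / PartialChain are the statuses that the thread's resolution fixes.
$statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
$rootMissing = ($statuses -contains 'UntrustedRoot') -or ($statuses -contains 'PartialChain')
if ($rootMissing) {
    # Publish the root CA certificate into the AD DS Certification Authorities container;
    # domain members then pull it into LocalMachine\Root through Group Policy.
    certutil -f -dspublish $rootCerFile RootCA
    # Pull the published root now instead of waiting for the next policy refresh.
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    'Root published. Re-run this script; a reboot (as in the thread) also makes IIS reload the store.'
}
```

If the chain builds but the browser still complains, the problem is the name rather than trust: compare the SANs line with the host name in the URL, since a wildcard such as *.contoso.com matches mail.contoso.com but not contoso.com itself or a deeper label.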


1 additional answer

  1. Jake Zhang-MSFT 3,185 Reputation points Microsoft Vendor
    2024-07-03T07:03:11.78+00:00

    Hi @Андрей Михалевский,

    Welcome to the Microsoft Q&A platform!

    According to your description, you want to issue a wildcard certificate for Exchange, but the owa\ecp web interface does not trust this certificate and displays an error.

    After my research, I suggest that you can follow the steps below to issue a wildcard certificate:

    1. Purchase or generate a wildcard certificate from a certificate authority (CA). Wildcard certificates usually cover all subdomains of a domain (for example, "*.yourdomain.com").

    2. When creating a certificate signing request (CSR), make sure to specify the wildcard domain (for example, "*.yourdomain.com") as the common name (CN). To create a Base64-encoded request file for a wildcard certificate, run the following command:

    $txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Contoso.com Wildcard Cert" -SubjectName "C=US,CN=*.contoso.com"

    [System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso Wildcard Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

    3. Submit the CSR to the CA of your choice to obtain a wildcard certificate.

    certreq -submit -attrib "CertificateTemplate:WebServer" "\\FileServer01\Data\Contoso Wildcard Cert.req" "\\FileServer01\Data\Contoso Wildcard Cert.cer"

    4. Import the certificate using the Exchange Management Shell (EMS):

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Path\To\Your\Certificate.pfx" -Encoding Byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'YourPfxPassword' -AsPlainText -Force)

    5. Assign the new wildcard certificate to the desired Exchange services (SMTP, IMAP, POP, IIS):

    Enable-ExchangeCertificate -Thumbprint '<YourCertificateThumbprint>' -Services SMTP,IMAP,POP,IIS

    6. Use the EMC (Exchange Management Console) or ECP (Exchange Admin Center) to verify that the services are assigned and the wildcard certificate is being used.

    7. In DNS Manager, make sure the DNS records are correctly pointing to the servers for the services you are using.


    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang
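The steps in the answer above, carried through end to end against an enterprise AD CS CA, as an added example (it is not the answerer's code and not Microsoft documentation). It is meant to run in the Exchange Management Shell on the Exchange server so that the private key generated in step 1 is present when the issued certificate is imported. The values contoso.com, the CA configuration string CA01.contoso.com\Contoso-CA, the folder C:\Certs, and the use of the built-in WebServer template are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed placeholders: domain, CA config string,
# working folder. Find the real config string with "certutil -dump" on a domain member.
$domain   = 'contoso.com'
$caConfig = 'CA01.contoso.com\Contoso-CA'
$workDir  = 'C:\Certs'
$reqFile  = Join-Path $workDir 'wildcard.req'
$cerFile  = Join-Path $workDir 'wildcard.cer'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. CSR. Put the wildcard in the CN *and* in the SAN list (-DomainName): current
#    browsers ignore the CN and match only on SubjectAltName. The bare domain is added
#    as a second SAN because "*.contoso.com" does not cover "contoso.com" itself.
$txtrequest = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName "$domain wildcard" `
    -SubjectName "C=US,CN=*.$domain" `
    -DomainName "*.$domain", $domain `
    -KeySize 2048
[System.IO.File]::WriteAllBytes($reqFile, [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

# 2. Submit to the enterprise CA with the WebServer template. certreq takes the request
#    file first and the output path for the issued certificate second.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqFile $cerFile
if ($LASTEXITCODE -ne 0) {
    throw "certreq failed (exit $LASTEXITCODE): the template may require approval, or your account lacks Enroll permission."
}

# 3. Complete the pending request on this server. The .cer carries only the public half;
#    Exchange pairs it with the key from step 1 and returns the certificate object.
$cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cerFile))

# 4. Bind it. -Force suppresses the "overwrite the default SMTP certificate" prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IIS -Force

# 5. Verify. Status must be "Valid" (chain builds to a root this server trusts, which is
#    exactly what the accepted answer fixes) and CertificateDomains must list *.contoso.com.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, Status, NotAfter
```

A Status of anything other than Valid right after step 3 is the symptom from the question: the certificate imported fine, but the server itself does not trust the issuing chain, so OWA/ECP clients will not either until the root is distributed.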