What is the correct way to issue a wildcard certificate?

Андрей Михалевский 3,331 Reputation points
2024-07-02T15:18:52.1233333+00:00

Hi. I just deployed 3 servers in a lab environment.

Active Directory - windows server 2022

Active Directory Certificate Service - windows server 2022

Exchange - CU 14, last SU. - windows server 2022

3 virtual machines.

I want to issue a wildcard certificate for Exchange and then use it for other services.

What I did: Issued a certificate as described in the documentation: https://learn.microsoft.com/en-us/exchange/architecture/client-access/create-ca-certificate-requests?view=exchserver-2019

EX01

It's working just fine.

Now I want to make a wildcard certificate.

EX02

Now the owa\ecp web interface does not trust this certificate and says error

on the common name. But if I open the certificate, it has a full chain of trust.

Can you please tell me how to form a wildcard certificate correctly ? I think the article is not updated or there were some changes in Exchange server.

Translated with DeepL.com (free version) UPD: I think I jumped to conclusions.

EX03

EX4

EX5

EX6

EX07

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,348 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jake Zhang-MSFT 6,700 Reputation points Microsoft Vendor
    2024-07-09T08:31:14.15+00:00

    Hi @Андрей Михалевский,

    Great to know that the issue has already been resolved and thanks for sharing the solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others]", I'll repost your solution in case you'd like to "[Accept]" the answer : )     

    --------------   

    Issue Symptom: 

     owa\ecp web interface does not trust a certificate and says errorEX03

    Resolution:

    Please distribute the root certificate in AD CS. cerutil -f -dspublish path_to_certificate RootCA.

    Then reboot.


1 additional answer

Sort by: Most helpful
  1. Jake Zhang-MSFT 6,700 Reputation points Microsoft Vendor
    2024-07-03T07:03:11.78+00:00

    Hi @Андрей Михалевский,

    Welcome to the Microsoft Q&A platform!

     

    According to your description, you want to issue a wildcard certificate for Exchange, but the owa\ecp web interface does not trust this certificate and displays an error.

     

    After my research, I suggest that you can follow the steps below to issue a wildcard certificate:

    1.Purchase or generate a wildcard certificate from a certificate authority (CA). Wildcard certificates usually cover all subdomains of a domain (for example, "*.yourdomain.com").

    2.When creating a certificate signing request (CSR), make sure to specify the wildcard domain (for example, "*.yourdomain.com") as the common name (CN). To create a Base64-encoded request file for a wildcard certificate, run the following command:

    $txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Contoso.com Wildcard Cert" -SubjectName "C=US,CN=*.contoso.com"

    [System.IO.File]::WriteAllBytes('\FileServer01\Data\Contoso Wildcard Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

    3.Submit the CSR to the CA of your choice to obtain a wildcard certificate.

    certreq -submit -attrib CertificateTemplate:Webserver

    4.Import the certificate using the Exchange Management Shell (EMS):

    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path “C:\Path\To\Your\Certificate.pfx” ​​-Encoding Byte -ReadCount 0)) -password (ConvertTo-SecureString -String 'YourPfxPassword' -AsPlainText -force)

    5.Assign the new wildcard certificate to the desired Exchange services (SMTP, IMAP, POP, IIS):

    Enable-ExchangeCertificate -Thumbprint [YourCertificateThumbprint] -Services “SMTP, IMAP, POP, IIS”

    6.Use the EMC (Exchange Management Console) or ECP (Exchange Admin Center) to verify that the services are assigned and the wildcard certificate is being used.

    7.In DNS Manager, make sure the DNS records are correctly pointing to the servers for the services you are using.

    User's image

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.