SUMMARY

This step-by-step article describes how to install and use certificates for use with Exchange 2000.

Exchange 2000 incorporates a number of virtual servers that are responsible for servicing inbound and outbound connections for a number of standard Internet services. These services are:

• Post Office Protocol version 3 (POP3)
• Internet Message Access Protocol version 4 (IMAP4)
• Simple Mail Transfer Protocol (SMTP)
• Network News Transfer Protocol (NNTP)

You can install certificates on these virtual servers to permit the use of encrypted communication.

NOTE: Exchange 2000 also includes a Hypertext Transfer Protocol (HTTP) virtual server. However, you configure this virtual server by using Internet Services Manager. This procedure in not described in this article.

back to the top

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:

• Microsoft Windows 2000 Server with Service Pack 2 (SP2)
• Active Directory
• Exchange 2000 Server with Service Pack 1 (SP1)
• Microsoft Outlook Express 5 or later (for testing purposes)

This article assumes that you are familiar with the following topics:

• Exchange System Manager
• TCP/IP
• Configuring and using Microsoft Network Monitor, including setting up capture filters.

back to the top

What Is a Certificate?

A certificate is the basis of providing security between two parties over public networks. Certificates are digitally signed statements that contain a public key and the name of the owner or subject of the certificate. Certificates are also signed by the issuing body or certification authority (CA). If the CA signs the certificate, the CA confirms that the private key that is associated with the certificate's public key is in the possession of the user named in the certificate.

Certificates provide a mechanism for establishing a relationship between a public key and the entity that owns the corresponding private key. Most certificates are based on the International Telecommunication Union, Telecommunication Standardization Sector (ITU-T) X.509 version 3 standard.

You can use certificates to perform the following tasks:

• Securing communications between two users or computers to prevent unauthorized viewing of the transmitted message or file content.
• Digitally signing an electronic exchange (such as a file transfer or message) to verify that it has not been changed in transit.
• Verifying an individual or a computer's identity.
• Encrypting data contained in a storage system, such as on a hard disk or tape.
• Certifying that a file such as a device driver has been approved and has not been changed between the testing and installation process.

Typically, certificates use the .cer extension and have the same properties as other files on the computer. Typically, certificates reside in certificate stores on the computer. Windows 2000 includes certificates from a number of public X.509 version 3 CAs, such as VeriSign, Thawte and SecureNet. Windows 2000 also has a built-in X.509 version 3-compliant Certificate Server service, which permits you to create your own CA and distribute certificates for use both in your organization and by external clients or computers. This functionality gives you flexibility when you deploy certificates.

back to the top

How to Use Certificates with Virtual Servers

This section is provided to help you understand why you might want to use certificates with your virtual servers.

back to the top

Post Office Protocol version 3 Virtual Servers and Internet Message Access Protocol version 4 Virtual Servers

The POP3 virtual servers and IMAP4 virtual servers provide the necessary services for POP3 clients or IMAP4 client such as Microsoft Outlook Express to obtain e-mail messages from your Exchange 2000 computer. You may want to use POP3 or IMAP4 to obtain e-mail messages from Exchange 2000 if connection speeds are very slow and users do not require the full functionality of the Outlook client program.

However, the POP3 and IMAP4 protocols use clear text for sending messages and for authentication. If you add a certificate to the POP3 virtual servers or IMAP4 virtual servers, you can offer Secure Sockets Layer (SSL) encryption, and make sure that both the authentication sequence and message bodies are encrypted throughout transit across public networks.

back to the top

Simple Mail Transfer Protocol Virtual Servers

SMTP virtual servers provide the following services, either on their own or in conjunction with an SMTP connector:

• Mail collection and delivery to and from external SMTP servers.
• Mail routing between Exchange Server routing groups.
• Receiving mail from POP3/IMAP4 clients.

These requirements may be mutually exclusive; this is because you cannot configure the SMTP virtual server that sends and receives mail to and from external domains by means of the Exchange SMTP connector to use SSL encryption. Most SMTP servers on the Internet do not support SSL. However, if you use SMTP as the POP3 and IMAP4 e-mail message delivery mechanism, you must encrypt these transactions, particularly if you have already configured SSL for the POP3 or IMAP4 e-mail message collection process.

Microsoft recommends that you create separate SMTP virtual servers, one for use with Exchange Server routing groups and one for POP3 and IMAP4 e-mail message delivery, and that you configure both virtual server with certificates and SSL. After you do so, you can use the default SMTP virtual server to connect to external domains by means of the SMTP connector.

back to the top

Hypertext Transfer Protocol Virtual Servers

Typically, you use certificates with Hypertext Transfer Protocol (HTTP) virtual servers to provide support for users who obtain their e-mail messages by means of Microsoft Outlook Web Access (OWA). For this purpose, it may be best to obtain a third-party certificate. With a third-party certificate, users can connect to their mailboxes from public computers, such as those in kiosks or Internet cafes.

back to the top

Network News Transfer Protocol Virtual Servers

Use certificates with NNTP virtual servers if the following conditions are true:

• You have clients that connect to Exchange 2000 public folders by using NNTP.
• You use NNTP to replicate public folders between organizations.

Typically, connections to USENET newsgroup servers do not support authentication or encryption, therefore if you use certificates with NNTP, you must create a second NNTP virtual server for this purpose.

back to the top

How to Select a Certificate Source

When you obtain certificates to use with your virtual servers, you have three choices:

• You can purchase individual certificates from an external CA
• You can become a subordinate CA to an External CA
• You can implement and maintain your own root CA structure

You may have to combine these approaches, for example, you can create your own CA structure and purchase individual certificates from an external CA.

back to the top

How to Purchase Certificates from an External Certification Authority

You can apply to an external CA such as VeriSign or Thawte for certificates that are verified by one of the root certificates that are installed with Windows 2000. Purchase individual certificates from an external CA if the following conditions are true:

• You want to provide secure connectivity to general Internet users (such as in an e-commerce environment).
• You want to support users who have to connect from public computers, for example, in kiosks or Internet cafes.
• You cannot or you do not want to support your own CA environment.

Typically, the cost of a certificate starts at approximately $600 (US currency), which makes this the least expensive method to obtain just one certificate. For example, if you purchase a certificate in this manner, employees can securely connect to their mailbox from any computer running Windows and Microsoft Internet Explorer 4.0 or later.

back to the top

How to Become a Subordinate Certification Authority to an External Certification Authority

To complete this approach, you set yourself up as a subordinate CA that is certified by an external CA. This means that you can issue multiple certificates that are trusted because they are linked to publicly available certificates instead of purchasing each certificate separately. However, you still must maintain your own CA structure; the approval process requires three to six months and costs a minimum of $50,000 (US currency). For example, Microsoft is a subordinate CA certified by VeriSign.

Consider becoming a subordinate CA if the following conditions are true:

• You want to provide a large number of publicly available certificates, for example for code-signing device drivers.
• You can provide the expertise and support to implement and manage a subordinate CA.
• You want the freedom to create, manage, and revoke publicly usable certificates.

back to the top

How to Implement and Maintain Your Own Root Certification Authority Structure

Create your own root CA structure if the following conditions are true:

• You can create a reliable and effective root CA, and have the equipment to do so.
• You provide connectivity only to users in your own organization or to a limited number of external clients, customers, or computers.
• You use certificates to identify individuals by associating a certificate with a particular logon account.
• You want the maximum freedom and flexibility to create, assign and revoke certificates without reference to any external organization.

If you implement and maintain a CA structure, (not a trivial operation) it requires the computers that issue and maintain certificates must always be available. For more information about how to install and configure a certificate server, see the Microsoft Windows 2000 Server Resource Kit and the Windows 2000 Help.

You can mix these approaches, for example, you can use an external CA for your public e-commerce Web site and use your own CA to verify your employees' identities when they connect to your Exchange Server computer by means of the Internet.

After you obtain your certificate or set up your CA, you must install the certificates on the Exchange Server virtual servers. This procedure is generally the same for all server types, except for the HTTP virtual server. To install certificates on the POP3, IMAP4, SMTP and NNTP virtual servers, use Exchange System Manager. To configure HTTP virtual servers, use Internet Services Manager (this procedure is not described in this article).

back to the top

How to Request a Certificate from an External Certification Authority

This procedure describes how to install certificates from an external CA in a situation where a certificate request must be prepared and sent to the external CA. You must process the certificate file in a separate sequence.

NOTE: The following procedure applies to the POP3, IMAP4, SMTP and NNTP protocols only. This article does not describe how to configure HTTP for SSL.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers.
3. Click the Exchange Server computer that you want to configure, and then double-click the Protocols container.
4. For each protocol that you want to configure, double-click the relevant object.
5. Right-click the Default (protocol name) virtual server object, and then click Properties.
6. Click the Access tab, and then click the Certificate button.
7. After the IIS Certificate Wizard starts, click Create a new certificate, and then click Next.
8. Click Prepare the request now, but send it later, and then click Next.
9. Either assign an appropriate name to the certificate or accept the default setting of Default (protocol name) Virtual Server, select a bit length, and then click Next.NOTE: Longer key lengths affects performance (which can be more expensive).
   

1. Type the organization and organizational unit information for the CA from which you want to request a certificate, and then click Next. This information is typically available from CA's Web site or the information is sent to you when you register with the CA.
   

1. Enter the common name for your site, and the click Next.NOTE: If you want to allow access from the Internet, this name must be an externally resolvable fully qualified domain name (FQDN) that maps to the Internet Protocol (IP) address that is linked to the virtual server.
   

1. On the Geographical Information page, type the Country/Region, State/province and City/locality information as appropriate for your organization, and then click Next.
2. Either type a name and a path for the location in which you want to create the certificate or accept the default file name, and then click Next.
3. Review the information on the Request File Summary page, and then click Next.
4. The final page confirms that a certificate with the specified file name has been created. The default setting is drive name:\certreq.txt.
5. Click Finish.

back to the top

How to Install a Certificate from an External Certification Authority

Send the certificate request file that you created in the previous section to your CA. Alternatively, your CA may have a Web-based interface that permits you to submit the certificate request. You receive a file that has a .cer file name extension. After you receive this file, restart the Certificate Wizard to install this certificate.

1. On the virtual server that you used in the previous section, click Properties, click the Access tab, and then click the Certificate button.
2. After the Certificate Wizard restarts and you receive notification that you have a pending certificate request, click Next.
3. On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next.
4. In the Process a Pending Request, type the path to the certificate that you received from the external CA.
5. Review the Certificate Summary page, and then click Next.
   

The information that is contained in the certificate, which includes who issued the certificate, when the certificate expires, what the certificate is to be used for, and the certificate friendly name are displayed on the Certificate Summary page.

1. After you receive notification that the certificate is successfully installed on the virtual server, click Finish.

back to the top

How to Install a Certificate from a Microsoft Certificate Server

If you have installed Microsoft Certificate Server services on Windows 2000 either as a root CA or as a subordinate CA, you can send your certificate server request to the online CA directly.

NOTE: You can only send a request to an online CA if you have installed the CA in Active Directory as an enterprise CA, instead of as a stand-alone CA.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers.
3. Select the Exchange Server computer that you want to configure, and then double-click the Protocols container.
4. For each protocol that you want to configure, double-click the relevant object.
5. Right-click the Default (protocol name) virtual server object, and then click Properties.
6. Click the Access tab, and then click the Certificate button..
7. After the IIS Certificate Wizard starts, click Create a new certificate, and then click Next.
8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
9. Assign an appropriate name to identify this certificate or accept the default name of Default (protocol name) Virtual Server, click a suitable bit length, and then click Next.
   

NOTE: Longer key lengths adversely affect performance.

1. Type the organization and organizational unit information for your server, and then click Next.
2. Type the common name for your site, and then click Next. This matches the DNS fully qualified domain name (FQDN) that maps to the IP address of the relevant protocol virtual server that is to use this certificate. If users are connecting to this virtual server from the Internet, this name must be an externally resolvable FQDN.
   

1. On the Geographical Information page, enter the Country/Region, State/province and City/locality information that is appropriate for your Certification Authority, and then click Next.
2. On the Choose a Certification Authority page, review the online CA for your organization, and then click Next.
3. Review the details that you entered in the wizard on the Certificate Request Submission page, and then click Next. The final page confirms that a certificate is installed on the virtual server that you have selected.
   

1. Click Finish.

back to the top

How to Force Secure Communications

After you install the certificate, you can force secure communications on the POP3, IMAP4 and SMTP protocols.

NOTE: The NNTP protocol does not a have setting to force secure communications.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the left pane of Exchange System Manager, double-click Servers.
3. Click the Exchange Server computer that you want to configure, and then double-click the Protocols container.
4. For each protocol that you want to enforce security, double-click the relevant object.
5. Right-click the Default (protocol name) virtual server object, and then click Properties.
6. Click the Access tab, and then click the Communication button.
7. Click the Require secure channel box. Additionally, you can click the Require 128-bit encryption box. However, note that both your Exchange Server computer and any client computers that connect must support 128-bit encryption.
   

1. Click OK, and then click OK to accept the changes and close the virtual server properties.

back to the top

How to Confirm That Your Certificate Is Installed Correctly

To confirm that your virtual server is using SSL encryption and that the certificate is installed correctly, configure Outlook Express to connect by using a secure channel, and then use Network Monitor to verify that the protocol packets are encrypted.

1. In Microsoft Outlook Express, click Accounts on the Tools menu.
2. Click the Mail tab (for POP3, IMAP4, or SMTP) or click the News tab (for NNTP).
3. Double-click the Exchange Server account for the relevant protocol, and then click the Advanced tab.
4. Click to select the This server requires a secure connection (SSL) check box. If you select this box, the POP3 port number changes from 110 to 995, the IMAP4 port changes from 143 to 993, the NNTP port changes from 119 to 563, and the SMTP port remains at port 25.
   

1. Click OK to close the Account properties box, and then click Close to return to Outlook Express.
2. Run Network Monitor capture, and then connect to your Exchange Server computer by using the account that you have just set up. When you examine the packets, notice that the packets for the protocol on which you have configured security are encrypted.

back to the top

Troubleshooting

If you are running your own root CA or if you have a subordinate CA, note that if your Certificate Server environment does not respond, you can lose all of certificates that are currently issued and your certificate revocation list. If you lose certificates and the certificate revocation list, your clients cannot connect securely to the protocol virtual servers that configured with those certificates. Therefore, it is important that you decide whether to implement your own CA.

back to the top