Using a Commercial Web Site Certificate to Publish Outlook Web Access (OWA) Part 2

by Thomas W Shinder MD, MVP


Have Questions about the article? 
Ask at: http://tinyurl.com/b7exn


In part 1 of this series on how to use a commercial Web site certificate to publish your corporate OWA site, I went over the basics of SSL to SSL bridging and how the ISA firewall brings a much higher level of security to your OWA remote access solution compared to conventional “hardware” firewalls. After making the security advantages of the ISA firewall abundantly clear, we then went over the reasons why you would want to use a commercial Web site certificate instead of a privately generated certificate. We finished up by providing the roadmap for the overall commercial Web site certificate OWA publishing solution presented in this series.

In this, part 2 of our four-part series, we’ll go over the following procedures:

  • Create a Web site certificate request on the OWA Server
    In order to obtain a Web site certificate from the commercial CA, we need to generate a certificate request file. In this step, we’ll create the certificate request file that we’ll submit to the commercial CA.
  • Obtain the Web site certificate from the commercial certificate authority
    After creating the certificate request file, you’re ready to send that file to the commercial CA. The commercial CA will use the information in this file to generate the new Web site certificate that you’ll subsequently bind to the ISA firewall’s Web listener so that the ISA firewall can impersonate the OWA Web site.
  • Install the Commercial Web Site Certificate and CA Certificates on the OWA Site
    The commercial CA will send us either a text string or a certificate file. We’ll use the text string or file to install the commercial Web site certificate on the OWA Web site on the corporate network. Later we will export this certificate to a file so that we can copy that file to the ISA firewall and install the commercial Web site certificate into the ISA firewall’s machine certificate store.

Let’s get started!

Create a Web Site Certificate Request on the OWA Server

As I mentioned in part 1 of the series, we’re going to try something new by providing a road map of where you are in the configuration path. In long articles that contain multiple configuration procedures on multiple machines, it’s very easy to get lost. So, I’m going to try out a new configuration road map in articles I write that contain many configuration procedures on multiple machines.

Please let me know what you think of this feature and let me know if you have suggestions for making it even more useful. Please use the discussion link for this article, which you’ll find in several places on this page.

You are here:


Figure 1: You are here

The first step is to create a Web site certificate request. This will end up creating a text file that you’ll use to submit your request to the commercial CA. The text file has all the information required by the commercial CA to issue you a Web site certificate.

We’ll create the certificate request file on the Exchange Server using the IIS Certificate Request Wizard. There are other ways to do this, but I find this the easiest, most straightforward, and least likely to generate errors. The common name on the certificate will be mail.msfirewall.org because this will be the name external users who access the OWA site will use to access the OWA site through the ISA firewall.

Create the Web Site Certificate Request File

Perform the following steps on the Exchange Server to create the certificate request file:

  1. Click Start and then point to Administrative Tools. Click Internet Information Services.
  2. In the Internet Information Services console, expand the server name and then expand the Web Sites node. Right click the Default Web Site and click Properties.
  3. In the Default Web Site Properties dialog box, click the Directory Security tab.
  4. On the Directory Security tab, click the Server Certificate button in the Secure communications frame.
  5. Click Next on the Welcome to the Web Server Certificate Wizard page.
  6. On the Server Certificate page, select the Create a new certificate option and click Next.


Figure 2

  7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later option. We select this option because we won’t be using our enterprise CA to obtain the certificate; instead, the wizard creates a certificate request text file that we’ll submit to the commercial CA. Click Next.


Figure 3

  8. On the Name and Security Settings page, enter a name for the certificate in the Name text box. In this example, we’ll name the certificate Commercial Web Site Certificate. Note that this is not the common/subject name on the certificate; it’s just a friendly name that makes the certificate’s purpose easy to recognize when looking at certificates in the Certificates MMC console. Click Next.
  9. Enter your organization’s name and OU’s name on the Organizational Information page and click Next.
  10. On the Your Site’s Common Name page, you enter the common/subject name that will appear on the Web site certificate. This is an extremely important setting, because the name you enter in the Common name text box must match the name that external users will use to access the OWA Web site through the ISA firewall. In our current example, external users will use the name mail.msfirewall.org to reach the OWA Web site, so you enter that into the Common name text box. Click Next.


Figure 4 (note that the figure contains a typo: the common name should be mail.msfirewall.org)

  11. Enter your State/province and City/locality information on the Geographical Information page and click Next.
  12. On the Certificate Request File Name page, the name of the certificate request text file appears in the File name text box. The default name of the file is certreq.txt and it will be placed in the root of the C: drive. Accept the default name and click Next.
  13. Review the information on the Request File Summary page and click Next.
  14. Click Finish on the Completing the Web Server Certificate Wizard page.
  15. You can leave the Default Web Site Properties dialog box open, as we’ll be returning to it later after we get our commercial Web site certificate from the commercial CA.

Obtain the Web site Certificate from the Commercial CA


Figure 5: You are here

The next step is to obtain the commercial Web site certificate from a commercial CA. At this point you’re pretty much on your own, as each commercial CA will have a different procedure that you’ll go through.

For this article, I obtained a trial Web site certificate from Verisign. The trial certificate is good for 14 days. If you’re interested in obtaining a trial certificate from Verisign so that you can test this solution yourself in a lab environment, check it out at http://www.verisign.com/products-services/security-services/ssl/buy-ssl-certificates/free-trial/

WARNING:
Be careful about the name you use when asking for the trial certificate. When I asked for a certificate using the common/subject name of www.msfirewall.org to use for some early testing before doing this article, I found that I could not make a second request for the same common/subject name on the Verisign site. This has the potential for making things more complicated than they need to be.

The process is painless and quite simple. Verisign will ask you to fill out some personal identifying information such as name, address, and phone number. They will also ask you what you want the common name to be on the certificate. Remember, this is a critical setting and you must tell them the same common name that you used when you generated the certificate request using the IIS Certificate Request Wizard.

You will be asked to copy the contents of the certreq.txt file you created into a text box in the Web interface Verisign provides you. After you complete the process, they will send you an e-mail message that contains a text string that you will need to save to a text file on the OWA server. Once you reach this point, you’ll be ready for the next step.

Install the Commercial Web Site Certificate and CA Certificates on the OWA Site


Figure 6: You are here

Now that you have your commercial certificate, you’re ready to install it on the OWA site. The following procedures focus on the scenario I’m working with, using the Verisign trial certificate. Some commercial CAs will provide you with a certificate file instead of a text string. The procedures are similar to what we’ll do below, but you’ll make slightly different choices; I think you’ll be able to figure them out as you go through the wizard. If you have problems, make sure to post on the ISAserver.org Web boards at http://forums.isaserver.org so that the rest of the ISAserver.org community and I can help you out.

At this point I have copied the certificate text string from the e-mail message Verisign sent me into a text file named commcer.txt; we’ll use that file to install the certificate.

Install the Commercial Web Site Certificate on the OWA Server

Perform the following steps to install the commercial Web site certificate on the OWA computer:

  1. If you’ve been following the steps in this article, then the Default Web Site Properties dialog box is still open. If you stepped away from the lab, then make sure to open the IIS console, open the Properties of the Default Web Site and then click the Directory Security tab.
  2. Click the Server Certificate button in the Secure communications frame.
  3. Click Next on the Welcome to the Web Server Certificate Wizard page.
  4. On the Pending Certificate Request page, select the Process the pending request and install the certificate option and click Next.


Figure 7

  5. On the Process a Pending Request page, click the Browse button to locate the certificate file (commcer.txt in this example) and then click Next.


Figure 8

  6. On the SSL Port page, accept the default 443 value and click Next.
  7. Review the information on the Certificate Summary page and click Next.


Figure 9

  8. Click Finish on the Completing the Web Server Certificate Wizard page.
  9. In the Default Web Site Properties dialog box, click the View Certificate button.
  10. On the General tab of the Certificate dialog box you’ll notice that it says Windows does not have enough information to verify this certificate. Click on the Certification Path tab.
  11. On the Certification Path tab, you’ll notice that there is a yellow warning symbol next to the VeriSign Trial Secure Server Test CA certificate.

The reason for this is that we haven’t downloaded the Test CA Root certificate and installed it in the OWA server’s machine certificate store. We need to do this before we continue. Note that if you’re using an actual live commercial certificate, you won’t have to go through this process. But since we’re using a trial certificate whose root CA isn’t included automatically in the machine’s Trusted Root Certification Authorities store, we have to jump through this hoop before we continue.

I know it seems paradoxical that we have to install the CA certificate manually, given that I mentioned earlier that the primary reason for using commercial certificates is that you don’t need to go through this process. Just keep in mind that this is an artifact of our lab environment using trial certificates; when you use actual, paid-for live certificates you won’t have to worry about this step.

If you’re using the Verisign trial certificate as I’m using in this example, then you’ll need to perform the following process to get the CA certificate into the OWA machine’s Trusted Root Certification Authorities machine certificate store.

Install the Trial Root CA Certificate in the OWA Server’s Trusted Root Certification Authorities Machine Certificate Store

Perform the following steps to enter the Trial Root CA certificate into the OWA machine’s Trusted Root Certification Authorities machine certificate store:

  1. At the OWA server, open Internet Explorer and go to http://www.verisign.com/server/trial/faq/index.html
  2. Once you get to the Web page, click the Secure Site Trial Root CA Certificate link.
  3. On the Root CA Certificates page, copy all the text in the text box and paste it into a Notepad document. Save the Notepad document as Trialcert.txt and close Notepad.

Now we need to import the certificate in the text file into the Trusted Root Certificate Authorities machine certificate store:

  1. Click Start and click the Run command.
  2. In the Run dialog box, enter mmc in the Open text box and click OK.
  3. In the new MMC console, click the File menu and click Add/remove Snap-in.
  4. In the Add/Remove Snap-in dialog box, click the Add button.
  5. In the Add Standalone Snap-in dialog box, select the Certificates snap-in and click Add.
  6. On the Certificates snap-in page, click the Computer account option and click Next.
  7. On the Select Computer page, select the Local Computer option and click Finish.
  8. Click Close in the Add Standalone Snap-in dialog box.
  9. Click OK in the Add/Remove Snap-in dialog box.

Now that we have the Certificates snap-in loaded, we can import the certificate.

  1. In the MMC console, expand the Certificates (Local Computer) node and then expand the Trusted Root Certification Authorities node. Click the Certificates node and then right click it. Point to All Tasks and then click Import.
  2. Click Next on the Welcome to the Certificate Import Wizard page.
  3. On the File to Import page, use the Browse button to locate the text file for the CA certificate and click Next.
  4. Click Next on the Certificate Store page.
  5. Click Finish on the Completing the Certificate Import Wizard page.
  6. Click OK in the dialog box informing you that the import was successful.
  7. Return to the Certificates\Personal\Certificates node and double click the commercial Web site certificate. Click the Certification Path tab. You’ll see the entire path is now OK.


Figure 10

  8. Close all the dialog boxes and the MMC console. Do not save the console.
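The two checks this part depends on, as an added example that is not from the article: the request’s common name must equal the external name users type (step 10 of the request procedure), and the issued certificate only verifies once the issuing root is trusted (the yellow warning on the Certification Path tab). This POSIX shell script replays the IIS wizard steps with openssl in a temporary directory; the organization names, the “trial” root CA and every file it creates are constructed stand-ins.

```shell
#!/bin/sh
# Added lab demonstration (not from the article): the wizard steps replayed
# with openssl. All names, the "trial" CA and the files are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
EXTERNAL_NAME=mail.msfirewall.org   # the name external users type into the browser

# Read the CN out of a request ("req") or a certificate ("x509"), RFC 2253 form.
subject_cn() {
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# The check the article stresses: the CN must equal the external name exactly.
check_cn() { [ "$(subject_cn "$1" "$2")" = "$3" ]; }

# Step 1 - key and request on the OWA server (the wizard's certreq.txt).
openssl req -new -newkey rsa:2048 -nodes -keyout owa.key -out certreq.txt \
  -subj "/C=US/ST=Texas/L=Dallas/O=Lab Corp/OU=IT/CN=$EXTERNAL_NAME" 2>/dev/null

# Step 2 - a constructed stand-in for the 14-day trial CA signs the request.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout trialca.key -out Trialcert.txt \
  -days 14 -subj "/O=Lab Corp/CN=Constructed Trial Root CA" 2>/dev/null
openssl x509 -req -in certreq.txt -CA Trialcert.txt -CAkey trialca.key -CAcreateserial \
  -out commcer.txt -days 14 2>/dev/null

# Step 3 - chain check. Without the root in the trust store this fails, which is
# the "not enough information to verify" warning; with the root trusted it passes.
verify_without_root() { openssl verify commcer.txt >/dev/null 2>&1; }
verify_with_root() { openssl verify -CAfile Trialcert.txt commcer.txt >/dev/null 2>&1; }

check_cn req certreq.txt "$EXTERNAL_NAME" && echo "request CN = $EXTERNAL_NAME: OK"
check_cn x509 commcer.txt "$EXTERNAL_NAME" && echo "issued CN = $EXTERNAL_NAME: OK"
verify_without_root || echo "root not trusted: chain does not verify"
verify_with_root && echo "root trusted: chain verifies"
```

For a certificate from a real CA, point -CAfile at the CA’s published root instead of the constructed Trialcert.txt.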

Summary

In this, part 2 in our series on how to use a commercial Web site certificate on the ISA firewall to publish an internal OWA site, we went through the procedures of creating a Web site certificate request, sending the request to the commercial CA, and then binding that certificate to the OWA Web site on the corporate network. With that work out of the way, we’ll be well positioned to carry out the procedures in part 3 of this series, where we’ll export the commercial Web site certificate from the OWA site and move the certificate to the ISA firewall. It’s going to be great fun so be sure not to miss part 3 of this series, coming up next week!
