How to Use Certificates with Virtual Servers in Exchange Server 2003

This step-by-step article describes how to install and to use certificates with Exchange Server 2003. Exchange Server 2003 incorporates a number of virtual servers that are responsible for servicing inbound and outbound connections for a number of standard Internet services. These services are:

• Post Office Protocol version 3 (POP3)
• Internet Message Access Protocol version 4 (IMAP4)
• Simple Mail Transfer Protocol (SMTP)
• Network News Transfer Protocol (NNTP)

You can install certificates on these virtual servers to permit the use of encrypted communication.

Note Exchange Server 2003 also includes a Hypertext Transfer Protocol (HTTP) virtual server. However, you configure this virtual server by using Internet Services Manager. This procedure in not described in this article. For additional information about how to use Internet Services Manager to configure a Hypertext Transfer Protocol virtual server, click the following article number to view the article in the Microsoft Knowledge Base:

Requirements

The following list outlines recommended hardware, software, network infrastructure, and service packs:

• Microsoft Windows 2000 Server with Service Pack 3 (SP3)
• Microsoft Active Directory directory service
• Exchange Server 2003
• Microsoft Outlook Express 5 or later (for testing purposes)

This article assumes that you are familiar with the following topics:

• Exchange System Manager
• TCP/IP
• How to configure and to use Microsoft Network Monitor, and how to set up capture filters

What Is a Certificate?

A certificate is used to help secure the connection between two parties over public networks. Certificates are digitally signed statements that contain a public key and the name of the owner or the subject of the certificate. Certificates are also signed by the issuing body or the certification authority (CA). If the CA signs the certificate, the CA confirms that the private key that is associated with the certificate's public key is in the possession of the user who is named in the certificate.

Certificates provide a mechanism for establishing a relationship between a public key and the entity that owns the corresponding private key. Most certificates are based on the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 version 3 standard.

You can use certificates to perform the following tasks:

• To provide security-enhanced communication between two users or two computers to help prevent unauthorized viewing of the message or the file content that is transmitted.
• To digitally sign an electronic exchange (such as a file transfer or a message) to verify that it has not been changed in transit.
• To verify an individual's identity or a computer's identity.
• To encrypt data that is contained in a storage system, such as on a hard disk or on a tape.
• To certify that a file such as a device driver has been approved and has not been changed between the testing and the installation processes.

Typically, certificates use the .cer extension and have the same properties as other files on the computer. Typically, certificates reside in certificate stores on the computer. Windows 2000 includes certificates from a number of public X.509 version 3 CAs, such as VeriSign, Thawte, and SecureNet. Windows 2000 also has a built-in Certificate Server service that is compliant with X.509 version 3. The Certificate Server service permits you to create your own CA and distribute certificates for use both in your organization and by external clients or computers. This functionality gives you flexibility when you deploy certificates.

How to Use Certificates with Virtual Servers

Post Office Protocol Version 3 Virtual Servers and Internet Message Access Protocol Version 4 Virtual Servers

The POP3 virtual servers and the IMAP4 virtual servers provide the services that POP3 clients or IMAP4 clients (such as Microsoft Outlook Express) require to obtain e-mail messages from your Exchange Server 2003 computer. You may want to use POP3 or IMAP4 to obtain e-mail messages from Exchange Server 2003 if connection speeds are very slow and if users do not require the full functionality of the Outlook client program.

However, POP3 and IMAP4 use clear text for sending messages and for authentication. If you add a certificate to the POP3 virtual servers or the IMAP4 virtual servers, you can offer Secure Sockets Layer (SSL) encryption. When you use SSL encryption, both the authentication sequence and the message bodies are encrypted throughout transit across public networks.

Simple Mail Transfer Protocol Virtual Servers

SMTP virtual servers provide the following services, either on their own or in conjunction with an SMTP connector:

• Mail collection and delivery to and from external SMTP servers.
• Mail routing between Exchange Server routing groups.
• Mail reception from POP3/IMAP4 clients.

You may not be able to configure the SMTP virtual server that sends and that receives mail with external domains by using the Exchange SMTP connector and SSL encryption. Most SMTP servers on the Internet do not support SSL encryption; however, if you use SMTP as the POP3 and the IMAP4 e-mail message delivery mechanism, you must encrypt these transactions. This is particularly true if you have already configured SSL for the POP3 or the IMAP4 e-mail message collection process.

Microsoft recommends that you create two separate SMTP virtual servers for use with Exchange Server routing groups and for POP3 and IMAP4 e-mail message delivery. If you configure both of the virtual servers with certificates and SSL encryption, you can use the default SMTP virtual server to connect to external domains by means of the SMTP connector.

Hypertext Transfer Protocol Virtual Servers

Typically, you use certificates with Hypertext Transfer Protocol (HTTP) virtual servers to provide support for users who use Microsoft Outlook Web Access (OWA) to retrieve their e-mail messages. For this purpose, it may be best to obtain a third-party certificate. With a third-party certificate, users can connect to their mailboxes from public computers, such as those that you can find in kiosks or in Internet cafes.

Network News Transfer Protocol Virtual Servers

Use certificates with NNTP virtual servers if the following conditions are true:

• You have clients that connect to Exchange Server 2003 public folders by using NNTP.
• You use NNTP to replicate public folders between organizations.

Typically, connections to Usenet newsgroup servers do not support authentication or encryption. If you use certificates with NNTP, you must create a second NNTP virtual server for this purpose.

How to Select a Certificate Source

When you obtain certificates to use with your virtual servers, you have three choices:

• You can purchase individual certificates from an external CA.
• You can become a subordinate CA to an external CA.
• You can implement and maintain your own root CA structure.

You may have to combine these approaches. For example, you can create your own CA structure and purchase individual certificates from an external CA.

How to Purchase Certificates from an External Certification Authority

You can apply to an external CA such as VeriSign or Thawte for certificates that are verified by one of the root certificates that are installed with Windows 2000. Purchase individual certificates from an external CA if the following conditions are true:

• You want to provide security-enhanced connectivity to general Internet users (such as in an e-commerce environment).
• You want to support users who have to connect from public computers, for example, in kiosks or Internet cafes.
• You cannot or you do not want to support your own CA environment.

Typically, the cost of a certificate starts at approximately $600 (US currency), making this the least expensive method to obtain just one certificate. For example, if you purchase a certificate in this manner, employees can access their mailbox over a security-enhanced connection from any computer that runs Windows and Internet Explorer 4.0 and later.

How to Become a Subordinate Certification Authority to an External Certification Authority

To complete this approach, you set yourself up as a subordinate CA that is certified by an external CA. This means that you can issue multiple certificates that are trusted because they are linked to publicly available certificates instead of purchasing each certificate separately. You must still maintain your own CA structure. The approval process requires three to six months, and costs a minimum of $50,000 (US currency). For example, Microsoft is a subordinate CA that is certified by VeriSign.

Consider becoming a subordinate CA if the following conditions are true:

• You want to provide many publicly available certificates; for example, for code-signing device drivers.
• You can provide the expertise and the support to implement and to manage a subordinate CA.
• You want the freedom to create, to manage, and to revoke publicly usable certificates.

How to Implement and to Maintain Your Own Root Certification Authority Structure

Create your own root CA structure if the following conditions are true:

• You can create a reliable and effective root CA, and have the equipment to do so.
• You provide connectivity only to users in your own organization or to a limited number of external clients, customers, or computers.
• You use certificates to identify individuals by associating a certificate with a particular logon account.
• You want the maximum freedom and flexibility to create, to assign, and to revoke certificates without reference to any external organization.

If you implement and maintain a CA structure (not a trivial operation), it requires the computers that issue and that maintain certificates to always be available. For more information about how to install and to configure a certificate server, see the Microsoft Windows 2000 Server Resource Kit and Windows 2000 Help.

You may want to consider a mix of both an external CA and your own CA to address your requirements. For example, you can use an external CA for your public e-commerce Web site and use your own CA to verify your employees' identities when they connect to your Exchange Server computer over the Internet.

After you obtain your certificate or you set up your CA, you must install the certificates on the Exchange Server virtual servers. This procedure is generally the same for all server types, except for the HTTP virtual server. To install certificates on the POP3, IMAP4, SMTP, and NNTP virtual servers, use Exchange System Manager. To configure HTTP virtual servers, use Internet Services Manager (this procedure is not described in this article).

How to Request a Certificate from an External Certification Authority

This procedure describes how to install certificates from an external CA in a situation where a certificate request must be prepared and sent to the external CA. You must process the certificate file in a separate sequence.

Note The following procedure only applies to POP3, IMAP4, SMTP and NNTP. This article does not describe how to configure HTTP for SSL.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. If the Display administrative groups option is turned on, expand Administrative Groups, and then expand First Administrative Group (where First Administrative Group is the name of your administrative group).
   
   Note To display administrative groups, right-click Your_Organization, click Properties, click to select the Display administrative groups check box, click OK two times, and then restart Exchange System Manager.
3. Expand Servers, expand the Exchange Server container that you want to configure, and then expand the Protocols container.
4. Expand each protocol that you want to configure, right-click the Default Protocol_Name virtual server object, and then click Properties.
5. Click the Access tab, and then click Certificate.
6. In Web Server Certificate Wizard, click Next, click Create a new certificate, and then click Next.
7. Click Prepare the request now, but send it later, and then click Next.
8. Either type an appropriate name for the certificate in the Name box, or leave the default setting of Default Protocol_Name Virtual Server.
9. In the Bit Length list, click the bit length that you want to use, and then click Next.
   
   Note A longer key length will affect performance and, as a result, can be considered more expensive.
10. In the Organization box and the Organizational unit box, type the organization and the organizational unit information for the CA where you want to request a certificate, and then click Next.
    
    This information is typically available from the CA's Web site or the information is sent to you when you register with the CA.
11. In the Common name box, type the common name for your site, and then click Next.
    
    Note If you want to allow access from the Internet, this name must be a fully qualified domain name (FQDN) that can be resolved externally. This FQDN must map to the IP address that is linked to the virtual server.
12. In the Country/Region list, click your country or your region name.
13. In the State/Province box, and in the City/Locality box, type the information that is appropriate for your organization, and then click Next.
14. In the File name box, do one of the following:
    • Type a name and a path for the location where you want to create the certificate.
    • Leave the default file name in this box.
15. Click Next.
16. Review the information that is on the Request File Summary page. If something is not correct, click Back until you reach the page that must be corrected, and then click Next until you return to the Request File Summary page, and then click Next.
17. The final page confirms that a certificate with the specified file name has been created. The default setting is drive name:\certreq.txt.
18. Click Finish.

How to Install a Certificate from an External Certification Authority

Send the certificate request file that you created in the previous section to your CA. As an alternative, your CA may have a Web-based interface that permits you to submit the certificate request. You receive a file that has a .cer extension. After you receive this file, restart Web Server Certificate Wizard to install this certificate. To do this, follow these steps:

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. If the Display administrative groups option is turned on, expand Administrative Groups, and then expand First Administrative Group (where First Administrative Group is the name of your administrative group).
   
   Note To display administrative groups, right-click Your_Organization, click Properties, click to select the Display administrative groups check box, click OK two times, and then restart Exchange System Manager.
3. Expand Servers, expand the Exchange Server container that you want to configure, and then expand the Protocols container.
4. Expand each protocol that you want to configure, right-click the Default Protocol_Name virtual server object, and then click Properties.
5. Click the Access tab, and then click Certificate.
6. After Web Server Certificate Wizard restarts and you receive notification that you have a pending certificate request, click Next.
7. On the Pending Certificate Request page, click Process the pending request and install the certificate, and then click Next.
8. In the Process a Pending Request box, type the path of the certificate that you received from the external CA.
9. Review the Certificate Summary page, and then click Next.
   
   The information that is contained in the certificate includes who issued the certificate, when the certificate expires, what the certificate is to be used for. The certificate friendly name that appears on the Certificate Summary page is also included.
10. After you receive notification that the certificate is successfully installed on the virtual server, click Finish.

How to Install a Certificate from a Microsoft Certificate Server

If you have installed Certificate Server services on Windows 2000 either as a root CA or as a subordinate CA, you can send your certificate server request to the online CA directly.

Note You can only send a request to an online CA if you have installed the CA in Active Directory as an enterprise CA, instead of a stand-alone CA.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. If the Display administrative groups option is turned on, expand Administrative Groups, and then expand First Administrative Group (where First Administrative Group is the name of your administrative group).
   
   Note To display administrative groups, right-click Your_Organization, click Properties, click to select the Display administrative groups check box, click OK two times, and then restart Exchange System Manager.
3. Expand Servers, expand the Exchange Server container that you want to configure, and then expand the Protocols container.
4. Expand each protocol that you want to configure, right-click the Default Protocol_Name virtual server object, and then click Properties.
5. Click the Access tab, and then click Certificate.
6. In Web Server Certificate Wizard, click Next, click Create a new certificate, and then click Next.
7. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
8. In the Name box, type an appropriate name to identify this certificate or accept the default name of Default Protocol_Name Virtual Server.
9. In the Bit Length list, click the bit length you want to use, and then click Next.
   
   Note Longer key lengths adversely affect performance.
10. In the Organization box and the Organizational unit box, type the organization and the organizational unit information for your server, and then click Next.
11. In the Common name box, type the common name for your site, and then click Next.
    
    This matches the DNS fully qualified domain name (FQDN) that maps to the IP address of the relevant protocol virtual server that is to use this certificate. If users are connecting to this virtual server from the Internet, this name must be an externally resolvable FQDN.
12. In the Country/Region list, click your country or your region name.
13. In the State/Province box, and in the City/Locality box, type the information that is appropriate for your organization, and then click Next.
14. On the Choose a Certification Authority page, review the online CA for your organization, and then click Next.
15. Review the details that you entered in the wizard on the Certificate Request Submission page. If something is not correct, click Back until you reach the page that must be corrected, and then click Next until you return to the Request File Summary page, and then click Next.
16. The final page confirms that a certificate is installed on the virtual server that you selected.
17. Click Finish.

How to Turn On the Require Secure Channel Option

After you install the certificate, you can turn on the Require Secure Channel option for the POP3, IMAP4, and SMTP protocols.

NoteThe NNTP protocol does not have a setting to turn on the Require secure channel option.

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. If the Display administrative groups option is turned on, expand Administrative Groups, and then expand First Administrative Group (where First Administrative Group is the name of your administrative group).
   
   Note To display administrative groups, right-click Your_Organization, click Properties, click to select the Display administrative groups check box, click OK two times, and then restart Exchange System Manager.
3. Expand Servers, expand the Exchange Server container that you want to configure, and then expand the Protocols container.
4. Expand each protocol that you want to configure, right-click the Default Protocol_Name virtual server object, and then click Properties.
5. Click the Access tab, and then click Certificate.
6. Click to select the Require secure channel check box.
   
   Additionally, you can click to select the Require 128-bit encryption box. However, both your Exchange Server computer and any client computers that connect must support 128-bit encryption.
7. Click OK, and then click OK to accept the changes and to close the virtual server properties.

How to Confirm That Your Certificate Is Installed Correctly

To confirm that your virtual server is using SSL encryption and that the certificate is installed correctly, configure Outlook Express to connect by using a security-enhanced channel, and then use Network Monitor to verify that the protocol packets are encrypted. To do this, follow these steps:

1. In Microsoft Outlook Express, click Tools, and then click Accounts.
2. Click either the Mail tab (for POP3, IMAP4, or SMTP) or the News tab (for NNTP).
3. Double-click the Exchange Server account for the relevant protocol, and then click the Advanced tab.
4. Click to select the This server requires a secure connection (SSL) check box.
   
   If you select this box, the POP3 port number changes from 110 to 995, the IMAP4 port changes from 143 to 993, the NNTP port changes from 119 to 563, and the SMTP port remains at port 25.
5. Click OK, and then click Close.
6. Run Network Monitor capture, and then connect to your Exchange Server computer by using the account that you have just set up. When you examine the packets, make sure that the packets for the protocol where you have configured security are encrypted.

For more information about the Certificate Server service, see the Microsoft Windows 2000 Server Resource Kit and the Microsoft Exchange 2000 Server Resource Kit.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.