Certificate management for Exchange Unified Messaging 2010

Microsoft Exchange Unified Messaging 2010 will be released with a lot of goodies. One of them is to give more control to the admins so that they can hand pick the certificate with which they want Microsoft Exchange Unified Messaging service to run.

In UM Exchnage 2007 the service would automatically choose what "it thinks" is the best certificate in the machine store. However, the customer feedback told us to change this design and let admins specify what certificate to choose and tell UM for making the connections using TLS. And with this new design you dont have to learn any new cmdlets: *-exchangecertificate cmdltes can be used to create and assign a certificate to UM service.

Admins of Exchange 2007 who have used UM to make connection only over TCP will not have to make any changes. Out of the box UM continues to make connections over TCP only.  

Admins who want to accept or make secured calls using TLS will have to do following three steps. I have given some examples below.

- Change the mode of UM service from TCP to Dual or TLS. Dual mode means that the UM service will listen for calls on both TCP and TLS. TLS means that UM will listen only over TLS.

- Get a new certificate.

- Assign the certificate to UM and restart the service.

Finally, take steps so that the IP Gateway will trust and accept this certificate.

Here are some examples to do what I have mentioned above using powershell cmdlets. Same can be acheived using EMC as well. I will not be going through the EMC in this blog post.

1. Change the mode of the server to Dual or TLS using set-umserver cmdlet. As you can see it nicely gives warnings as to what are next steps.

  [PS] D:\Windows\system32>set-umserver -UMStartupMode dual -Identity EXCH-I-349
WARNING: Changes to UMStartupMode will only take effect after the Microsoft Exchange Unified Messaging service is
restarted on server EXCH-I-349.
WARNING: To complete TLS setup, do all of the following: (1) Create a new certificate using the New-ExchangeCertificate
cmdlet (2) Associate this certificate with the Unified Messaging server using the Enable-ExchangeCertificate cmdlet
(3) For self-signed certificates, copy this certificate to the UM IP gateway and correctly import it. For CA-signed
certificates, correctly import the CA certificate to the UM IP gateway.

2. To get a new certificate, you can use new-exchangecertificate cmdlet. This cmdlet can be used to create a new self signed certificate or a new certificate request. Details of the cmdlet can be seen at msdn.

[PS] D:\Windows\system32>New-ExchangeCertificate -Services none -Server EXCH-I-349

Thumbprint                                Services   Subject
----------                                --------   -------
80FAC0BC54F7282D14D326C34F80B02C3AA668CF  IP....     CN=EXCH-I-349

In the above example I have created a new self signed certificate which is present in the UM server's machine store and can be used by any MS Exchange service.

3) Assign the above generated self signed certificate to UM.

[PS] D:\Windows\system32>Enable-ExchangeCertificate -Services UM -Thumbprint 80FAC0BC54F7282D14D326C34F80B02C3AA668CF -s
erver EXCH-I-349

Confirm
Enable certificate with thumbprint 80FAC0BC54F7282D14D326C34F80B02C3AA668CF for Unified Messaging?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): yes
WARNING: To complete configuration (1) Restart Microsoft Exchange Unified Messaging Service on EXCH-I-349 and (2) For
self-signed certificates, install this certificate on the UM IP Gateway. For CA-signed certificates, import the CA
certificate on the UM IP Gateway.

Again notice the warning it gives.

4) Restart UM service so that it starts listening on TLS.

5) As specified by the warnings in the cmdlets ensure that the IP gateway trusts the certifcate used by the UM service. The warnings themselves are self explanatory that I wont be going through them again.

6) Check the certificate used by the services

[PS] D:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
80FAC0BC54F7282D14D326C34F80B02C3AA668CF  IPU...      CN=EXCH-I-349
3F4FF713FE8A604BCD84B20075B354DFCE36742B  IP.WS.     CN=EXCH-I-349

 

If your were using a self signed certificate then you could combine steps 2 and 3 together.

[PS] D:\Windows\system32>New-ExchangeCertificate -Services UM -Server EXCH-I-349

Confirm
Enable certificate with thumbprint 7B14E7BDF61F6461FBF32D4570B7DBE65E136B67 for Unified Messaging?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): yes

Thumbprint                                Services   Subject
----------                                --------   -------
7B14E7BDF61F6461FBF32D4570B7DBE65E136B67  IPU...     CN=EXCH-I-349