Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 1) - Create Certificate Template & Request the Root CA Server Certificate

4/5/2011 4:57:37 PM

Monitoring the Edge Server role requires an install of certificate-based mutual authentication. This process has a lot of steps but is straightforward. To install and configure certificates to enable the Edge Transport servers to use mutual authentication, there are five major tasks to be completed. These tasks follow:

1.	Create a Certificate Template to issue the right format of X.509 certificates for Operations Manager to use for mutual authentication.
2.	Request the Root CA certificate to trust the CA and the certificates it issues. This is done for each Edge Transport server and possibly for the management servers if not using an enterprise CA.
3.	Request a certificate from the Root CA to use for mutual authentication. This is done for each Edge Transport server and for each management server.
4.	Install the Operations Manager agent manually. This is done for each Edge Transport server.
5.	Configure the agent to use the certificate. This is done for each Edge Transport server and for each management server.

These various X.509 certificates are issued from a certificate authority.

Create Certificate Template

This step creates a certificate template named Operations Manager that can be issued from the Windows Server 2008 certification authority web enrollment page. The certificate template supports Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client Authentication (OID 1.3.6.1.5.5.7.3.2), and enables the name to be manually entered rather than auto-generated from Active Directory because the Edge Transport will not be an AD domain member.

The steps to create the security template follow:

1.	Log on to CA, which is DC1.companyabc.com in this example.
2.	Launch Server Manager.
3.	Expand Roles, Active Directory Certificate Services, and select Certificate Templates (fqdn).
4.	Right-click the Computer template and select Duplicate Template.
5.	Leave the version at Windows 2003 Server, Enterprise Edition and click OK.
6.	In the General tab in the Template display name, enter Operations Manager.
7.	Select the Request Handling tab and mark the Allow Private Key to Be Exported option.
8.	Select the Subject Name tab and select Supply in the request. Click OK at the warning.
9.	Select the Security tab, select Authenticated Users, and select the Enroll checkbox.
10.	Click OK to save the template.
11.	Select the Enterprise PKI to expose the CA.
12.	Right-click the CA and select Manage CA.
13.	In the certsrv console, expand the CA; right-click the Certificates Templates and then select New, Certificate Template to Issue.
14.	Select the Operations Manager certificate template and click OK.

The new Operations Manager template is now available in the Windows Server 2008 web enrollment page.

Request the Root CA Server Certificate

This enables the Edge Transport server to trust the Windows Server 2008 CA. This does not need to be done on the OpsMgr management servers because the Windows Server 2008 CA is an Enterprise CA, and all domain members automatically trust it. If the CA is not an enterprise CA, the steps need to be completed for the management servers as well.

To request and install the Root CA certificate on the Edge Transport server, execute the following steps:

1.	Log on to the Edge Transport server (EX3.companyabc.com in this example) with local administrator rights.
2.	Open a web browser and point it to the certificate server, in this case https://dc1.companyabc.com/certsrv. Enter credentials if prompted.
3.	Click the Download a CA Certificate, Certificate Chain, or CRL Link (shown in Figure 1). Figure 1. Download Root CA certificate.
4.	Click the Download CA certificate link. Note: If the certificate does not download, add the site to the Local Intranet list of sites in IE.
5.	Click Open to open the CA certificate.
6.	Click Install Certificate to install the CA certificate.
7.	At the Certificate Import Wizard screen, click Next.
8.	Select Place all certificates in the following store radio button.
9.	Click Browse.
10.	Click the Show physical stores check box.
11.	Expand the Trusted Root Certification Authorities folder and select the Local Computer store.
12.	Click OK.
13.	Click Next, Finish, and OK to install the CA certificate.
14.	Close any open windows.

Repeat for all Edge Transport servers. Now the Edge Transport servers trust certificates issued by the certification authority. The next step is to request the certificates to use for the mutual authentication for all servers.

Related -----------------

- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 3) - Install the Agent on the Edge Transport & Configure the Agent to Use the Certificate

- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 2) - Request a Certificate from the Root CA Server

- Exchange Server 2010 : Installing Edge Transport Monitoring Certificates (part 1) - Create Certificate Template & Request the Root CA Server Certificate

Other -----------------

- SharePoint 2010 : Designing and Managing Pages and Sites for Knowledge Workers - An Overview of Site Collection Administration Tools

- SharePoint 2010 : Designing and Managing Pages and Sites for Knowledge Workers - Reviewing the Site Actions Tools

- Managing Data Access Using Windows Server 2008 R2 Shares (part 2) - Managing Folder Shares

- Managing Data Access Using Windows Server 2008 R2 Shares (part 1)

- Windows Server 2008 R2 : Adding the File Services Role

- Windows Server 2008 R2 : System File Reliability

- Windows Server 2003 : Creating a Baseline for Member Servers (part 2) - Setting Event Log Policies & Configuring Services