
Exchange Certificate SSL Let's encrypt

Monday 26 September 2016
11:14

https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Create-a-SAN-certificate-for-Exchange-2016

Download latest release: https://github.com/Lone-Coder/letsencrypt-win-simple/releases

IIS Settings Changes (Manual Install)

Before you can do anything else, we need to make sure that IIS will respond with the appropriate authorization responses externally. The ACME servers will verify that you're running the client on the server that you're trying to get a certificate for. So the client software will create files in %SystemDrive%\inetpub\wwwroot in a folder called ".well-known\acme-challenge".

By default, this directory won’t be visible to the outside world. You need to adjust IIS settings for this directory to allow access.

- Create the .well-known\acme-challenge folder in your wwwroot directory. By default, this path should be: C:\inetpub\wwwroot\.well-known\acme-challenge. You will probably need to do this from the command line.
- In Internet Information Services (IIS) Manager, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck “Require SSL”. Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- Check the acme-challenge directory and create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure your server is reachable on port 80
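The manual IIS steps above, done from PowerShell and followed by a self-test of the challenge path. This is an added example, not code from the wiki or from the letsencrypt-win-simple project: it assumes the IIS WebAdministration module, the Default Web Site, and the placeholder host name webmail.domain.com; the web.config it writes is an assumed equivalent of the client's Web_Config.xml (serve extensionless token files as plain text), not a copy of that file.

```powershell
# Added example (not from the page or the client): prepare the http-01 challenge
# folder on IIS, relax SSL/authentication for that folder only, then self-test it.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$HostName  = 'webmail.domain.com'            # placeholder, use your primary host
$Root      = Join-Path $env:SystemDrive 'inetpub\wwwroot'
$Challenge = Join-Path $Root '.well-known\acme-challenge'

# 1. Create the folder (Explorer refuses names that start with a dot; PowerShell does not).
New-Item -ItemType Directory -Path $Challenge -Force | Out-Null

# 2. web.config: ACME tokens are extensionless files, so map "." to text/plain
#    or IIS answers 404 for them. Assumed equivalent of Web_Config.xml.
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $Challenge 'web.config') -Encoding UTF8

# 3. Same as IIS Manager: uncheck "Require SSL" and allow Anonymous Authentication,
#    scoped to this folder so the rest of the Exchange site keeps its settings.
$Location = "$SiteName/.well-known/acme-challenge"
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true

# 4. Self-test over plain HTTP, the way the ACME validator will fetch the token.
#    A 301 to https or a 403 here means the validation would fail as well.
$Token = [guid]::NewGuid().ToString('N')
Set-Content -Path (Join-Path $Challenge $Token) -Value 'probe' -NoNewline
try {
    $Resp = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/$Token" -UseBasicParsing
    if ($Resp.StatusCode -eq 200 -and $Resp.Content -eq 'probe') { 'Challenge path reachable over HTTP' }
    else { "Unexpected response: $($Resp.StatusCode) $($Resp.Content)" }
} finally {
    Remove-Item -Path (Join-Path $Challenge $Token) -ErrorAction SilentlyContinue
}
```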

Running the Client

Assuming you've installed the client on one of your Exchange 2016 servers, now you'll need to run it. I ran it in PowerShell. Run PowerShell with administrative privileges. Then change your directory to be wherever you've installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt

letsencrypt.exe --san

Choose M for Manual

This is the name of the primary host:

webmail.domain.com

This is the list of SANs on the certificate (repeat the primary host name):

webmail.domain.com,autodiscover.domain.com

This is the path to the Default Web Site root directory, notice, I'm using the same path the script mentions when it lists out the various sites. If you try to use \inetpub\wwwroot, it'll fail to create the certificate properly:

%SystemDrive%\inetpub\wwwroot

Choose yes to update the schedule task (I had an old one created during testing of the script. If you don't fail a few times, like I did, you probably won't be prompted for this).

No to use a different user account. I’m logged in as the account I want to run this under, so I chose No.

If you select No above, the renewal will only run when you are logged on, if you want it to run when you are not logged on, select Y and enter your

Updating Website Bindings to Use the New Certificate

At this point, the cert will be installed and registered in IIS, but the Default Web Site won't switch to it automatically. You'll need to right-click "Default Web Site". Choose "Edit Bindings...". Click on https, port 443, *. Click "Edit...". Change the SSL certificate to the one named "webmail.domain.com", which will be followed by the date you created the certificate using Let's Encrypt. Click Ok. Try to access https://webmail.domain.com/owa to verify it works.
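The binding change just described, scripted, plus a check that OWA really presents the new certificate afterwards. Added example, not the wiki's or the client's code: it assumes the WebAdministration module, that the client imported the certificate into LocalMachine\My, and the placeholder host name webmail.domain.com.

```powershell
# Added example (not from the page): re-point the https binding of the Default Web
# Site at the newest Let's Encrypt certificate for the host, then verify over TLS.
Import-Module WebAdministration

$HostName = 'webmail.domain.com'   # placeholder, as on the page
$SiteName = 'Default Web Site'

# Every renewal adds another certificate with the same subject, so take the most
# recently issued one that actually carries its private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -eq "CN=$HostName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }
"Binding $($Cert.Thumbprint), valid until $($Cert.NotAfter)"

# Same change as Edit Bindings... -> https, 443, * -> Edit... in IIS Manager.
$Binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $Binding) { throw "No https binding on port 443 for $SiteName" }
$Binding.AddSslCertificate($Cert.Thumbprint, 'My')

# Verify like a client would: complete a TLS handshake and compare the presented
# leaf certificate's thumbprint with the one just bound. Chain validation is
# deliberately bypassed here because the thumbprint comparison is the check.
$Tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, { $true })
try {
    $Ssl.AuthenticateAsClient($HostName)
    $Served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} finally {
    $Ssl.Dispose(); $Tcp.Dispose()
}

if ($Served.Thumbprint -eq $Cert.Thumbprint) {
    "OK: https://$HostName/owa presents the new certificate"
} else {
    "MISMATCH: server presented $($Served.Thumbprint); another node or a stale binding answered"
}
```

In the Exchange Management Shell, Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS performs the same binding change through Exchange's own tooling.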
Final Steps

Now that you’ve installed this cert on one of your Exchange servers, you’ll need to install this cert on the other servers in your lab.

The private/public keys will be stored here:

$env:userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

Mine was called webmail.domain.com-all.pfx

Copy that to your other machine, import it. I imported it into the System context, rather than local user. Once imported, just like above, you need to edit the bindings in IIS to use the webmail.domain.com certificate. Once you've done this on all of your servers, your lab should be all ready to use SSL.
Other Ways To Run
Auto Install on IIS

You can also have the client automatically create and install the certificate on IIS if you have HTTP bindings for the host name(s). Instead of selecting M
Site ID for the Default Web Site 1. It will find the web root automatically, create the .well-known/acme-challenge/ folders, create the web.config file,
site, generate the certificate, create/update the IIS HTTPS bindings for the new certificate.
Centralized SSL Support

If you are using IIS 8.0 or greater you can take advantage of Centralized Certificate Stores. Add the --centralsslstore C:\Central_SSL\ argument when you run the client and the client will save the certificate there. You can also use this with the Auto Install method above to install it automatically and use the central ssl
Verification

To make sure all is working properly, I'd encourage you to use the connectivity testing tools. The Microsoft Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. With Outlook 2016 requiring the use of Autodiscover to connect to Exchange, verifying that this works properly is an important step in making sure your environment is set up correctly.

Exchange Certificate SSL Let's encrypt
Monday 26 September 2016
11:14

Download latest release: https://github.com/Lone-Coder/letsencrypt-win-simple/releases

- Create the .well-known\acme-challenge folder in your wwwroot directory. By default, this path should be: C:\inetpub\wwwroot\.well-known\acme-challenge. You will probably need to do this from the command line.
- In Internet Information Services (IIS) Manager, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck “Require SSL”. Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- Check the acme-challenge directory and create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure your server is reachable on port 80

Running the Client

Run PowerShell with administrative privileges. Then change your directory to be wherever you've installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt

letsencrypt.exe --san

Choose M for Manual

This is the name of the primary host:

webmail.domain.com

This is the list of SANs on the certificate (repeat the primary host name):

webmail.domain.com,autodiscover.domain.com,mail.domain.com

This is the path to the Default Web Site root directory:

%SystemDrive%\inetpub\wwwroot

Select NO (N) for the next questions

The private/public keys will be stored here:


$env:userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

Mine was called webmail.domain.com-all.pfx

Import the certificate:


Open MMC -> Certificates -> MY USER ACCOUNT
Under PERSONAL go to ALL TASKS -> IMPORT
Leave the password blank
During the import make sure "MARK THIS KEY AS…" and "INCLUDE ALL…" are checked!

Export it:
Go to the certificate you just imported, right-click -> ALL TASKS -> EXPORT
Select YES to export the private key (this is very important!)
Make sure "INCLUDE ALL…" and "EXPORT ALL…" are checked!
Set a password, otherwise you won't be able to install it on your Exchange server

Exchange Certificate SSL Let's encrypt PT-BR
03 May 2017
20:55

Download latest release: https://github.com/Lone-Coder/letsencrypt-win-simple/releases

# Requirements:
- Create the .well-known\acme-challenge folder in the wwwroot directory. By default, this path should be: "C:\inetpub\wwwroot\.well-known\acme-challenge". You will probably need to do this from the command line.
- In IIS, under Default Web Site, find the new acme-challenge folder you created.
- Open the SSL settings for that folder -> Uncheck "Require SSL". Click Apply on the right side.
- Verify that the Authentication settings allow Anonymous Authentication.
- Check the acme-challenge directory and create or replace the web.config file with the content of the Web_Config.xml file in the client's root folder (c:\letsencrypt in the example below).
- Make sure the server is reachable on port 80 (this port only needs to be open while the certificate is being generated).

# Running the Client:

Run PowerShell with administrative privileges. Then change your directory to wherever you installed the letsencrypt.exe client. Mine was installed in c:\letsencrypt

letsencrypt.exe --san

Choose M for Manual

This is the name of the primary host (change it to match your scenario):

webmail.domain.com

This is the list of SANs on the certificate (repeat the primary host name):

webmail.domain.com,autodiscover.domain.com,mail.domain.com

This is the path to the Default Web Site root directory:

%SystemDrive%\inetpub\wwwroot

Select NO (N) for the next questions.

The private/public keys will be stored here:

$env:userprofile\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

Mine was called webmail.domain.com-all.pfx

# Import the certificate:
Open MMC -> Certificates -> MY USER ACCOUNT
Under PERSONAL go to ALL TASKS -> IMPORT
Leave the password blank
During the import make sure "MARK THIS KEY AS..." and "INCLUDE ALL..." are checked!

# Export it:
Go to the certificate you just imported, right-click -> ALL TASKS -> EXPORT
Select YES to export the private key (this is very important!)
Make sure "INCLUDE ALL..." and "EXPORT ALL..." are checked!
Set a password, otherwise you won't be able to install it on your Exchange server

# After that you can open the EMC and import this .pfx on your Exchange servers
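The MMC import/export round trip described on this page and on the English page before it, done in PowerShell, followed by the Exchange-side import the last line refers to. Added example, not the page's or the client's code: it assumes the PfxCertificate module (Windows Server 2012 or later), the client's default output path shown above, that the last step runs in the Exchange Management Shell on the target server, and the placeholder host name webmail.domain.com.

```powershell
# Added example (not from the page): import the passwordless PFX the client wrote,
# re-export it password-protected, and install it into Exchange.
$HostName  = 'webmail.domain.com'   # placeholder, as on the page
$SourcePfx = Join-Path $env:USERPROFILE "AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\$HostName-all.pfx"
$ExportPfx = Join-Path $env:TEMP "$HostName-export.pfx"

# 1. Import into the machine store (the "System context" the English page uses) and
#    mark the key exportable, which is what "MARK THIS KEY AS..." does in the wizard.
$Cert = Import-PfxCertificate -FilePath $SourcePfx -CertStoreLocation Cert:\LocalMachine\My -Exportable
if (-not $Cert.HasPrivateKey) { throw 'Import produced a certificate without a private key' }
"Imported $($Cert.Subject) $($Cert.Thumbprint)"

# 2. Export with the chain and a password. Exchange rejects an unprotected PFX, and the
#    file carries the private key, so it must not travel between servers unprotected.
$Password = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $Cert -FilePath $ExportPfx -Password $Password -ChainOption BuildChain | Out-Null

# 3. On each Exchange server (Exchange Management Shell): import and enable for IIS,
#    which replaces the manual EMC import and the binding edit in one step.
$Imported = Import-ExchangeCertificate -FileData ([IO.File]::ReadAllBytes($ExportPfx)) `
    -Password $Password -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $Imported.Thumbprint -Services IIS -Confirm:$false
Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter

# 4. Remove the exported file once it has been imported everywhere.
Remove-Item -Path $ExportPfx -Force
```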
