Tuesday, July 9, 2013

Exchange 2013 Certificates and Encryption

Exchange 2013, like previous versions of Exchange, requires digital certificates to encrypt traffic between Exchange and clients such as Outlook Web Access, ActiveSync and RPC over HTTPS.  Certificates can also be used for additional services such as Unified Messaging, TLS for SMTP connections and the legacy POP and IMAP protocols.

In previous versions of Exchange, such as 2007 and 2010, certificates were installed on the Client Access server role to provide encryption between Exchange and clients.  In Exchange 2013 certificates reside on both the Mailbox and Client Access servers.

The Client Access role is the only role for which you, as an administrator, are required to install a certificate.  It is recommended that the new certificate be obtained from an external certificate authority such as DigiCert, to ensure the certificate is trusted by external devices that are not joined to the Active Directory domain, such as mobile phones.  The certificate can be installed using the new web-based management tool, the Exchange Administration Console (EAC).
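The same procedure can be carried out from the Exchange Management Shell instead of the EAC. The following is an added example, not code from the original post: it requests a certificate from an external CA, imports the CA's response and binds it to IIS on a Client Access server. The server name, host names, subject details and file paths are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post): request, import and enable a
# CA-issued certificate on an Exchange 2013 Client Access server.
# Server name, host names, organisation details and paths are assumptions.

$CasServer    = 'CAS01'                          # assumed Client Access server name
$RequestPath  = 'C:\Certs\mail-contoso-com.req'  # assumed path for the CSR
$IssuedPath   = 'C:\Certs\mail-contoso-com.cer'  # assumed path for the CA's response
$FriendlyName = 'Exchange 2013 CAS - mail.contoso.com'

# 1. Generate a certificate signing request. Every name clients connect to
#    (OWA, ActiveSync, Outlook Anywhere, Autodiscover) goes in -DomainName so the
#    external CA issues a SAN certificate that matches all of them.
$csr = New-ExchangeCertificate -Server $CasServer -GenerateRequest `
    -FriendlyName $FriendlyName `
    -SubjectName 'CN=mail.contoso.com, O=Contoso, L=Sydney, S=NSW, C=AU' `
    -DomainName 'mail.contoso.com', 'autodiscover.contoso.com' `
    -PrivateKeyExportable $true -KeySize 2048

# New-ExchangeCertificate -GenerateRequest returns the PEM-encoded request as
# text; save it and submit that file to the external CA.
Set-Content -Path $RequestPath -Value $csr -Encoding Ascii

# 2. After the CA returns the signed certificate, import it on the same server
#    so that it pairs with the private key generated in step 1.
$issued = Import-ExchangeCertificate -Server $CasServer `
    -FileData ([Byte[]]$(Get-Content -Path $IssuedPath -Encoding Byte -ReadCount 0))

# 3. Bind the CA-issued certificate to IIS, which fronts OWA, ECP, ActiveSync,
#    EWS and RPC over HTTPS. Add SMTP to -Services if the same certificate
#    should also protect TLS SMTP connections.
Enable-ExchangeCertificate -Server $CasServer -Thumbprint $issued.Thumbprint -Services IIS

# 4. Verify: the certificate now bound to IIS must not be self-signed.
Get-ExchangeCertificate -Server $CasServer |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, NotAfter, CertificateDomains
```

Run the request step and the import step on the same server; the private key generated in step 1 never leaves that machine, and the CA's response can only be paired with it there.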

Because the Client Access server role now only provides authentication and proxy/redirection logic and does not render any content, a certificate is also required on the Mailbox server to ensure communication between the Client Access and Mailbox servers remains secure.  Exchange 2013 automatically installs a self-signed certificate on the Mailbox server as part of the installation process.  The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about an untrusted self-signed certificate, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party.

It is very important that you do not delete the self-signed certificates on the Mailbox server; doing so will break your Exchange environment!
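To check that an environment matches the arrangement described above (a CA-issued certificate serving clients on the Client Access servers, the self-signed certificate left in place on the Mailbox servers), the following added example, which is not code from the original post, audits every Exchange 2013 server from the Exchange Management Shell. It only reads; it never removes a certificate. The 30-day expiry threshold is an assumption.

```powershell
# Added example (not from the original post): read-only certificate audit
# across all Exchange 2013 servers. Flags a self-signed certificate bound to
# IIS on a Client Access server (external clients will not trust it) and any
# certificate that has expired or expires soon. A self-signed certificate on
# a Mailbox server is expected and is reported as a note, not a problem.

$ExpiryWarningDays = 30   # assumed threshold; adjust to your renewal lead time
$deadline = (Get-Date).AddDays($ExpiryWarningDays)

$findings = foreach ($server in Get-ExchangeServer) {
    # Edge Transport servers are not domain-joined and are not queried this way.
    if ($server.IsEdgeServer) { continue }

    foreach ($cert in Get-ExchangeCertificate -Server $server.Name) {
        $services   = [string]$cert.Services
        $boundToIis = $services -match 'IIS'

        $issue = $null
        if ($server.IsClientAccessServer -and $boundToIis -and $cert.IsSelfSigned) {
            $issue = 'PROBLEM: self-signed certificate serving IIS on a Client Access server'
        }
        elseif ($cert.NotAfter -lt (Get-Date)) {
            $issue = 'PROBLEM: certificate has expired'
        }
        elseif ($cert.NotAfter -lt $deadline) {
            $issue = "WARNING: certificate expires within $ExpiryWarningDays days"
        }
        elseif ($server.IsMailboxServer -and $cert.IsSelfSigned) {
            $issue = 'NOTE: self-signed certificate on a Mailbox server is expected, do not delete'
        }

        if ($issue) {
            [PSCustomObject]@{
                Server     = $server.Name
                Roles      = [string]$server.ServerRole
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Services   = $services
                SelfSigned = $cert.IsSelfSigned
                NotAfter   = $cert.NotAfter
                Finding    = $issue
            }
        }
    }
}

$findings | Sort-Object Server, NotAfter | Format-Table -AutoSize
```

On a multi-role server (ServerRole "Mailbox, ClientAccess") the first branch still applies, because it is the binding to IIS, not the role list, that decides whether external clients are presented with the self-signed certificate.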
