Getting a SAN certificate for Exchange 2007
Exchange 2007 uses SAN (subject alternative name) certificates, which allow you to combine several different server names in a single certificate. Generating one can be a problem: the PowerShell command needed to produce the certificate signing request (CSR) is long and unwieldy, and it's easy to make a mistake when typing it in.
The DigiCert web site makes it a lot easier to produce the CSR, with a simple online wizard at www.digicert.com/easy-csr/exchange2007.htm that builds the PowerShell command you need.
You'll need to have defined the server names in advance. Start with a common name like "mail.itexpertmag.co.uk", and then add the appropriate subject alternative names, which can include the standard autodiscover address for Outlook Anywhere and internal network names. The number you can use will depend on the available name slots in the server certificate you intend to buy (usually sold with five or ten slots). You'll also need to fill in details of your organisation, and the key size you want to use.
Once you've completed the form, click the Generate button. This will produce the command you'll need to use to generate the certificate signing request. Copy the PowerShell code into the Exchange Management Shell, and run it. The CSR will be in the root of your server's C: drive (though you can change this by modifying the Path section of the command), ready to be passed on to a signing authority.
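The kind of command this procedure ends with, written out as an added example (it is not the wizard's actual output or DigiCert's code), with a name-slot check before the request and a dump of the finished CSR so the names can be checked before it goes to the signing authority. The organisation details, the internal server name, the slot count and the file name are constructed placeholders.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server.
# Every value except mail.itexpertmag.co.uk is a constructed placeholder.
$CommonName = 'mail.itexpertmag.co.uk'
$AltNames   = @(
    'autodiscover.itexpertmag.co.uk',    # standard autodiscover address
    'exch01.example.local'               # internal server name (placeholder)
)
$NameSlots  = 5                          # assumption: slots in the certificate you intend to buy
$KeySize    = 2048
$CsrPath    = 'C:\mail_itexpertmag_co_uk.csr'

# Put the common name first so it is also listed as a SAN entry,
# and drop accidental duplicates.
$DomainNames = @(@($CommonName) + $AltNames | Select-Object -Unique)

# Stop before generating a key pair if the list will not fit the certificate.
if ($DomainNames.Count -gt $NameSlots) {
    throw "Requested $($DomainNames.Count) names, but the certificate has $NameSlots slots."
}

# Organisation details as entered in the wizard form (placeholders here).
$Subject = "c=GB, s=London, l=London, o=Example Ltd, cn=$CommonName"

# Generate the key pair and write the CSR. The private key stays in the
# server's certificate store; only the CSR file goes to the signing authority.
# -PrivateKeyExportable $true is needed only if the issued certificate must
# later be exported with its key to another server; otherwise use $false.
New-ExchangeCertificate -GenerateRequest -Path $CsrPath -KeySize $KeySize `
    -SubjectName $Subject -DomainName $DomainNames -PrivateKeyExportable $true

# Decode the request and confirm the subject, key length and the
# Subject Alternative Name entries before submitting it.
certutil -dump $CsrPath
```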