Planning Certificates in Visual C#.NET

Generate PDF 417 in Visual C#.NET Planning Certificates

office issues your passport, like the CA, and the passport you receive is like the digital certificate. You use digital certificates in relation to sending and receiving e-mail in two areas:

There are three types of certificates based on the authority that issues the certificate: self-signed certificates, Windows public key infrastructure (PKI) generated certificates, and third-party certificates. Table 3-5 provides an overview of these types of certificates and their uses.

When Exchange 2010 is installed, a new certificate is generated automatically if no computer certificate is available. This certificate is used by default to encrypt all communication inside and outside the Exchange organization. If you access your OWA using a Web browser, you need to confirm that the server s certificate is correct because you do not trust this certificate by default. Self-signed means that the computer itself acted as a CA and signed its own certificate. These certificates are issued by a Windows CA (such as Windows Server 2008 R2 s Active Directory Certificate Service) and you can request them at no extra cost and install them immediately. Normally, they are not trusted publicly, so you need to make sure that the root certificate is imported at every server, client, and device that does not belong to your Active Directory. In your Active Directory forest, the information is distributed automatically. This type of certificate is automatically trusted within the Internet and can be purchased by a third-party CA such as VeriSign. It is the easiest and least time-consuming way to implement certificates, but you need to buy them. Thus, you probably won t have an official certificate for every Exchange server in your environment.

You cannot use self-signed certificates for mutual TLS or Domain Security communication to and from the Internet in Exchange 2010 only Windows PKI generated certificates or third-party certificates are supported there.

messaging, you have to make sure that your partners servers trust your root Ca (by importing your root certificate).

Exchange uses certificates to communicate securely between the different server roles. By default each Exchange server uses either the certificate issued by the domain or issues its own self-signed certificate and uses this one for communication. If you do not require secure communication to the Internet, a self-signed certificate works without issue. However, if you want to consider a secure Exchange 2010 implementation, some server roles require an independent certificate if they are communicating with the client. Table 3-6 provides an overview of which Exchange Server roles require which certificate for which purpose.

Windows PKI or third-party for external, self-signed for internal mail flow Windows PKI or third-party

Outlook Web App (OWA) Exchange Web Services (EWS) Outlook Anywhere ActiveSync POP3 IMAP4 Autodiscover

SMTP over TLS Outlook Web App (OWA) Exchange Web Services (EWS) Outlook Anywhere ActiveSync POP3 IMAP4 Autodiscover

An application-layer firewall such as Microsoft TMG can be used to proxy traffic between the perimeter and

Exchange 2010 certificates need to have a certain format to work correctly with the TLS protocol. Because the Edge Transport servers might have multiple domain names or service connection points (SCPs), you have two options:

Use a single certificate on your server(s) with Subject Alternative Names (SAN) support, also known as Unified Communications Certificates. Use individual certificates.

on the servers. Unfortunately, it is also more expensive than a normal certificate if purchased from a third-party Ca.

Thus when considering certificates in Exchange 2010, you need to answer two key questions:

Where do you want to place certificates Do you want to use one certificate per server or a single certificate for all your servers If you want to use a single certificate for all your servers, make sure you distinguish between internal and external servers. If you use an application-layer firewall in a perimeter network, consider implementing a separate certificate for it. What SAN names should the certificates have If you use one certificate for all servers, you need to consider all SAN names that you want to add.

To plan for all the domains or host names that should be included in the certificate, Table 3-7 should provide you with a basic understanding of what is required.