The (Very) Basics of SSL for Exchange/Windows


SSL stands for Secure Sockets Layer. As the Secure part of the name implies, the purpose of SSL is to protect the communication between a client (a browser such as Internet Explorer or Firefox, or a mail client) and the server service it is talking to, whatever the protocol (HTTP for web browsing, IMAP, POP3, SMTP, and so on).

SSL works by encrypting data: the sender applies a mathematical transformation to it using a key before it leaves, and the destination, which holds the matching key, applies the reverse transformation to get the original data back (this is known as decryption). As part of setting up the connection the server also presents a certificate that proves its identity to the client; that certificate is what the rest of this article is about.

SSL can take a fair amount of computer power, because everything the website sends, graphics and images as well as text, is encrypted. Most SSL websites, or the SSL portions of websites, are kept "light", with few graphics or images, to minimize this overhead.

SSL is often used for financial transactions, login transactions, and any other communication that needs to be kept private. For example, installing the OWA Admin tool on your Exchange Server also installs a self-signed SSL certificate (that is, one not issued by a third-party authority) on your Exchange Server.

However, self-signed certificates have a problem: each time one is used, the browser pops up a warning telling the user that the certificate is not trusted. The alternative is to have every end user import the certificate into the Trusted Root Certification Authorities store on their computer, which explicitly marks the certificate as trusted.

To avoid this, every operating system ships with a pre-loaded list of trusted root certification authorities, the companies that issue certificates. If you acquire your certificate from one of those companies, so that it chains up to one of the pre-loaded roots, the warning dialog never appears. One caveat: the name in the certificate must also match the host name the client connects to (for example, mail.contoso.com); a certificate from a trusted authority issued for the wrong name still produces a warning.

In North America, probably the three most common certification authorities (that is, companies from whom you can buy SSL certificates) are VeriSign, Thawte (which is owned by VeriSign), and Entrust. Certificates issued by these companies are recognized by practically every internet browser in the world.

In the email world, SSL certificates are often used to protect web mail communications, including (perhaps most significantly) the sign-in process. This ensures that user passwords are not sent over the Internet in the clear, where anyone on the path could read them. SSL may also be used to encrypt the mail protocols themselves when the client knows how to do the same. There are defined, Exchange-supported mechanisms for using SSL with SMTP, POP, and IMAP, in addition to the normal HTTP (World Wide Web) case. TLS (Transport Layer Security) is the IETF's successor to SSL 3.0; it is what Exchange uses to protect SMTP, where a plain-text connection is upgraded to an encrypted one with the STARTTLS command. TLS uses the same kind of X.509 certificate as SSL, so the certificate you obtain for OWA also serves SMTP, POP, and IMAP.
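To see the things described above for yourself, the following added example (not from the original post) connects to an Exchange server's HTTPS, IMAP-over-SSL or POP3-over-SSL port, or to SMTP and upgrades the session with STARTTLS, and then reports the certificate the server presented, whether it chains to a trusted root on this computer, and whether its name matches the host name. A self-signed certificate shows up as Trusted=False with ChainStatus UntrustedRoot, which is exactly what a browser or mail client is warning about. The host name mail.contoso.com and the EHLO name are assumptions; the name check does not handle wildcard certificates.

```powershell
# Added example, not part of the original post. Host names below are assumptions.
function Test-SslEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 443,
        [switch]$StartTls      # use for SMTP on port 25 or 587
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $raw = $client.GetStream()

    if ($StartTls) {
        # Plain-text SMTP dialogue until the server agrees to switch to TLS.
        $reader = New-Object System.IO.StreamReader($raw)
        $writer = New-Object System.IO.StreamWriter($raw)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        # Read one (possibly multi-line) SMTP reply; continuation lines have '-' after the code.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
            return $lines
        }
        $null = & $readReply                          # 220 greeting
        $writer.WriteLine('EHLO probe.example.net')   # client name is an assumption
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[ -]STARTTLS')) {
            $client.Close()
            throw "${Server}:$Port does not advertise STARTTLS"
        }
        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply[0] -notmatch '^220') {
            $client.Close()
            throw "STARTTLS refused: $($reply[0])"
        }
    }

    # Accept any certificate during the handshake so we can inspect it afterwards;
    # trust is evaluated explicitly below instead of letting the handshake fail.
    $ssl = New-Object System.Net.Security.SslStream($raw, $false, { $true })
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Build the chain against this computer's Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $client.Close()

    [pscustomobject]@{
        Server      = $Server
        Port        = $Port
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Trusted     = $trusted
        ChainStatus = $status
        # GetNameInfo returns the first SAN DNS name, or the CN if there is no SAN.
        NameMatches = ($cert.GetNameInfo('DnsName', $false) -eq $Server)
    }
}

# OWA, IMAP over SSL, POP3 over SSL, and SMTP with STARTTLS on the same server.
Test-SslEndpoint -Server mail.contoso.com -Port 443
Test-SslEndpoint -Server mail.contoso.com -Port 993
Test-SslEndpoint -Server mail.contoso.com -Port 995
Test-SslEndpoint -Server mail.contoso.com -Port 25 -StartTls
```

The handshake callback deliberately returns true for every certificate; that is acceptable here only because the function is a diagnostic that never sends credentials. A real client must let validation fail.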

Whether using SSL certificates is worthwhile or not is beyond the scope of this article, although it should be noted that using SSL certificates with OWA, IMAP, and POP3 is considered a best practice. There are many fine books that discuss the security implications both of using encryption and of going without it. The first step along the path to secure communications is to obtain the SSL certificate, and the first step to obtaining an SSL certificate is to generate a Certificate Signing Request (CSR).

Windows Vista, Windows XP, and Windows Server 2003 provide a number of different mechanisms for maintaining the certificate store on a computer, each targeted at different needs. The first, the Certificates MMC snap-in, provides a simple mechanism for viewing, interrogating, and deleting the certificates on a computer. However, its interface for requesting certificates is poor.

Secondly, if a Certification Authority (Certificate Services) is installed on a server, it has a web enrollment interface available at http://<servername>/certsrv.

For many years, the mechanism that was most interesting for Exchange was the "Create a new certificate" option of the Web Server Certificate Wizard in Internet Information Services Manager (reached from the Directory Security tab of the website's properties). This is the interface you use in Exchange 2000 Server and Exchange Server 2003 to generate a certificate signing request.

In Exchange Server 2007, you use the New-ExchangeCertificate cmdlet with the -GenerateRequest parameter in the Exchange Management Shell to generate the request, then Import-ExchangeCertificate to bring the issued certificate back in and Enable-ExchangeCertificate to assign it to the IIS, SMTP, POP, and IMAP services.
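The procedure just described, end to end, as an added example that is not from the original post: generate the CSR on Exchange 2007 from the Exchange Management Shell, check what it contains before submitting it, and, once the authority has issued the certificate, import and enable it. For the Exchange 2000/2003 case the example uses the built-in certreq.exe rather than the IIS wizard, since certreq is the scriptable equivalent. Organization, host names, file paths, and the thumbprint placeholder are assumptions.

```powershell
# Added example, not part of the original post. Names and paths are assumptions.

# --- Exchange Server 2007: generate the CSR from the Exchange Management Shell ---
# The subject is the public name clients connect to; -DomainName adds the other
# names (autodiscover, the internal name) as Subject Alternative Names so the
# name check passes for every host name in use. 2048-bit keys are the minimum
# worth requesting; the private key is exportable so the cert can be moved later.
New-ExchangeCertificate -GenerateRequest -Path C:\CertReq\mail.contoso.com.req `
    -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "c=US, o=Contoso, cn=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com, mail.contoso.local

# Check: decode the request and confirm the subject and alternative names are
# right BEFORE paying for the certificate; a typo here means buying it twice.
certutil -dump C:\CertReq\mail.contoso.com.req

# After the authority returns the signed certificate (mail.contoso.com.cer):
Import-ExchangeCertificate -Path C:\CertReq\mail.contoso.com.cer

# Find the new certificate's thumbprint, then bind it to the services.
# Get-ExchangeCertificate lists subject, services, and thumbprint.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, Thumbprint, NotAfter
Enable-ExchangeCertificate -Thumbprint 0123456789ABCDEF0123456789ABCDEF01234567 `
    -Services "IIS,SMTP,POP,IMAP"    # thumbprint above is a placeholder

# --- Exchange 2000/2003 on IIS: the same CSR with certreq.exe instead of the wizard ---
# certreq reads a request definition from an .inf file. KeySpec=1 and the
# SChannel provider mark the key for use by IIS/SSL; MachineKeySet puts it in
# the computer store rather than the logged-on user's store.
@'
[NewRequest]
Subject = "CN=mail.contoso.com, O=Contoso, C=US"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication
'@ | Set-Content -Path C:\CertReq\mail.contoso.com.inf

certreq -new C:\CertReq\mail.contoso.com.inf C:\CertReq\mail.contoso.com.req
# ... submit the .req to the CA, save the reply as .cer, then install it
#     against the pending request (the private key is already in the machine store):
certreq -accept C:\CertReq\mail.contoso.com.cer
```

With certreq the certificate is then selected in the IIS Web Server Certificate Wizard ("Assign an existing certificate"), and the same certificate can be chosen for SMTP, POP3, and IMAP4 in Exchange System Manager. In either version, run the endpoint check from earlier in the article after enabling the certificate to confirm that clients now see a trusted chain and a matching name.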

Until next time...

As always, if there are topics you would like for me to cover, please e-mail me or leave a message in the forums.

Published Monday, February 25, 2008 7:47 AM by michael
