Secure Outlook Web Access with (free) SSL: Part 2

Last week, I talked about the various options available when looking to use SSL for encryption of Outlook Web Access. Rather than buying an expensive certificate from Verisign or creating my own CA, I decided to use a free certificate from StartCom. CA and intermediary certificates can easily be imported and are already recognised by Firefox and the upcoming OS X Leopard.

Submit certificate request to the CA

Now that we have our certificate request ready and waiting it's time to process the request and finish the job. I called my certificate request file ‘ certreq.txt' and this is the file I will need to submit to StartCom in order to for them to generate a valid SSL certificate. Remember to install the StartCom Certificate Authority on the machine which will be using SSL. To do this, simply run the StartCom import wizard.

We start by browsing to the certificate wizard. Here we find two certificate options, class 1 and class 2. I won't go in to the various differences between the two classes of certificate; a class 1 certificate is more than adequate for our purposes. Look here for more information on the various types of certificates available from StartCom. Before we start, it's also worth noting that you will need access to one of the following e-mail addresses in order to complete this process:

Starting from the certificate wizard:

  1. Select Class 1 Certificate and click Continue.
  2. Select SSL Server Certificate (Without CSR generation). Select Class 1 Certificate and click Continue.
  3. Select SSL Server Certificate (Without CSR generation).
  4. Log in or register your details with StartCom. They will check these, so enter them correctly or face revocation of your certificate!
  5. Open the previously generated certificate request file and select all. Copy the entire contents to the clipboard and paste it into the text area of the certificate wizard. Click Continue.
  6. Select one of the e-mail addresses to use for verification and Continue (see above).
  7. Enter the verification code received via e-mail and click Continue.

The certificate has now been generated. Copy and paste the certificate text into an empty instance of Notepad and save the file as ‘certificate.crt'.

Validate the pending request

Now that we have a valid certificate all that's left to do is complete the pending certificate request via the IIS manager and then enable SSL on the default Web site.

  1. Open up the IIS manager and then open the properties page for your Default Web Site.
  2. Browse to the Directory Security tab and click on Server Certificate...
  3. Choose to Process the pending request and install the certificate. Click on Next.
  4. Browse to the ‘certificate.crt' saved in the last section. Select it and click on Next.
  5. Check that the default SSL port is 443 and click on Next.
  6. Take a look at the Certificate Summary, and if you're happy that it all looks okay, click on Next and finally Finish.

The certificate has now been applied to the Default Web Site of your OWA server.

Require SSL on Default Website

Telling IIS to require SSL encryption couldn't be easier.

  1. Open the properties page for your Default Web Site from IIS manager on the OWA server.
  2. Select the Directory Security tab.
  3. Click on Edit... under the Secure Communications section (in the bottom third of the properties page).
  4. Tick the top two checkboxes: Require secure channel (SSL) and Require 128-bit encryption.
  5. Click on OK and then again to close the IIS properties window.

That's it. You should now have SSL encryption of OWA up and running. Test it by browsing to (in my case, your URL may be different depending on the FQDN you have chosen).

If you receive a certificate warning, then it's likely that you didn't correctly import the StartCom root and intermediary authorities correctly on the OWA server or the client machine. Start by re-running the StartCom Import Wizard on each (or just the OWA server if you're accessing it from itself); if that doesn't help or fails, then take a look at the certificates and try to import them manually.

While the StartCom CA isn't fully recognised by Microsoft (yet) I feel it's better than using my own CA for certificate generation. The fact that many of the leading Web browsers are recognising StartCom as a valid root CA gives me confidence in their credibility and commitment to security. Just because a StartCom certificate is free, it does not mean that they hand them out willy-nilly -- my certificate request was actually frozen, and I was contacted by a StartCom employee to verify my identity and reason for requesting a certificate. I was quite impressed by the speed of this process; the e-mail I received said I would be contacted within six hours but I received contact and had my certificate ready within 30 minutes.