Exchange UM & Required Certificate (19-Nov-08)

Why does Exchange UM need a certificate?

Voice messages are stored on the Exchange UM Server. The Exchange UM Server uses the Exchange Hub Transport (HT) server to deliver those voice messages to the respective Exchange-enabled users. The Exchange UM Server must have a certificate configured on it before it can connect to the Exchange HT Server.

Log in to the Exchange UM Server, then create and install a certificate on it.

Follow these steps to create a certificate request and install the certificate:
- Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK.
- Under Select a task, click Request a Certificate.
- Under Request a Certificate, click Advanced certificate request.
- Under Advanced Certificate Request, click Create and submit a request to this CA.
- Under Advanced Certificate Request, select Web server or another server certificate template configured for server authentication.
- Under Identifying Information for Offline Template, in the Name box, type the FQDN of the Exchange UM Server. You must enter the FQDN of the Exchange UM Server for communications to work.
- Under Key Options, click the Store certificate in the local computer certificate store checkbox.
- Click the Submit button at the bottom of the Web page.
- A dialog box will open asking for confirmation. Click Yes to continue to the Certificate Issued page.
- Under Certificate Issued, click Install this certificate.
- A dialog box will open asking for confirmation. Click Yes.
- Verify that the page says "Your new certificate has been successfully installed."
- Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA). If your CA is configured for automatic approval, proceed to the next procedure. If your CA requires CA administrator approval to issue a certificate, the administrator must manually approve or deny the certificate issuance request on the issuing CA before you can assign it.

Note: You can also get the certificate from a public CA if you don't have an internal CA. Ensure that the subject name of the certificate is the same as the FQDN of the Exchange UM Server.

Follow these steps to assign the certificate:
- Open the MMC console.
- In the console tree, expand Personal and then click Certificates.
- In the details pane, verify that the personal certificate is displayed.
- Double-click the certificate to read its details and ensure it is valid. It may take a few minutes before the certificate displays as valid.
- Restart the Microsoft Exchange Unified Messaging service. Exchange UM will automatically retrieve the correct certificate.
- Open Event Viewer and look for Event ID 1112. This event will specify what certificate Exchange UM has retrieved.

Follow these steps to check the configured certificate:
- Open the following location: C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging
- Locate the file UMServiceCertificate.cer and open it. It shows the details of the certificate that is currently in use on the Exchange UM Server.
- If you have the right certificate in use, Exchange UM will report the following event:

Event Type: Information
Event Source: MSExchange Unified Messaging
Event Category: UMService
Event ID: 1112
Date: 11/18/2008
Time: 10:50:22 AM
User: N/A
Computer: OCSSE-DC
Description:
The Microsoft Exchange Unified Messaging service will attempt to use a certificate with the following details: IssuerName = "CN=ocsCA, DC=OCSDom, DC=local", SerialNumber = "26BD7D50000000000007", Thumbprint = "C719AD4793308664CD787DD8029E61F9B56E91B8", IsSelfSigned = "False", NotValidAfter = "7/18/2010 8:44:50 PM". The path to this certificate is "C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging\UMServiceCertificate.cer".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

How does the UM Server pick the certificate:
“UM has its own logic to pick the cert it uses. It prefers the latest certificate issued by CA. If you create a new internal CA cert with FQDN of the UM server, UM will pick that over any other cert currently installed.”
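
The manual checks above (certificate file, validity, certificate store, Event ID 1112) and the selection behaviour just described can be gathered into one PowerShell script. This is an added example, not part of the original post; it assumes it runs on the UM server itself, that the server's DNS host name is the FQDN used in the certificate, and that Event ID 1112 is written to the Application log.

```powershell
# Added example, not from the original post. Run on the Exchange UM server.
# Path as quoted in Event ID 1112 above; adjust if Exchange is installed elsewhere.
$cerPath = 'C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging\UMServiceCertificate.cer'
# Assumption: the local DNS host name is the FQDN used for the UM certificate.
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

$inUse = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$cn    = $inUse.GetNameInfo('SimpleName', $false)   # CN of the subject
$now   = Get-Date

# Enhanced Key Usage extension (OID 2.5.29.37); Server Authentication is 1.3.6.1.5.5.7.3.1.
# A certificate with no EKU extension is not restricted to specific purposes.
$eku = $inUse.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$serverAuth = (-not $eku) -or
    (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0)

# The .cer file holds only the public part; the private key must be in LocalMachine\My.
$store   = @(Get-ChildItem Cert:\LocalMachine\My)
$inStore = $store | Where-Object { $_.Thumbprint -eq $inUse.Thumbprint } | Select-Object -First 1

# The post says UM prefers the latest certificate issued for its FQDN.
$newest = $store | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $fqdn } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

# Most recent Event ID 1112 (assumption: it is written to the Application log).
$evt = Get-EventLog -LogName Application -Newest 5000 |
    Where-Object { $_.Source -eq 'MSExchange Unified Messaging' -and $_.EventID -eq 1112 } |
    Select-Object -First 1

$checks = @(
    @('Subject name equals server FQDN',        ($cn -eq $fqdn)),
    @('Within validity period',                 ($inUse.NotBefore -le $now -and $now -le $inUse.NotAfter)),
    @('Usable for Server Authentication',       $serverAuth),
    @('Present in LocalMachine\My with key',    ($inStore -and $inStore.HasPrivateKey)),
    @('Newest certificate issued to this FQDN', ($newest -and $newest.Thumbprint -eq $inUse.Thumbprint)),
    @('Thumbprint appears in Event ID 1112',    ($evt -and $evt.Message -match $inUse.Thumbprint))
)
foreach ($c in $checks) { '{0,-42} {1}' -f $c[0], $(if ($c[1]) { 'OK' } else { 'CHECK' }) }
'In use: {0}  Thumbprint {1}  NotAfter {2}' -f $inUse.Subject, $inUse.Thumbprint, $inUse.NotAfter
```

A line marked CHECK points at the step to revisit: a subject name mismatch means the request was not made with the UM server's FQDN, and a thumbprint that is not the newest for that FQDN means the service has not been restarted since a later certificate was installed.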

Related Links:
- Configure Exchange UM to Work with Communications Server
- How to Test TLS Functionality by Using the Unified Messaging Test Phone
Copyright, OCSpedia.com. Microsoft, MS-DOS, Windows, Windows 2000, Windows XP,
Windows Server 2003, Windows NT, Windows 98, Windows 95 are either registered trademarks
or trademarks of Microsoft Corporation in the U.S.A. and other countries. All other
names are registered trademarks of their respective companies. Should we run
afoul of any right, it is totally unintentional. Send us an e-mail and we will promptly
and gladly rectify it. All external sites will open in a new browser. Ocspedia.com
does not endorse external sites and is not responsible for their content. For broken
links, site problems or any feedback, please write to uc@ocspedia.com