XADM: Setting Up X509v3 Certificates on Exchange 5.5 SP1 KMS with Local Certificate Server

Article translations Article translations
Article ID: 192044 - View products that this article applies to.
This article was previously published under Q192044
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SUMMARY

This article details how to set up X.509 V3 certificate support on an Exchange Server 5.5 Service Pack 1 (SP1) Key Management Server (KMS) computer that also has Microsoft Certificate Server installed.

Before you proceed with the KMS Setup, consult the following Microsoft Knowledge Base article, which details how to properly update Certificate Server to version 5.00.1671.200.
184695 : Readme Notes for Certificate Server Update

The updated files can be obtained from the following location:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/certserv/
NOTE: It is important that the Microsoft Exchange Service account has at least READ-ONLY privileges on the shared CERT directory of the Microsoft Certificate server computer.

If the KMS is not installed, please consult the README file on the Exchange Server 5.5 SP1 installation disk on how to install the service.

NOTE: Once the KMS is installed, you will need to reapply SP1 for Exchange Server 5.5 or you may experience problems gaining access to some of the CA Object's property pages, specifically the "Certificate Trust List".

MORE INFORMATION

To enable X.509 V3 certificates on the Exchange Server 5.5 Service Pack 1 KMS, perform the following steps:

  1. The Expolicy.dll file must first be registered to the Certificate Server computer. This file in located on the Exchange Server 5.5 SP1 installation disk in the following location:
    Server\Support\Kms\Expolicy\<Cputype>
    To register this file, go to an MS-DOS command prompt, change to the above directory, and then type the following:
    REGSVR32 EXPOLICY.DLL
  2. After the notification that the DLL is registered is displayed, type the following from a command prompt:
    NET STOP CERTSVC
  3. After the service is stopped, type the following at a command prompt to restart the Certificate server:
    NET START CERTSVC
  4. Open the Microsoft Exchange Server Administrator program. Go to the Site Configuration container, and select properties for the CA object. Click on the Enrollment tab.
  5. In the Microsoft Exchange 4.0/5.0 compatibility section, there are three choices. By default, the "Issue X.509 V1 certificates only" check box is selected. Select either of the remaining options to issue X.509 V3 certificates (either "Issue both V1 and V3 certificates" or "Issue X.509 V3 certificates only").

    A dialog box will then prompt you to select the Certificate Authority. Verify that the local Certificate Server computer is selected and continue. The Exchange Server KMS computer will now be properly configured to use the locally installed Certificate Server.
For more information on how to implement KMS in an Exchange Server organization, consult the Exchange Server 5.5 README file.

Properties

Article ID: 192044 - Last Review: October 10, 2013 - Revision: 3.3
APPLIES TO
  • Microsoft Exchange Server 5.5 Standard Edition
  • Microsoft Exchange Server 5.5 Service Pack 1
Keywords: 
kbnosurvey kbarchive kbhowto KB192044

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com