Create a new Exchange certificate on Exchange 2013
Let's take a look at how to create a certificate request, or CSR, using the Exchange 2013 EAC (Exchange Administration Center). Everything in this article can also be done from the Exchange Management Shell; I just prefer the EAC for a GUI-based walkthrough with each option visible.
1. In the EAC, click the Servers page, then Certificates. You will see the server name and the default certificate, a self-signed certificate assigned to the IMAP, POP, IIS and SMTP services.
2. Assuming you want a certificate from a third-party provider such as GoDaddy, VeriSign or DigiCert, you need to create a CSR (Certificate Signing Request). The CSR encodes the details specific to your company and domain (the subject name, the subject alternative names and your public key; the private key is generated on the Exchange server and never leaves it). Once you have the CSR, submit it to the certificate provider. Read more about CSRs here: http://en.wikipedia.org/wiki/Certificate_signing_request
3. In the next window, type a friendly name for the certificate:
4. I don't want the wildcard certificate option, so I'll bypass it and go to the next window. Select the server that will store the certificate request and its private key.
5. In the next screen, type every host name you want in the certificate. I personally don't include server FQDNs in my certificate, because a hardware load balancer services my internal as well as my external users, so clients should only ever connect to the load-balanced names.
6. The next screen lists the names required in the certificate; review it and click Next. I have owa, legacy, email, mobile, autodiscover, imap and pop under my domain. All these names point to the hardware load balancer, which in turn points to the Exchange 2013 CAS servers.
legacy.msexchangeguru.com will point to Exchange 2007 (Exchange 2013 redirects OWA users with 2007 mailboxes to that namespace).
Exchange 2013 proxies client requests to Exchange 2010 itself, so a legacy namespace is only needed for Exchange 2007 coexistence.
7. The next window asks for details about your organization. The screenshot is only an example.
The Organization Name is your full legal company or personal name, as registered.
The Organizational Unit or department name is the department or branch ordering the certificate, such as Information Technology or Marketing.
The Country is the two-letter ISO country code (the EAC offers a drop-down list).
State/Province and City/Locality are full names, e.g. New York, Massachusetts.
The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the SSL certificate. With a SAN certificate it should be one of the names you listed in step 6, because many clients only match against the Subject Alternative Names once they are present.
8. Now specify where to store the CSR. The EAC expects a UNC path (\\server\share\name.req), so the share must exist and be writable by the Exchange server.
9. If you open the CSR in Notepad it looks like a Base64 block between BEGIN and END certificate request lines. Do NOT edit this file in a text editor: the body is a signed PKCS#10 structure, and any change will cause the CA to reject it.
10. Now contact your certificate vendor, present them with the CSR, and get back a certificate in CER format.
11. Once you have the certificate, navigate back to the EAC Certificates section. The status will now be Pending request. Click Complete.
12. Browse to the location of the CER file (again a UNC path).
13. Once the certificate is located, the status changes to "Valid". Note that I used a Windows certification authority to issue my certificate.
If you want to learn how to submit a CSR to a Windows certification authority and then issue a certificate, refer to the section "How to Create a new Certificate using a Windows certification authority" in the article:
Install SSL certificate on EDGE Transport server role for TLS: https://msexchangeguru.com/2012/07/24/edge-server-tls/
14. As you may have noticed, the new certificate does not have any services assigned to it. Double-click the certificate name, assign services to it and click Save.
15. Finally, the certificate will look like this
Now click the Details tab and ensure all the Subject Alternative Names are present:
Finally click Certification Path and ensure the certificate chains to a trusted root on the machine. If it is not trusted (usually because the issuing CA's root or intermediate certificate is missing from the local store), you will run into issues later. To resolve that, refer to the article:
Install SSL certificate on EDGE Transport server role for TLS: https://msexchangeguru.com/2012/07/24/edge-server-tls/
Also, look at the EAC and ensure all services are assigned to the certificate.
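The whole procedure above (steps 4 to 15, plus the SAN and trust checks) as an Exchange Management Shell script, added here as an example and not taken from the original post. The server name, UNC share, organization details and namespace list are assumptions for illustration; substitute your own. It also does the check step 5 implies: every host name the server's virtual directories tell clients to use must be in the request, or clients will get certificate warnings later.

```powershell
# Added example (not from the original article): CSR, completion, service assignment
# and verification with the Exchange Management Shell. Run it on $server so the local
# certificate store checks apply to the right machine. All names below are assumptions.
$server  = "E2013CAS1"                                  # hypothetical Exchange 2013 CAS
$csrPath = "\\E2013CAS1\CertReq\msexchangeguru.req"     # UNC path, as the EAC also requires
$cerPath = "\\E2013CAS1\CertReq\msexchangeguru.cer"     # certificate returned by the CA

# Load-balanced namespaces only, no server FQDNs (see step 5).
$sans = @("owa.msexchangeguru.com", "legacy.msexchangeguru.com", "email.msexchangeguru.com",
          "mobile.msexchangeguru.com", "autodiscover.msexchangeguru.com",
          "imap.msexchangeguru.com", "pop.msexchangeguru.com")

# --- Before requesting: every host name clients are told to use must be in $sans.
$configured = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $server) + @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server) + @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) { if ($u) { $configured += $u.Host } }
}
$configured += (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri.Host
$oa = Get-OutlookAnywhere -Server $server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) { if ($h) { $configured += "$h" } }
$notInCert = $configured | Sort-Object -Unique | Where-Object { $sans -notcontains $_ }
if ($notInCert) { Write-Warning "Configured but not in the request: $($notInCert -join ', ')" }

# --- Steps 4-8: generate the PKCS#10 request. The private key is created on $server and
# never leaves it; only the signed request (public key + names) goes to the CA.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName "MSExchangeGuru SAN certificate" `
    -SubjectName "C=US,S=New York,L=New York,O=MSExchangeGuru,OU=IT,CN=owa.msexchangeguru.com" `
    -DomainName $sans -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $csrPath -Value $csr -Encoding ASCII   # submit this file to the CA; do not edit it

# --- Steps 11-13: complete the pending request with the CER the CA returned.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

# --- Step 14: assign services. Enabling SMTP prompts before replacing the default SMTP cert.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP,IMAP,POP

# --- Step 15: verify status, services, SAN coverage and chain trust on this machine.
$c = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$domains = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = $sans | Where-Object { $domains -notcontains $_ }
if ($missing) { Write-Warning "Requested names missing from the issued cert: $($missing -join ', ')" }
if ($c.Status -ne "Valid") { Write-Warning "Certificate status is $($c.Status), not Valid" }
# Chain check against the local machine store; a failure here usually means the issuing
# CA's intermediate certificate is not installed on this server.
$x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $x509.Verify()) { Write-Warning "Chain does not validate on $env:COMPUTERNAME" }
$c | Format-List Status, Services, CertificateDomains, NotAfter, Issuer
```

Run the first part (up to the CSR) on its own first; fix any name it reports as configured but not requested, then generate the request. The import and enable steps run once the CA has returned the CER, and the final block is the shell equivalent of the Details and Certification Path tabs from step 15.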
CSR generation has never been this easy. Please post your feedback in the comments section.
Ratish Nair
MVP Exchange
Team@ MSExchangeGuru
Keywords: Create a new Exchange certificate, How to create a certificate in Exchange 2013, Microsoft Exchange server 2013 certificates, Microsoft Exchange server 2013 certificate generation.
March 12th, 2013 at 6:41 am
What is best practice with Exchange 2013 certificates?
Are they the same as in Exchange 2010? http://technet.microsoft.com/en-us/library/dd351044(v=exchg.141).aspx
May 5th, 2013 at 7:28 pm
Hi,
In case I use Exchange 2013 for intranet users, I leave Outlook Anywhere blank and the certificate points to the FQDN of Exchange 2013?
Is that right?
June 1st, 2013 at 6:59 pm
[…] Create a new Exchange certificate on Exchange 2013: https://msexchangeguru.com/2013/01/18/e2013-certificate/ […]
July 25th, 2013 at 8:24 am
Prabhat, Ratish,
Does the “Legacy” name have to appear in the SAN cert used on the 2007 CAS servers, do I need to request a new cert for these ?
Thanks
Declan
October 12th, 2013 at 5:16 pm
[…] the final item is the add your certificate to exchange and that’s it. That is outside the scope of this article but there are many exchange gurus that you can look at for that item. I included an example form the MSExchangeGuru.com […]
June 9th, 2014 at 4:10 am
Many thanks to you sir.
This helped me soo much
March 14th, 2015 at 10:51 am
Thanks For sharing… very useful
December 20th, 2015 at 2:56 am
What if we have a hardware load balancer in place? Do we need to create the CSR request from the server and complete it from, e.g., GoDaddy, and then import it into the HLB only, or both?
January 4th, 2016 at 8:26 pm
Import to both HLB and Exchange. The rest remains the same.