After an SSL certificate has been installed on an Exchange Server 2010 server you can assign different Exchange services to use that certificate.

To assign a service to a certificate launch the Exchange Management Console.  Navigate to Server Management, and select the server that has the certificate installed.

If you encounter an error message of “The certificate is invalid for exchange server usage” see this article for the solution.

Right-click the certificate you wish to assign and choose Assign Services to Certificate.

How to Assign an SSL Certificate to Exchange Server 2010 Services

Click Next to continue the wizard.

How to Assign an SSL Certificate to Exchange Server 2010 Services

Choose the services you wish to assign to the certificate.  In this example I am choosing IIS so that the certificate can be used for OWA, ActiveSync, etc.

How to Assign an SSL Certificate to Exchange Server 2010 Services

Click Assign to execute the change.

How to Assign an SSL Certificate to Exchange Server 2010 Services

When the task has completed successfully click Finish to close the wizard.

How to Assign an SSL Certificate to Exchange Server 2010 Services

The certificate will now appear with the chosen services assigned to it.

How to Assign an SSL Certificate to Exchange Server 2010 Services

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Kyle R

    Hi Paul,

    I’ve found our exchange 2010 environment has 5 different certs with the SMTP service assigned. Does a specific cert get bound to a specific SMTP relay and is there any way to view that config? Is it similar to how a specific cert gets bound to IIS which i can see in IIS manager>>default web site>>edit bindings and verify which cert is being used?

    I’m struggling to understand if i can remove 4 of the certs with SMTP assigned and leave just one cert assigned to SMTP, as well as struggling how to tell if some service is currently bound to one of the certs, and if multiple services may be each bound to a different cert (i’m not even sure if that’s possible but all my searching so far has not given me any help)

    Thanks for any insight
    Kyle

  2. phil

    I added to publicly signed cert to the exchange management console. However owa is still using the old cert. I’ve gone through the process of assigning the IIS service to the new cert with the exchange management console.
    Within mmc certificate the new cert doesn’t have secure email or code signing, the old cert did.
    Anything else I need to do to get owa to use the new cert? Exchange 2010.

  3. Darin

    Hi Paul,

    Our Exchange 2010 servers have two certs installed. The services are identical on each cert. One reflects our old domain name (we’ll call that one Cert1.olddomain.edu). The other reflects our new domain name (we’ll call that one Cert2.newdomain.edu). Cert1 will be expiring next month. When I open OWA, it shows it is using the new cert (Cert2). When I check the connections in the Outlook client, they all show the old cert (Cert1). The reason for acquiring the new cert was a new domain name. For whatever reason, the old cert was never removed. When Cert1 (old domain) expires, are we going to have any problems? I should also add that the FQDN of our Exchange servers still end in the old domain name but will be changed soon.

    1. Avatar photo
      Paul Cunningham

      Exchange allows one certificate to be bound to IIS/HTTPS.

      Do you have multiple IIS websites on the servers? Perhaps to host an additional OWA virtual directory for the new domain name?

  4. Sarfraz Aslam

    Hi Paul,
    I don’t know if it is relevant, I have SSL self signed certificate vulnerability highlighted by our security dept on Exchange 2010 mailbox role servers.
    Please guide if it is safe to remove the self signed certs from IIS or should i have to get SSL from internal CA?
    Regards,

      1. Sarfraz Aslam

        I am not sure,

        but in report the devised solution is;

        “Replace TLS/SSL self-signed certificate
        Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server”

        This vulnerability is only highlighted in my Mailbox Servers.
        What are the roles of this self signed certs, what would be the impact if i delete from IIS?

        Regards,

        1. Avatar photo
          Paul Cunningham

          That’s not a very good reason. The self-signed cert on a Mailbox server is not a security vulnerability. It’s perfectly normal for the Mailbox server role to have a self-signed cert, which is used for internal and server-to-server stuff.

          Only the client-facing (front end) services on the Client Access role benefit from a separate certificate that has the CAS namespaces on it and is from a trusted CA.

          If you remove it in IIS you’ll break the server, so don’t do that.

          1. Sarfraz Aslam

            Thank you very much Paul for the clarification.
            It is very clear to me. Let me convince the auditor team. 🙂

            Regards,

  5. Ramandeep

    Do I need to resart any services after enabling an exchange certificate for services like IIS, SMTP?

    or does it automatically do it

    1. Avatar photo
      Paul Cunningham

      No restart required. You can test it yourself, after changing the cert open a fresh browser window and connect to OWA and look at the certificate that the browser sees.

  6. Anthony

    Hi Paul,

    Wondering if you could help.

    I have an exchange 2010 DAG environment that I took over administration for. There were self signed certs expiring for the two servers that each have the Hub Transport and Client Access roles. I renewed those certs and restarted the transport services. Everything is good.

    Now I have two servers each with mailbox server roles with self signed certs expiring next week. Is the procedure to renew these any different, do I have to restart any exchange services afterwards?

  7. Dennis

    Paul, I have two certs on my two Exchange boxes, holding all roles in a DAG. One is a wildcard *.domain.com, the other is mail.domain,com. Both certs are from an external CA. The wildcard has IIS and SMTP assigned, mail.domain.com POP, IMAP and SMTP. Both POP and IMAP are disabled services. The mail.domain.com cert is about to expire. Is it safe for me to simply remove the cert without causing any issues?

    1. Avatar photo
      Paul Cunningham

      I would export it with the private key first, just in case you need to re-import it if something goes wrong. But yes, certs that are expired or aren’t being used can be removed.

  8. Fidel

    Hey Paul,
    Good article. Question for you – after installing a certificate from our internal CA, I cannot assign services in EMC. The certificate installs, however the “Assign…” link is missing.

    However, I was able to assign services using EMS:
    Enable-exchangecertificate -server ‘someCASserver’ -services ‘imap, pop, iis, smtp’ -thumbprint ‘
    somethumbprint’

    Has anyone ever encountered this?

    Thanks.

    1. Avatar photo
      Paul Cunningham

      That is normal if the server can’t verify the certificate’s validity for some reason. The workaround is to assign via the shell as you’ve done.

      1. Fidel

        Thanks for the peace of mind Paul. I’ll add that to our documentation!

  9. Muhammad

    Hi Paul,

    When i run test-outlookwebservices it get error message when connecting to mail.mycompany.com/ews/exchange..asmx (outside address) received error a state connection failed because the connected party did not respond on time then it shows my external ip address:443 please advise i am using wild card and my firewall has https and http open for cas

  10. Anant

    I have already assigned iis service to third party certificate.

    now i need to assing the iis service to other third party certificate.

    how can i change the service binding to other certificate.

  11. L Aulakh

    I Installed Exchange server 2010 as a coexistence with exchange server 2003 in 2003 domain functional level. with 2003 global catalogue server.
    I run the commands to prepare legacy exchange permissions and prepare AD.
    Installation was fine. i also replicated public folders from 2003 to 2010 and i also moved the 10 mailboxes from 2003 to 2010.
    Active sync and OWA is working fine. I installed all Roles Mailbox,CAS,Hub Transport on One server and after the installation exchange installed a self signed certificate which it does when we install a CAS server.
    I also purchased a SAN certificate from Go Daddy
    I installed the Go daddy certificate and it works fine.
    I assigned the IIS,SMTP,IMAP,POP3 services to Go daddy certificate but if i look in EMC or Get-exchange certificate in shell it shows IMAP,SMTP,POP are also assigned to Exchange self signed certificate. Should i remove the exchange self signed certificate or left it there as it is.?
    i also created a Srv record in DNS for autodiscover pointing to cas Array.
    The issue that i am getting is some users that i moved to exchange 2010 are reporting that they are sometimes receiving pop up error message when they open outlook .

    First error. Allow this website to configure user@domain.com server settings. your account has redirected to this website for settings. this error is random not continuos and sometimes the users who are still on exchange 2003 sometimes gets this error. Whenever i create a new outlook profile for user either on exchange 2003 , I receive this pop up error.

    Second Error . Its a certificate error and the information on that error is.
    1. Security certificate is from trusted Authority.
    2. Certificate Date is valid.
    3. The name on the Security certificate is invalid or does not match the name of the site. Do you want to proceed . Yes or NO.

    FYI.
    I have added 5 alternate names on the SAN certificate from go daddy.
    One of them is server.domain.com
    I created a cas array with name outlook.domain.com and this name is also on certificate. I added exchange server to this cas array.
    If i click control and right click on outlook icon in taskbar and then test connection it shows that the outlook is connected to cas Array that i connected.
    I dont know whats wrong here. why users are receiving certificate error and not everyday its random. if i look into the certificate error it shows the word Common name, May be you know .

  12. Andy Dobbs

    Do we need to restart IIS after the service has been assigned to a certificate for owa, Activesynch etc?
    What is the syntax of the entry into a mobile device to attach via activesynch?

  13. Brian B

    Hi Paul first let me say great website and Book. I have an issue possibly in regards to this issue. I have inhereted a position where my first project is to complete the 2010 migration from a mixed exchange environemnt. Here is my issue. I am recieving the error message “Security Alert [CAS-SVR2007.domain.com] The name on the security certificate is invalid or does not match the name of the site” The user in question is a user recently migrated to 2010 mailbox data base. I’m not sure why its looking at the 2007 CAS server when the mail box has been migrated to 2010.

    old system: 2003 backend –> CAS-SVR2007 Frontend. New System: EX0A-EX0B (DAG configured), EX0B CAS 2010. SAN ctertificate is configured for new exchange system

    1. Avatar photo
      Paul Cunningham

      Hi Brian, if you’ve got both Ex2007 and Ex2010 CAS in the same AD Site then Outlook 2007/2010 clients can and will connect to either one for various web services (eg Autodiscover, Availability) under different scenarios.

      Putting a trusted cert on the CAS would be the simplest fix. If you have an internal CA you can just issue the cert from there.

      1. Andy Dobbs

        Do we need to restart IIS after the service has been assigned to a certificate for owa, Activesynch etc?
        What is the syntax of the entry into a mobile device to attach via activesynch?

Leave a Reply