When you are configuring SSL certificates for Exchange Server 2013 you may choose to issue the certificates from a private certificate authority rather than a commercial CA.
This is a common approach for non-production systems or those that will not be internet-facing and so will only receive connections from domain-joined clients that already trust the private CA.
The first step is to generate the certificate request for the Exchange 2013 server.
When you have the certificate request file ready open a web browser and navigate to the web enrolment page for the private CA. Click on Request a Certificate.
Choose to submit an advanced certificate request.
Choose the second option, to submit a certificate request using a file.
Open your certificate request file in Notepad and copy the contents into the form, then change the certificate type to Web Server.
Click Submit when you are ready and the CA will begin processing the request. When it is complete you can click the link to download the certificate to your computer.
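The same submission can be done without the web enrolment page, which is useful when the form returns blank (a problem raised in the comments below) or when the CA has no web server role. The following PowerShell is an added example, not code from the article: it submits the Exchange CSR to the CA with `certreq` against the same Web Server template, then inspects the issued certificate before it is handed to Exchange. The file paths and the CA config string are placeholders you must replace.

```powershell
# Added example (not from the article): submit an Exchange 2013 CSR to an
# internal AD CS CA with certreq rather than the /certsrv web page, then
# review what was issued before importing it into Exchange.
# Assumptions: the paths and the CA config string below are placeholders.
$RequestFile = 'C:\Certs\exchange2013.req'              # CSR exported from Exchange
$CertFile    = 'C:\Certs\exchange2013.cer'              # where the issued certificate lands
$CAConfig    = 'ca01.corp.example.com\Corp Issuing CA'  # "<host>\<CA name>", placeholder

# -config names the CA explicitly (no CA picker dialog); -attrib selects the
# template, which is what the web page's "Certificate Template" drop-down does.
$output = & certreq.exe -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $RequestFile $CertFile 2>&1
Write-Host ($output -join "`n")

# A CA that requires manager approval leaves the request pending. Note the
# RequestId printed above; the certificate is collected later with:
#   certreq -retrieve -config $CAConfig <RequestId> $CertFile
if (($output -join ' ') -match 'pending' -or -not (Test-Path $CertFile)) {
    Write-Warning 'Certificate not issued yet; approve the request on the CA and retrieve it.'
    return
}

# Review the issued certificate. The Subject Alternative Name list is what
# Outlook, OWA and ActiveSync clients match against, so every namespace
# Exchange uses must appear in it, and the issuer must be your private CA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SAN        = if ($sanExt) { $sanExt.Format($true) } else { '(none - clients will not match the server name)' }
}
```

Run it on the Exchange server as an administrator so the issued certificate pairs with the private key created when the request was generated; the thumbprint printed at the end is the one you will later enable for Exchange services.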
The next steps in the process of configuring SSL certificates for Exchange 2013 are:
what happens to OWA users if we use private CAs?
or smartphone users when they check their emails?
Paul, I do not have a selection for submit an advanced certificate request. The option is missing. I keep reading that it must be enabled. But how is it enabled?
Pingback: Avoiding Server Names in SSL Certificates for Exchange Server 2013
Hi Paul,
I was able to fix the problem stated earlier where the certificate download page was not appearing; instead the same request page with blank text boxes was coming up. I googled, found a workaround and did this:
certreq -submit -attrib "CertificateTemplate:WebServer" c:\certreqfile.req
A prompt appeared to select the CA server; I selected the normal one without the Kerberos option and the certificate was issued.
Regards,
Salman
Hi Paul,
I have installed a test domain adatum.com. When I'm trying to generate the certificate using the above procedure, with the code copied and the certificate template selected as WebServer, I press the submit button, but the download certificate page does not come up; rather, the same page returns with empty text boxes.
Can you please help me out with this. The CA was installed properly and the steps to request a certreq.req were also followed properly using your earlier post: https://www.practical365.com/create-ssl-certificate-request-exchange-2013/
Regards,
Salman
Thanks for your post, Very useful. I’m about to install Exchange 2013. Concerned however that using our internal domain CA, Outlook will give untrusted Certificate errors even to internal clients on our own LAN, due to the fact that Exchange 2013 uses “Outlook Anywhere”. I can cope with a few external users OWA, but to have to manually install certificates on each and every internal Outlook client will be a pain!
You want the clients to trust the CA. An enterprise CA should be trusted already by domain members. If you’re deploying a standalone CA you can deploy the root certificate to the trusted store of your domain-joined clients via Group Policy.
Using an internal CA is not really the best option. I do it for test lab scenarios but for production I always use a public CA. The certificate only costs a few hundred dollars per year.
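Whether a client will show the trust warning the commenter is worried about is decided on the client, not the server. The following PowerShell is an added example (not from the article or the comments): run from a domain-joined workstation, it opens a TLS connection to the Exchange namespace, builds the certificate chain with the local machine's trust stores exactly as Outlook or a browser would, and reports any chain problem and whether the requested host name appears in the certificate. The host name is a placeholder.

```powershell
# Added example (not from the article): from a client, check whether the
# certificate an Exchange 2013 server presents chains to a root this machine
# trusts and whether the name being connected to is covered by it.
# Assumption: 'mail.corp.example.com' is a placeholder for your Exchange namespace.
function Test-ExchangeTlsTrust {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the handshake unconditionally so the server certificate can be
        # retrieved; the real trust decision is made explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Build the chain with the machine's Trusted Root / Intermediate stores.
    # Revocation is skipped here so a lab CA without a reachable CRL still
    # gives a clear answer about trust; re-enable it for a production check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($remote)
    $problems = $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }

    # Name check: the host name must appear in the Subject Alternative Name.
    $sanExt  = $remote.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $nameOk  = $sanText -match [regex]::Escape($HostName)

    [pscustomobject]@{
        HostName      = $HostName
        Subject       = $remote.Subject
        Issuer        = $remote.Issuer
        RootTrusted   = $chainOk
        NameMatches   = $nameOk
        ChainProblems = $problems -join '; '
    }
}

Test-ExchangeTlsTrust -HostName 'mail.corp.example.com'
```

A result of `RootTrusted = False` with a chain problem of `UntrustedRoot` is the case Paul describes: the CA's root certificate is not in the client's Trusted Root store. For a standalone CA that is corrected by publishing the root to domain members, for example by pushing the exported root certificate through Group Policy (Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities) or with `certutil -dspublish -f root.cer RootCA` on a domain member with the right permissions; `NameMatches = False` means the SAN list in the request was incomplete.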
Hi Paul,
I have generated the certificate request for the Exchange 2013 server, but I chose all the domains in the selection. I have also installed the Cert Service on the same server. Now when I refresh, the ECP cannot start at all. The error message shows that the server uses an invalid security certificate: the certificate is not trusted because it is self-signed. What should I do now?
Appreciate your help.
Sincerely,
Patrick
Installing certificate services on the Exchange server is a bad idea. I recommend you remove it.
Other than that, you say you’ve generated the CSR but that is not the end of the process. There are further steps linked at the end of the article.
Hi Paul,
Can you tell me how to submit the request to the CA server when it does not have a web server on it?
Or where to start looking for the how to do this.
I think the CA is 2003 but is now on a 2008 R2 server that is on a DC.
Hi, Paul, thanks for this post.
Can I install Certificate Services on Windows Server 2012 on the same computer where I have installed Exchange 2013?
No I do not recommend doing that.
Thank you, very helpful!
Russia. Moscow.
Hi Paul,
When I open the certificate page:
https://localhost/certsrv
the screen displays the following error:
======
HTTP Error 404.0 – Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
Requested URL: https://servername:443/certsrv
Physical Path: C:\inetpub\wwwroot\certsrv
Logon Method: Anonymous
Logon User: Anonymous
======
Could you please arrange your time to take a look at my problem and show me how to fix it?
Besides, I also created a folder "certsrv" in C:\inetpub\wwwroot, but I still cannot access the certificate page.
That indicates to me that you have not installed the web enrollment feature when you set up your CA.
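The 404 in that error detail (handler StaticFile, physical path under wwwroot) is the signature of IIS serving a plain folder rather than the enrolment application, so an empty `certsrv` directory cannot fix it. The following PowerShell is an added example, not from the article or the reply: run elevated on the CA server, it reports whether the web enrolment role service and its IIS application are present and, if the role service is missing, installs and configures it against the local CA.

```powershell
# Added example (not from the article): on the CA server, confirm whether the
# AD CS Web Enrollment role service and its IIS application exist. Their
# absence is what produces a StaticFile 404 for /certsrv. Run elevated.
Import-Module ServerManager
Import-Module WebAdministration

$feature = Get-WindowsFeature -Name ADCS-Web-Enrollment
# The role service registers an IIS application named CertSrv under the
# Default Web Site; a hand-made folder in wwwroot has no handler behind it.
$app = Get-WebApplication -Site 'Default Web Site' -Name 'CertSrv' -ErrorAction SilentlyContinue

"ADCS-Web-Enrollment role service installed : $($feature.Installed)"
"IIS application /CertSrv present            : $([bool]$app)"

if (-not $feature.Installed) {
    # Install the role service, then bind it to the CA on this server.
    Install-WindowsFeature -Name ADCS-Web-Enrollment
    Import-Module ADCSDeployment
    Install-AdcsWebEnrollment -Force
    "Web enrolment installed; browse to https://$env:COMPUTERNAME/certsrv to verify."
} elseif (-not $app) {
    # Role service present but the IIS application is gone: re-run the
    # configuration step to recreate it.
    Import-Module ADCSDeployment
    Install-AdcsWebEnrollment -Force
}
```

After the role service is configured, the enrolment page is only reachable over HTTPS with a server certificate bound in IIS, which is a separate step from the CA install itself.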
Pingback: Installing SSL Certificates for Exchange 2013 | Bestemailserver.net