When you are configuring SSL certificates for Exchange Server 2013 you may choose to issue the certificates from a private certificate authority rather than a commercial CA.

This is a common approach for non-production systems or those that will not be internet-facing and so will only receive connections from domain-joined clients that already trust the private CA.

The first step is to generate the certificate request for the Exchange 2013 server.

When you have the certificate request file ready open a web browser and navigate to the web enrolment page for the private CA. Click on Request a Certificate.

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority
Request a new certificate from the private certificate authority

Choose to submit an advanced certificate request.

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority
Submit an advanced certificate request

Choose the second option, to submit a certificate request using a file.

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority
Submit a certificate request file

Open your certificate request file in Notepad and copy the contents into the form, then change the certificate type to Web Server.

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority
Copy/paste the saved certificate request

Click Submit when you are ready and the CA will begin processing the request. When it is complete you can click the link to download the certificate to your computer.

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority
Download the new SSL certificate

The next steps in the process of configuring SSL certificates for Exchange 2013 are:

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


  1. rino

    what happens to OWA users if we use private CAs?
    or smartphone users where they check their emails?

  2. David Napolitan

    Paul, I do not have a selection for submit an advanced certificate request. The option is missing. I keep reading that it must be enabled. But how is it enabled?

  3. Salman

    Hi Paul,

    I was able to fix the problem stated earlier where the certificate download page was not appearing , instead the same request page with blank text boxes was coming. I googled and got a turn around and did this:

    certreq -submit -attrib “CertificateTemplate:WebServer” c:certreqfile.req

    a prompt appeared to select the ca server, i selected the normal one without the kerberos option and the certificate was issued.


  4. Salman

    Hi Paul,

    I have installed a test domain adatum.com, when im trying to generate the certificate using above procedure with code copied and certificate template selected as webserver, I press the submit button, the download certificate page does not come rather the same page returns with empty text boxes.

    Can you please help me out in this. The CA was installed properly and the steps to request a certreq.req was also followed properly using your earlier post: https://www.practical365.com/create-ssl-certificate-request-exchange-2013/


  5. David Hubert

    Thanks for your post, Very useful. I’m about to install Exchange 2013. Concerned however that using our internal domain CA, Outlook will give untrusted Certificate errors even to internal clients on our own LAN, due to the fact that Exchange 2013 uses “Outlook Anywhere”. I can cope with a few external users OWA, but to have to manually install certificates on each and every internal Outlook client will be a pain!

    1. Avatar photo
      Paul Cunningham

      You want the clients to trust the CA. An enterprise CA should be trusted already by domain members. If you’re deploying a standalone CA you can deploy the root certificate to the trusted store of your domain-joined clients via Group Policy.

      Using an internal CA is not really the best option. I do it for test lab scenarios but for production I always use a public CA. The certificate only costs a few hundred dollars per year.

  6. Patrick

    Hi Paul,

    I have generated the certificate request for the Exchange 2013 server. But I choose all the domain in the selection. Have also installed the Cert Service on the same server. Not when I refresh the ECP cannot start at all. Error message showing server uses an invalid security certificate. The certificate is not trusted because it is self-signed. What should I do now?

    Appreciate your help.


    1. Avatar photo
      Paul Cunningham

      Installing certificate services on the Exchange server is a bad idea. I recommend you remove it.

      Other than that, you say you’ve generated the CSR but that is not the end of the process. There are further steps linked at the end of the article.

  7. Fred

    Hi Paul,

    Can you tell me how to submit the request to the CA server when it does not have a web server on it?
    Or where to start looking for the how to do this.

    I think the CA is 2003 but is now on a 2008 R2 server now, that is on a DC.

  8. Pablo

    Hi, Paul, thanks for this post.

    Can i install Certificate Services Windows Server 2012 on the same computer i have installed Exchange 2013?

  9. Alexandr

    Thank you very helpful!

    Russia. Moscow.

  10. cuocdoi

    Hi Paul,

    when I open certificate:
    the screen displays error as follow

    HTTP Error 404.0 – Not Found
    The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
    1. Module IIS Web Core
    2. Notification MapRequestHandler
    3. Handler StaticFile
    4. Error Code 0x80070002
    5. Requested URL https://servername:443/certsrv
    6. Physical Path C:inetpubwwwrootcertsrv
    7. Logon Method Anonymous
    8. Logon User Anonymous

    Could you please arrange your time to take a look at my problem and show me how to fix it ?

    1. cuocdoi

      besides, I also create a folder “certsrv” into C:inetpubwwwroot, but cannot access certificate page

      1. Avatar photo
        Paul Cunningham

        That indicates to me that you have not installed the web enrollment feature when you set up your CA.

Leave a Reply