This article is an excerpt from the Exchange Server 2010 to 2013 Migration Guide.
For this Exchange 2013 upgrade project a new SSL (SAN) certificate is being provisioned for the Exchange 2013 servers. From the namespace and certificate planning part of this series we know that the following namespaces are required for the certificate:
- autodiscover.exchangeserverpro.net (HTTP – Autodiscover)
- mail.exchangeserverpro.net (HTTP – Outlook Anywhere, OWA, ECP/EAC, ActiveSync, EWS, OAB)
- imap.exchangeserverpro.net (IMAP)
- pop.exchangeserverpro.net (POP)
- smtp.exchangeserverpro.net (SMTP)
Note: the Exchange 2010 SSL certificate can be re-used if it contains the correct namespaces. You can export the SSL certificate from Exchange 2010 and import it into Exchange 2013. However, if the names on the certificate are not correct, or the certificate is due to expire soon anyway, you may find it easier to simply acquire a new SSL certificate.
To complete the SSL certificate configuration the following process is used:
- Generate a Certificate Request for Exchange 2013
- Submit the certificate request to the CA to generate the SSL certificate. For real world production environments I recommend Digicert for their competitive pricing, good support, flexible licensing, and free re-issues if you happen to make an error. For the purposes of this demonstration a private CA is being used by following these steps instead.
- Complete the pending certificate request
- Export/import an SSL certificate to multiple Exchange 2013 servers
- Assign the SSL certificate to services in Exchange 2013
The same SSL certificate is used on both servers. So the certificate can be acquired for EX2013SRV1, then exported and imported for EX2013SRV2. You should not provision separate SSL certificates for Client Access servers that will be accessed by clients via the same namespaces.
In the next part of this series we’ll begin configuring the Exchange 2013 server roles.
For more information see the Exchange Server 2010 to 2013 Migration Guide.