The first step in configuring a new SSL certificate for Exchange Server 2013 is to generate the certificate request.
More information about SSL certificates for Exchange Server 2013
In this example I am generating an SSL certificate request for a server named E15MB1 in the exchange2013demo.com domain, that is installed with the Client Access and Mailbox server roles. The server will be an internet-facing Client Access server, and so the following names will be included in the SSL certificate:
Note: this is an example only. Make sure you do the proper planning so that you include all of the required names in your own SSL certificate request.
The certificate request can be generated using the Exchange Administration Center.
Open the Exchange Administration Center in your web browser and navigate to Servers -> Certificates.
Click the “+” button to start the new Exchange certificate wizard. Choose to create a new certificate request and click Next to continue.
Give the new certificate a friendly name and click Next to continue.
Do not choose to create a wildcard certificate. Although wildcards are supported for Exchange they are not supported for some interoperability scenarios with other server products. Click Next to continue.
Click Browse and choose an Exchange server to store the certificate request (this is the server that will hold the pending certificate request while you wait for the certificate to be issued). In this example I am storing it on the server E15MB1. Click Next to continue.
Click the Edit button and enter the domain name that clients will be using to connect to each service, for example mail.exchange2013demo.com for OWA.
If multiple services such as OWA, OAB, OA, EWS and ActiveSync will be using the same external name you only need to enter the name once for one of the services, and then you can click Next to continue.
A consolidated list of names is presented. Note that the server's NetBIOS name (short name) will be present in this list, and other unwanted names may also appear, depending on how you completed the previous step. Remove any of the names that you do not want to be included in the SSL certificate.
In particular, a commercial certificate authority will not issue you a certificate for a server's NetBIOS name, an IP address, or a namespace that you can't verify that you own (eg a .local domain), so you must remove any of those names from your certificate request before you click Next to continue.
Enter your organization details and click Next to continue. For some certificate providers this information needs to match the information that is in the public WHOIS data for the domains that you are requesting a certificate for. If it does not match there may be some additional manual verification steps required before the certificate will be issued, which may slow down the process a little.
Enter a valid UNC path to store the certificate request file, and click Finish.
The pending certificate request is now visible in the Exchange Administration Center.
The certificate request file is also able to be found in the UNC path that was nominated.
The next step is to submit the certificate request to a CA so that the SSL certificate can be issued. For commercial certificate authorities I recommend using Digicert.
If you are planning to use a private CA instead then follow these instructions to submit the certificate request and download the SSL certificate.