
Create an SSL Certificate Request for Exchange Server 2013

The first step in configuring a new SSL certificate for Exchange Server 2013 is to generate the certificate request.

More information about SSL certificates for Exchange Server 2013

In this example I am generating an SSL certificate request for a server named E15MB1 in the exchange2013demo.com domain, that is installed with the Client Access and Mailbox server roles. The server will be an internet-facing Client Access server, and so the following names will be included in the SSL certificate:

  • mail.exchange2013demo.com
  • autodiscover.exchange2013demo.com

Note: this is an example only. Make sure you do the proper planning so that you include all of the required names in your own SSL certificate request.

The certificate request can be generated using the Exchange Administration Center.

Open the Exchange Administration Center in your web browser and navigate to Servers -> Certificates.

Managing certificates in the Exchange Administration Center

Click the “+” button to start the new Exchange certificate wizard. Choose to create a new certificate request and click Next to continue.

Start the new Exchange certificate wizard

Give the new certificate a friendly name and click Next to continue.

Give the certificate a friendly name

Do not choose to create a wildcard certificate. Although wildcard certificates are supported by Exchange, they are not supported in some interoperability scenarios with other server products. Click Next to continue.

Do not request a wildcard certificate for Exchange 2013

Click Browse and choose an Exchange server to store the certificate request (this is the server that will hold the pending certificate request while you wait for the certificate to be issued). In this example I am storing it on the server E15MB1. Click Next to continue.

Select a server to place the pending certificate request

Click the Edit button and enter the domain name that clients will be using to connect to each service, for example mail.exchange2013demo.com for OWA.

Configure the names to add to the certificate request

If multiple services such as OWA, OAB, Outlook Anywhere (OA), EWS and ActiveSync will use the same external name, you only need to enter that name once, for one of the services. Then click Next to continue.

A consolidated list of names is presented. Note that the server’s NetBIOS name (short name) will be present in this list, and other unwanted names may also appear, depending on how you completed the previous step. Remove any of the names that you do not want to be included in the SSL certificate.

Remove names that certificate authorities will not issue SSL certificates for

In particular, a commercial certificate authority will not issue you a certificate for a server’s NetBIOS name, an IP address, or a namespace that you can’t prove you own (e.g. a .local domain), so you must remove any of those names from your certificate request before you click Next to continue.

Enter your organization details and click Next to continue. For some certificate providers this information needs to match the information that is in the public WHOIS data for the domains that you are requesting a certificate for. If it does not match there may be some additional manual verification steps required before the certificate will be issued, which may slow down the process a little.

Enter your organization details

Enter a valid UNC path to store the certificate request file, and click Finish.

Choose the location for the certificate request file to be generated

The pending certificate request is now visible in the Exchange Administration Center.

A pending certificate request for Exchange 2013

The certificate request file can also be found in the UNC path that was nominated.

The certificate request file
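The same request can be generated from the Exchange Management Shell instead of the EAC wizard. The following is an added example, not code from the original post; the organization details in the subject and the UNC share path are placeholders to replace with your own values.

```powershell
# Added example: Exchange Management Shell equivalent of the EAC wizard steps above.
# Organization details (o=, l=, s=, c=) and the UNC share are placeholder values.

# Only the names clients actually connect to. The server's NetBIOS name (E15MB1),
# any .local name and any IP address are deliberately left out, because a
# commercial CA will not issue a certificate containing them.
$names = @('mail.exchange2013demo.com', 'autodiscover.exchange2013demo.com')

# The CN in the subject is the primary name; every name in -DomainName
# (including the CN) is placed in the Subject Alternative Name extension.
$subject = 'c=US, s=ExampleState, l=ExampleCity, o=Example Org, cn=mail.exchange2013demo.com'

# -GenerateRequest returns the PEM-encoded CSR as text and leaves the
# pending request (with its private key) on the server named in -Server.
# -PrivateKeyExportable lets you export the completed certificate to other servers later.
$request = New-ExchangeCertificate -Server 'E15MB1' `
    -GenerateRequest `
    -FriendlyName 'Exchange 2013 SSL - exchange2013demo.com' `
    -SubjectName $subject `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Write the CSR to the UNC path that will be submitted to the CA (placeholder share).
$reqPath = '\\E15MB1\Certificates\E15MB1.req'
Set-Content -Path $reqPath -Value $request -Encoding Ascii

# Check that the pending request is now visible on the server, as it is in the EAC.
Get-ExchangeCertificate -Server 'E15MB1' |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint

# Decode the CSR before sending it, to confirm the SAN list holds only the intended names.
certutil.exe -dump $reqPath
```

Review the `certutil -dump` output for any unwanted name before submitting the file; a request containing a NetBIOS or .local name will be rejected by a commercial CA and must be regenerated.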

The next step is to submit the certificate request to a CA so that the SSL certificate can be issued. For commercial certificate authorities I recommend using Digicert.

If you are planning to use a private CA instead then follow these instructions to submit the certificate request and download the SSL certificate.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

  1. Ajay says:

    hi,

    I'm having problems with internal Outlook users connecting to Exchange 2013. Can you please confirm that I do indeed need a CA cert for internal clients to connect to the Exchange 2013 server, or is the cert only for external users?

    Any help would be much appreciated. Thanks in advance.

    Ajay Paul

  2. Prashant says:

    Hi,

    I have 3 Windows 2008 servers.
    1. 192.168.0.1 AD/DNS
    2. 192.168.0.2 Member of domain/Exch 2013
    3. 192.168.0.3 Member of domain/Exch 2013. I am unable to configure an Outlook account.

  3. Michael says:

    What if you can’t put the CAS server/servers’ FQDN on the certificate? For example when you don’t own the internal domain naming rights and a provider such as godaddy refuses to put the name on the certificate because it can’t get verified?

  4. Paul, can you explain why you chose not to use a wildcard certificate? I have a customer that we are migrating from Exchange 2007 to Exchange 2013. The customer has a wildcard certificate and wants to continue with it.

  5. Hai Dang says:

    Thanks Paul,

    I have a question. If I have multiple CAS in the system (mailbox and CAS were installed on the same server):

    MBX1.itlab.test
    MBX2.itlab.test

    and the external and internal URL for Outlook Anywhere is mail.itlab.test,

    will I request a certificate (https://mail.itlab.test) for only MBX1, or include MBX1 and MBX2?

  6. MrMark says:

    Paul,
    Thanks for the article.
    Could I use the UC cert for my Office Web Apps farm too? Provided I add a hostname in the final request window above like wac.exchange2013demo.com?
    I know Office Web Apps won't allow a wildcard, but will it allow the cert above?
    Thanks

  7. David says:

    How does one generate a CSR? I installed Exchange Server 2013 but I am unable to get a certificate; I basically don’t know how to obtain one.

  8. Harry says:

    Hi Paul,

    Thank you for the step by step instructions. I have a question. Once I follow the steps, it will create a certificate request that expires in one year. However, my certificate vendor offers a three-year certificate with a great discount. How can I create an Exchange 2013 certificate request that will expire in three years instead of the default one year?

    Thanks,

    -H

  9. Alex says:

    Hi Paul,
    I’ve successfully issued and installed the certificates from Digicert as you recommended. However, since I have not specified the individual CAS server names in the certificate, rather the “exchange.domain.com” address, the “Name on the security certificate is invalid or does not match the name of the site” error appears when opening Outlook.

    Our certificate contains:
    exchange.domain.com
    http://www.domain.com.au

    My CAS servers are called:
    exchange01.domain.com
    exchange02.domain.com

    Without adding the server names and re-issuing the certificate at an additional cost, what would you recommend I do if I wanted three green ticks in the Outlook security alert box? Should I self-sign a certificate for my internal Outlook users and name the two CAS servers in that, or would that give me an error with the CA issuer?

    Thanks in advance,
    Alex

  10. Samir says:

    I have a problem with the Outlook client.
    Once I create the .req file, Outlook stops working and gives an error related to the SSL proxy server.

    Any ideas?

  11. Altheuz says:

    Hi Paul,
    Thank you so much for all the help and procedures that you give to us. Unfortunately I cannot find a solution on how I can create a request for a certificate that comes up as SHA2 or SHA256 in Exchange Server 2013; the CA told me that it is only SHA1. I tried other solutions from MS and Symantec but they always result in SHA1. hmm..
    Thanks in advance!!! Cheers!

  12. Billy Davison says:

    Exchange Server 2013: I try to create a new certificate and it says I haven’t got the correct permissions, although I’m a domain admin.

    • Domain Admin is not an Exchange permission. AD admin permissions and Exchange admin permissions are two different things. It’s entirely possible to be a Domain Admin and have no permissions to do stuff in Exchange.

  13. EGAIS says:

    Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain that you want to add to the certificate, leave this page blank. Choose

  14. Jac says:

    We have 4 accepted domain names in Exchange 2013. I followed the single namespace configuration. I have added webmail.domain.com and autodiscover.domain.com.
    For the other remaining accepted domains, what names should be added to the certificate? Only autodiscover.domain1.com?

    Could you please advise.
