During your planning for SSL certificates for Exchange 2013 you may have chosen to use the same certificate on multiple servers.
The process for acquiring a certificate to be used on multiple servers is almost identical to the process for a single server. During the Exchange 2013 certificate request wizard you enter the fully qualified domain names of the Client Access server namespaces that the SSL certificate will be used for; as you can see here, these do not need to include actual server names.
After completing the certificate request on the first server (the one where the request was originally generated), you can export the certificate and import it to additional servers with the following steps.
1. In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate already installed.
2. Highlight the certificate to be exported, then click the “…” (more) icon and choose Export Exchange Certificate.
3. Enter a valid UNC path and the name of the file you wish to export to, and a password for the exported certificate.
4. Complete the Export Exchange Certificate wizard.
5. Open the “more” icon again and this time choose Import Exchange Certificate (it does not matter at this stage which server you have selected in the drop-down list above the icons).
6. Enter the UNC path to the file again, and the same password you used during the export.
7. Click the “+” icon and add any Exchange 2013 servers that you wish to import the certificate to.
8. Click Finish to complete the import wizard.
After you have imported the certificate to a server you can then proceed with assigning the SSL certificate to Exchange services.
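As an added example that is not part of the original article, here is the same export, import and service-assignment procedure done in the Exchange Management Shell with the Export-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate and Get-ExchangeCertificate cmdlets. The server names, thumbprint, UNC path and service list are assumed placeholders. Because the PFX file holds the private key, the script reads the password interactively, relies on the Exchange Trusted Subsystem group having access to the share, and deletes the file once every server has imported it.

```powershell
# Added example, not code from the original article. All names below are placeholders.
$sourceServer  = 'EX01'                                   # server where the request was completed
$targetServers = 'EX02', 'EX03'                           # servers that should receive the same cert
$thumbprint    = '<THUMBPRINT-OF-CERT-ON-EX01>'           # from Get-ExchangeCertificate -Server EX01
$pfxPath       = '\\fileserver\certs$\exchange.pfx'       # Exchange Trusted Subsystem needs read/write here
$pfxPassword   = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Export the certificate together with its private key as a password-protected PFX (PKCS#12).
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# 2. Import the PFX on each additional server. -PrivateKeyExportable $true keeps the key exportable
#    there too, in case the certificate later has to be moved again (rebuilt server, load balancer).
foreach ($server in $targetServers) {
    Import-ExchangeCertificate -Server $server `
        -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) `
        -Password $pfxPassword `
        -PrivateKeyExportable $true
}

# 3. Assign services on the new servers (the step the article says follows the import).
#    Enable-ExchangeCertificate prompts before replacing the default SMTP certificate.
foreach ($server in $targetServers) {
    Enable-ExchangeCertificate -Server $server -Thumbprint $thumbprint -Services IIS,SMTP
}

# 4. Verify: every server should report the same thumbprint and domains with Status = Valid.
#    An Invalid status usually points at a missing intermediate/root certificate or a
#    revocation check that cannot reach the CA, not at the import itself.
foreach ($server in @($sourceServer) + $targetServers) {
    Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint |
        Select-Object @{n = 'Server'; e = { $server }}, Thumbprint, Status, NotAfter, Services, CertificateDomains
}

# 5. The PFX contains the private key: remove it from the share once every server has imported it.
Remove-Item -Path $pfxPath -Force
```

Run this from the Exchange Management Shell as an account with the Exchange Server Certificates role; the thumbprint stays the same on every server because it is the same certificate, which is what lets the verification loop in step 4 compare servers directly.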
Can two mailbox servers use the same third-party certificates?
Hello Paul,
After importing the certificate into the Exchange 2013 server, clients started to receive a certificate error after opening Outlook: “certificate name does not match with site name”. What other steps are required to resolve this?
Thanks.
Hi Paul.
I’m trying to add a publicly signed wildcard cert to both my DAG nodes. One shows the cert as “valid” but the other “invalid”. Both servers have the trusted root cert/intermediate/private key for the CA. Removing/re-adding the cert and rebooting makes no difference. Any ideas?
Thanks
Hi Vaiz, could you share whether you got any solution?
Worked fine importing a wildcard cert to Exchange 2013, thanks.
Hi Paul,
I have got a few self-signed certificates:
1. “Microsoft Exchange Server Auth Certificate”,
2. “Microsoft Exchange”,
3. “Exchange Delegation Federation”.
These certificates are going to expire soon on CAS SERVER 1, CAS SERVER 2, MAILBOX SERVER 1 & MAILBOX SERVER 2 of my Exchange Server 2013 Enterprise in a DAG. Each certificate on all of my 5 servers has the same thumbprint, same serial number & same public key size.
So what I did was I went to Exchange ECP Servers > Certificates, selected “Microsoft Exchange Server Auth Certificate” on mailbox server 1 and clicked the “renew” button in the right-side pane; after a few seconds a new certificate with the name “Microsoft Exchange Server Auth Certificate” was created with 5 years extended validity. My question is: should I do the same process on all of my other servers (Mailbox server 2, CAS server 1, CAS server 2), or should I export the certificate from mailbox server 2 and import it to all of the other Exchange servers?
Please enlighten me which procedure I need to follow, and whether the same will be applicable for the other 2 certificates as well (that is, the certificates with the names “Microsoft Exchange” &
“Exchange Delegation Federation”).
Thank you very much in advance ,Paul.
regards,
Sharaf
Self-signed certificates should not be exported/imported to other servers. If you have multiple servers then you should renew the self-signed certificates on each server.
Thank you very much paul 🙂
If I use any of the Exchange 2013 external web services and the public certificate is installed on a (third-party) load balancer, is it necessary to have this certificate installed on the Exchange server as well?
One more question I have: if I am going to a hybrid environment and only one Exchange URL is externally published in our environment, and we need to have the rest of the external URLs published, can we point the rest of the external URLs to WAP?
Can you export/import to other servers before you assign the services?
Or do you assign services on 1st server then export/import to other CAS servers?
Thanks!
You can export/import whether you’ve assigned services or not. They’re two separate operations.
Dear Paul,
I have configured a DAG in Exchange 2016 (HA).
Exported from the 1st Exchange and imported to the 2nd Exchange.
Now with both exch01 & exch02 ON, OWA and Outlook Anywhere work fine,
but with the 2nd box exch02 OFF and exch01 ON, OWA & Outlook Anywhere do NOT work,
and with the 2nd box exch02 ON and exch01 OFF, OWA and Outlook Anywhere work.
How do I solve it? Why does OWA not work if exch02 is OFF (shut down)?
kumar
You need to make your client access namespaces highly available, either by deploying a load balancer or by configuring DNS round robin.
Hi Paul
Hope I can get some pointers on the testing that I am doing.
I am trying to achieve certificate-based authentication using Outlook 2016 (RPC) and Outlook Anywhere with Exchange 2013.
I have found a way to generate dynamic certificates (user certificates) using my IDM service provider, which generates the dynamic user certificates based on the login name from the Outlook authentication window; at each user Outlook session a cert is generated and sent to Exchange & AD for authentication.
I am getting stuck on how to begin with the configuration of the Certificate Authority (CA) in AD and Exchange.
Any suggestion/pointers will be appreciated.
I don’t have any info on that scenario, sorry. Perhaps try TechNet?
Hi Paul ,
I want to bind the trusted CA certificate to the Exchange service (intranet), which is right now running with a self-signed certificate. We need to configure some applications internally to use SMTP, which requires a trusted certificate. How can I do that?
This should help.
https://www.practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/
Hi paul
Currently I have a 2010 environment with a DAG and am planning to upgrade to 2013, and I want to run both environments in parallel until I complete the mailbox migration from 2010 to 2013. Now I am stuck with the certificate part of 2013, as I have 4 servers, 2 for EX10 and 2 for EX10. How can I include both environments in a single certificate, and even for the CAS? Would you be able to help me on this?
If the certificate on the 2010 servers has the namespaces you’re going to use for 2013 (which is usually the case) then yes, you can usually re-use the certificate by exporting from 2010 and importing to 2013.
Hi Paul, we have 2 Exchange Servers 2013 (multiple roles (Mailbox and CAS)) configured. Both Exchange servers have a different namespace and external URL, but they are in a DAG. So if I renew the CA, can I use the same certificate exported from Server 1 on Server 2, or do I need to issue a new one for Server 2?
You can use the same certificate if it has all the names you need on it.
I did all the steps as you mentioned, but it appears that the certificate is not valid. Do the CAS servers need internet access to validate the output?? Or maybe it is an incompatibility problem?
Sorry for the confusion, I think I got the solution.
One customer wants to use a single public IP hosting two different domains for OWA/ECP, like a.com and b.com. a.com already has a SAN certificate that does not include b.com; now they want to have a b.com certificate installed on the CAS server, which is NLBed.
In front of the server there is no reverse proxy, only simple NAT.
Now if the internal CAS server does not have an additional NIC with an additional IP, and publicly there is no additional public IP, then the two certs for a.com and b.com coexisting will not work, right, as they use the same default-site virtual directory, unless I create an additional virtual directory with an additional IP (internal and external). I read through the link below as a reference:
https://blogs.technet.microsoft.com/exchange/2015/02/11/configuring-multiple-owaecp-virtual-directories-on-the-exchange-2013-client-access-server-role/
Could you give me the suggestion.
Well that article explains how to create separate OWA virtual directories. Since those virtual directories are on a different IIS website, you can bind a different certificate to it.
Hi,
I have one question: can 2 CAS with NLB install 2 different certificates with 2 HTTPS proxy accesses for a single public IP?
I don’t understand your question. What are you trying to do?
Paul,
I already have an existing wildcard cert, but I can’t get it to install on the CAS side of my Exchange 2013 servers. It shows up on the MB server for some reason, but when I try to add it to the CAS, I get an error of “The Exchange Certificate operation has failed with an exception on the server \Servername. The error message is: Access Denied.”
When I look at the cert on my MB, the only services it offers as check boxes are SMTP and Microsoft Exchange Unified Messaging. Obviously I don’t want to go through the certificate setup, since I don’t need to purchase a cert, but I’m lost on how to resolve this issue so my CAS will take my wildcard cert and I can continue.
Just guessing from the “Access Denied” error, the Exchange Trusted Subsystem group needs access to the UNC path where you’ve stored the exported certificate. Have you checked those permissions?
Hi Paul.
I tried to export certificate from my old server (to import it to my new server), but I got the following error:
“A special Rpc error occurs on server XERXES-1: The private key couldn’t be exported as PKCS-12. It either couldn’t be accessed or isn’t exportable.”
Any help would be appreciated.
Thanks in advance
New 2013 box, imported the .p7b cert through MMC fine. Imported the .crt through EAC and it does not show up. It does not show up in EMC either. If I try to import again it tells me the cert with thumbprint ***** already exists. So I cannot delete or edit the cert in EAC.
Any ideas?
Can you use the same SAN certificate for both Exchange 2010 and Exchange 2013 in the process of upgrading?
Yes.
Hi Paul,
Probably Galeboe’s situation applies to us too, but I just want to confirm. We are in co-existence between 2010 and 2013. Since we changed the external namespace we did not renew the cert that was installed on 2010. We got a new cert with the new namespace on Exchange 2013. Mailboxes are now on 2013 but Outlook still shows the “Security certificate is invalid or does not match” error. Is this because we don’t have the new cert on Exchange 2010?
The Autodiscover URL on both Exchange 2010 and 2013 should be the same, and it should resolve in DNS to the Exchange 2013 server. That is the most likely cause of what you’re seeing, assuming your 2013 server is configured correctly.
Followed your instructions and it did resolve the issue. Thank you so much Paul, I really appreciate it.
I have two CAS servers. I have purchased an SSL cert and successfully installed it. I created the CSR on Server 1 and included Server 2 in the process. I successfully completed importing it on Server 1. The new SSL is listed and its status is valid. In the same area I select Server 2 and successfully imported the new SSL. However, I don’t see it in the list of certs. Did I do something incorrectly? Should I have submitted another CSR request? How do I get the new SSL to show in the list on Server 2?
After you complete the SSL install process on Server1, then you export the cert from Server1 with its private key, and import to Server2.
I did this as well. I exported the completed cert on Server1. It exports as a *.pfx file. I then selected Server2, clicked on import, specified the server in the wizard, then clicked finish. It imports successfully but it does list the new cert.
I can repeat the same process but I have to remove the cert from Server2 for it to successfully import. I’ve restarted IIS and the server as well, and it still won’t show up… What am I doing wrong?
Nevermind Paul I got it to work.
I found this on https://www.tbs-certificates.co.uk/FAQ/en/529.html
I used Powershell and ran the following command.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
Click Yes to overwrite.
Verified the Cert was not on Server2 still. Then reran the wizard to import and now it shows up.
With multiple Exchange servers do you have to share the private key? Sharing the private key often compromises it if sufficient controls are not in place, I would prefer one certificate per server, is this recommended and are there any rules to follow if this is possible, please?
The cert must be exported with the private key so it can be imported and enabled on the other servers.
The recommended practice is to use the same certificate on all CAS that will be handling traffic for the same namespaces. If you use separate certificates, clients will need to re-authenticate every time they switch CAS (e.g. for load balancing, or because the CAS they were connecting to fails).
Hi Paul,
If we use a third-party certificate for any of the external Exchange web services, is it mandatory that it is installed on the Exchange server, or if we configure the certificate on the (third-party) load balancer, does that also suffice?
hello,
I have 2 CAS servers connected to the internet through a proxy server, so I used “netsh winhttp set proxy” to make the cert “Valid”. When I set up a mail account with POP3S/IMAPS, I have the issue: “Send test email message: your server does not support the connection encryption type you have specified…”
So, what went wrong? How do I fix it?
P.S.: Sorry for my bad English.
Thank you.
Hi Paul,
When I’m trying to export the cert to a folder I created on one of my servers, I’m getting “The exported data cannot be written to the file. Access denied”.
I have full permission on this folder, as does Exchange Trusted Subsystem.
Thanks for your time.
Check the share and NTFS permissions again.
Thanks. I was able to save it on the server root.
Hi,
When I import the PFX file using Exchange ECP the certificate is imported, but the friendly name field is empty and it does not let me edit it. Any idea how I can give a friendly name to the certificate?
The friendly name is set when you first create the certificate request.
Hi Paul,
We’ve bought a certificate for server1 and get a status of “Revocation Check Failed”. We’re trying to get access to the public CA so that this resolves.
I’ve exported the cert to a PFX (with private key) and sent it to the load balancer team, and it works with the LB.
I also used the PFX to import to the other 5 Exchange 2013 servers. The status for these is “invalid”; any ideas?
Rgds,
Paul
Awesome, thanks so much for answering my question.
Hi Paul, I have a CAS server with all my names/URLs set up and all is working well, and I want to add 2 more CAS servers. Do I export the cert from the first one, then import it to the 2 new servers and then assign the services? I also need to make sure that the URLs are the same as on the first CAS, as I will be removing it.
Please help.
Thanks
Yes, and yes.
Thanks, so to confirm, I don’t need to run the certificate wizard?
Nope, export/import only. New cert wizard will generate a new cert, which is not the correct approach for multi-CAS sites.
I’ve followed these steps but I am getting a “A certificate with thumbprint already exists” error.
Sounds like the certificate already exists on that server.
I have the same error.
But when I select the 2nd Exchange server in the pop-up menu I don’t see the same public certs on the 2nd Exchange. It seems that the CA cert wasn’t applied to the second Exchange server.
I am having the same issue. It already exists on the server but I cannot see it in the Exchange admin center… what gives?
Use the MMC certificate plugin to remove the duplicate.
You mentioned in your article on Exchange 2013 SSL certificates that best practice is not to include the server names in the SAN certificate. How come you have included both Exchange servers and the domain in this article? Are there instances where this route (including the server names and domain) is preferred? Thank you. I appreciate the presence of your website!
The recommendation is to not include server names. I need to update this article sometime.
1) Can you use the same domain name for OWA, OAB, EWS, Exchange ActiveSync, Autodiscover and Outlook Anywhere, for both “when accessed from the intranet” and “when accessed from the internet”? Example domain: email.company.edu
2) If you have 2 CAS and 2 Mailbox servers, do you need a certificate for each server, or just the two CASs?
3) I read that the OAB is run on the Mailbox servers. Does this mean you cannot set this up on the CAS? If it cannot run on the CAS, then with my topology it would have to run on the Mailbox server, and that would mean I would need a certificate for all four servers?
1) Yes, using split DNS.
2) CAS only. You don’t need to mess with the certs on the Mailbox role.
3) OAB is generated by a Mailbox server, but it is distributed via CAS.
Hi Paul,
Do you know how to create a request for a cert that can be exported and import to TMG server? I think the private key needs to be set to “exportable”, but I don’t see anything from the UI to allow user to select that option.
Thanks,
Yep, you’ll need to drop into PowerShell for that one. The New-ExchangeCertificate cmdlet has a parameter for making the private key exportable.
http://technet.microsoft.com/en-us/library/aa998327(v=exchg.150).aspx
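As an added example (not code from the original post or reply), this is how the request is generated in the Exchange Management Shell with New-ExchangeCertificate and -PrivateKeyExportable $true, then completed with the CA-issued certificate, and finally checked for an exportable key before the certificate is moved to another server or a TMG/load balancer. The server name, subject, domain names, friendly name and file paths are assumed placeholders. It also covers the friendly-name question raised earlier in the thread: the friendly name is fixed at request time, which is why it cannot be edited after an import.

```powershell
# Added example, not code from the original page. All names below are placeholders.
$server         = 'EX01'
$friendlyName   = 'Exchange 2013 client access'
$requestPath    = '\\fileserver\certs$\mail-request.req'   # request file to submit to the CA
$issuedCertPath = '\\fileserver\certs$\mail-issued.cer'    # file returned by the CA

# 1. Generate the request. -PrivateKeyExportable $true is the option the EAC wizard does not expose;
#    -FriendlyName is also set here because it cannot be changed later through the EAC.
$request = New-ExchangeCertificate -Server $server -GenerateRequest `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName $friendlyName `
    -SubjectName 'CN=mail.example.com, O=Example, C=US' `
    -DomainName 'mail.example.com', 'autodiscover.example.com'

# The cmdlet returns the PEM request as text; write it out the way the Microsoft docs do.
[System.IO.File]::WriteAllBytes($requestPath, [System.Text.Encoding]::Unicode.GetBytes($request))

# 2. Submit $requestPath to the CA. When the issued certificate comes back, complete the
#    pending request on the same server (the one holding the private key).
Import-ExchangeCertificate -Server $server -FileData ([System.IO.File]::ReadAllBytes($issuedCertPath))

# 3. Confirm the key is exportable and the chain validates before exporting the PFX anywhere else.
#    PrivateKeyExportable = False here means the request was generated without the flag and a new
#    request is needed; Status other than Valid points at a missing intermediate or a revocation check.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Select-Object Thumbprint, FriendlyName, Status, PrivateKeyExportable, CertificateDomains
```

Step 3 is worth running on the source server before an export is attempted: the “private key couldn’t be exported as PKCS-12” error mentioned earlier in the thread is exactly what a non-exportable key produces at export time.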
I know this is old, but you can also use the DigiCert export utility.
I had to do this to get a correct cert for an Apache server.