Home » Exchange Server » How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority

How to Issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority

When you are configuring SSL certificates for Exchange Server 2013 you may choose to issue the certificates from a private certificate authority rather than a commercial CA.

This is a common approach for non-production systems or those that will not be internet-facing and so will only receive connections from domain-joined clients that already trust the private CA.

The first step is to generate the certificate request for the Exchange 2013 server.

When you have the certificate request file ready open a web browser and navigate to the web enrolment page for the private CA. Click on Request a Certificate.

Request a new certificate from the private certificate authority

Choose to submit an advanced certificate request.

Submit an advanced certificate request

Choose the second option, to submit a certificate request using a file.

Submit a certificate request file

Open your certificate request file in Notepad and copy the contents into the form, then change the certificate type to Web Server.

Copy/paste the saved certificate request

Click Submit when you are ready and the CA will begin processing the request. When it is complete you can click the link to download the certificate to your computer.

Download the new SSL certificate

The next steps in the process of configuring SSL certificates for Exchange 2013 are:

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. cuocdoi says:

    Hi Paul,

    when I open certificate:
    the screen displays error as follow

    HTTP Error 404.0 – Not Found
    The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
    1. Module IIS Web Core
    2. Notification MapRequestHandler
    3. Handler StaticFile
    4. Error Code 0x80070002
    5. Requested URL https://servername:443/certsrv
    6. Physical Path C:inetpubwwwrootcertsrv
    7. Logon Method Anonymous
    8. Logon User Anonymous

    Could you please arrange your time to take a look at my problem and show me how to fix it ?

  2. Pablo says:

    Hi, Paul, thanks for this post.

    Can i install Certificate Services Windows Server 2012 on the same computer i have installed Exchange 2013?

  3. Fred says:

    Hi Paul,

    Can you tell me how to submit the request to the CA server when it does not have a web server on it?
    Or where to start looking for the how to do this.

    I think the CA is 2003 but is now on a 2008 R2 server now, that is on a DC.

  4. Patrick says:

    Hi Paul,

    I have generated the certificate request for the Exchange 2013 server. But I choose all the domain in the selection. Have also installed the Cert Service on the same server. Not when I refresh the ECP cannot start at all. Error message showing server uses an invalid security certificate. The certificate is not trusted because it is self-signed. What should I do now?

    Appreciate your help.


    • Installing certificate services on the Exchange server is a bad idea. I recommend you remove it.

      Other than that, you say you’ve generated the CSR but that is not the end of the process. There are further steps linked at the end of the article.

  5. David Hubert says:

    Thanks for your post, Very useful. I’m about to install Exchange 2013. Concerned however that using our internal domain CA, Outlook will give untrusted Certificate errors even to internal clients on our own LAN, due to the fact that Exchange 2013 uses “Outlook Anywhere”. I can cope with a few external users OWA, but to have to manually install certificates on each and every internal Outlook client will be a pain!

    • You want the clients to trust the CA. An enterprise CA should be trusted already by domain members. If you’re deploying a standalone CA you can deploy the root certificate to the trusted store of your domain-joined clients via Group Policy.

      Using an internal CA is not really the best option. I do it for test lab scenarios but for production I always use a public CA. The certificate only costs a few hundred dollars per year.

  6. Salman says:

    Hi Paul,

    I have installed a test domain adatum.com, when im trying to generate the certificate using above procedure with code copied and certificate template selected as webserver, I press the submit button, the download certificate page does not come rather the same page returns with empty text boxes.

    Can you please help me out in this. The CA was installed properly and the steps to request a certreq.req was also followed properly using your earlier post: http://practical365.com/create-ssl-certificate-request-exchange-2013/


  7. Salman says:

    Hi Paul,

    I was able to fix the problem stated earlier where the certificate download page was not appearing , instead the same request page with blank text boxes was coming. I googled and got a turn around and did this:

    certreq -submit -attrib “CertificateTemplate:WebServer” c:certreqfile.req

    a prompt appeared to select the ca server, i selected the normal one without the kerberos option and the certificate was issued.


  8. David Napolitan says:

    Paul, I do not have a selection for submit an advanced certificate request. The option is missing. I keep reading that it must be enabled. But how is it enabled?

Leave a Reply

Your email address will not be published. Required fields are marked *