How to Assign an SSL Certificate to Exchange Server 2010 Services

After an SSL certificate has been installed on an Exchange Server 2010 server, you can assign different Exchange services to use that certificate.

To assign services to a certificate, launch the Exchange Management Console. Navigate to Server Management, and select the server that has the certificate installed.

If you encounter the error message “The certificate is invalid for exchange server usage”, see this article for the solution.

Right-click the certificate you wish to assign and choose Assign Services to Certificate.

Click Next to continue the wizard.

Choose the services you wish to assign to the certificate.  In this example I am choosing IIS so that the certificate can be used for OWA, ActiveSync, etc.

Click Assign to execute the change.

When the task has completed successfully, click Finish to close the wizard.

The certificate will now appear with the chosen services assigned to it.
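
The same assignment can be done from the Exchange Management Shell with `Enable-ExchangeCertificate`. The following is an added example, not part of the original article: it checks that the certificate is valid and covers the host names clients connect to before binding it to IIS, then lists the resulting assignments. The server name, thumbprint and host names are placeholders to replace with your own values.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2010.
# All three values below are placeholders / constructed sample values.
$Server        = 'EXCH01'                       # hypothetical server name
$Thumbprint    = '<CERTIFICATE-THUMBPRINT>'     # placeholder, copy from Get-ExchangeCertificate
$RequiredNames = 'mail.example.com', 'autodiscover.example.com'   # names clients connect to

$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint

# Refuse to bind a certificate that is expired, not yet valid,
# or that Exchange itself does not report as valid.
$now = Get-Date
if ($cert.Status -ne 'Valid' -or $cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is not usable: Status=$($cert.Status), NotAfter=$($cert.NotAfter)"
}

# Every name clients use must appear on the certificate, either exactly
# or through a single-level wildcard such as *.example.com. A missing name
# is what produces the "name on the security certificate is invalid" prompt.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = foreach ($name in $RequiredNames) {
    $n        = $name.ToLower()
    $wildcard = '*.' + ($n -split '\.', 2)[1]
    if ($domains -notcontains $n -and $domains -notcontains $wildcard) { $name }
}
if ($missing) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# Assign the IIS service (OWA, ActiveSync, etc.), as chosen in the wizard above.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services IIS

# Verify: show every certificate on the server with its assigned services,
# so leftover self-signed or soon-to-expire certificates are visible.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Services, NotAfter, IsSelfSigned, Subject -AutoSize
```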

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. Brian B says:

    Hi Paul, first let me say great website and book. I have an issue possibly in regards to this issue. I have inherited a position where my first project is to complete the 2010 migration from a mixed Exchange environment. Here is my issue. I am receiving the error message “Security Alert [CAS-SVR2007.domain.com] The name on the security certificate is invalid or does not match the name of the site”. The user in question is a user recently migrated to a 2010 mailbox database. I’m not sure why it's looking at the 2007 CAS server when the mailbox has been migrated to 2010.

    Old system: 2003 backend –> CAS-SVR2007 frontend. New system: EX0A-EX0B (DAG configured), EX0B CAS 2010. SAN certificate is configured for the new Exchange system.

    • Hi Brian, if you’ve got both Ex2007 and Ex2010 CAS in the same AD Site then Outlook 2007/2010 clients can and will connect to either one for various web services (eg Autodiscover, Availability) under different scenarios.

      Putting a trusted cert on the CAS would be the simplest fix. If you have an internal CA you can just issue the cert from there.

  2. Andy Dobbs says:

    Do we need to restart IIS after the service has been assigned to a certificate for OWA, ActiveSync, etc.?
    What is the syntax of the entry into a mobile device to attach via ActiveSync?

  3. L Aulakh says:

    I installed Exchange Server 2010 in coexistence with Exchange Server 2003 at the 2003 domain functional level, with a 2003 global catalogue server.
    I ran the commands to prepare legacy Exchange permissions and prepare AD.
    Installation was fine. I also replicated public folders from 2003 to 2010 and I also moved the 10 mailboxes from 2003 to 2010.
    ActiveSync and OWA are working fine. I installed all roles (Mailbox, CAS, Hub Transport) on one server, and after the installation Exchange installed a self-signed certificate, which it does when we install a CAS server.
    I also purchased a SAN certificate from Go Daddy.
    I installed the Go Daddy certificate and it works fine.
    I assigned the IIS, SMTP, IMAP and POP3 services to the Go Daddy certificate, but if I look in EMC or Get-ExchangeCertificate in the shell it shows IMAP, SMTP and POP are also assigned to the Exchange self-signed certificate. Should I remove the Exchange self-signed certificate or leave it there as it is?
    I also created an SRV record in DNS for autodiscover pointing to the CAS array.
    The issue that I am getting is that some users that I moved to Exchange 2010 are reporting that they sometimes receive a pop-up error message when they open Outlook.

    First error: Allow this website to configure user@domain.com server settings. Your account has redirected to this website for settings. This error is random, not continuous, and sometimes the users who are still on Exchange 2003 get this error. Whenever I create a new Outlook profile for a user either on Exchange 2003, I receive this pop-up error.

    Second error: it's a certificate error and the information on that error is:
    1. Security certificate is from trusted Authority.
    2. Certificate Date is valid.
    3. The name on the Security certificate is invalid or does not match the name of the site. Do you want to proceed? Yes or No.

    I have added 5 alternate names on the SAN certificate from Go Daddy.
    One of them is server.domain.com.
    I created a CAS array with the name outlook.domain.com and this name is also on the certificate. I added the Exchange server to this CAS array.
    If I hold Control and right-click on the Outlook icon in the taskbar and then test the connection, it shows that Outlook is connected to the CAS array that I connected.
    I don't know what's wrong here, or why users are receiving the certificate error, and not every day; it's random. If I look into the certificate error it shows the words Common name. Maybe you know.

  4. Anant says:

    I have already assigned the IIS service to a third-party certificate.

    Now I need to assign the IIS service to another third-party certificate.

    How can I change the service binding to the other certificate?

  5. Muhammad says:

    Hi Paul,

    When I run Test-OutlookWebServices I get an error message when connecting to mail.mycompany.com/ews/exchange..asmx (outside address): received error a state connection failed because the connected party did not respond on time, then it shows my external IP address:443. Please advise. I am using a wildcard and my firewall has HTTPS and HTTP open for CAS.

  6. Fidel says:

    Hey Paul,
    Good article. Question for you – after installing a certificate from our internal CA, I cannot assign services in EMC. The certificate installs, however the “Assign…” link is missing.

    However, I was able to assign services using EMS:
    Enable-exchangecertificate -server ‘someCASserver’ -services ‘imap, pop, iis, smtp’ -thumbprint ‘

    Has anyone ever encountered this?


  7. Dennis says:

    Paul, I have two certs on my two Exchange boxes, holding all roles in a DAG. One is a wildcard *.domain.com, the other is mail.domain.com. Both certs are from an external CA. The wildcard has IIS and SMTP assigned, mail.domain.com POP, IMAP and SMTP. Both POP and IMAP are disabled services. The mail.domain.com cert is about to expire. Is it safe for me to simply remove the cert without causing any issues?

  8. Anthony says:

    Hi Paul,

    Wondering if you could help.

    I have an Exchange 2010 DAG environment that I took over administration for. There were self-signed certs expiring for the two servers that each have the Hub Transport and Client Access roles. I renewed those certs and restarted the transport services. Everything is good.

    Now I have two servers each with mailbox server roles with self-signed certs expiring next week. Is the procedure to renew these any different? Do I have to restart any Exchange services afterwards?

  9. Ramandeep says:

    Do I need to restart any services after enabling an Exchange certificate for services like IIS, SMTP?

    Or does it automatically do it?
