There are two methods you can use for generating a certificate request for Exchange Server 2016:
- The Exchange Admin Center (you can think of this as the GUI method)
- The Exchange Management Shell (or PowerShell, you can think of this as the command line method)
Generating the certificate request (or CSR) using the Exchange Admin Center is generally the easier of the two options, and this tutorial demonstrates how to do it.
To begin, open your web browser and connect to the URL for the Exchange Admin Center on one of your Exchange 2016 servers. After logging in, navigate to Servers and then Certificates.
If you have more than one Exchange server in your organization, select the correct server from the drop-down list, then click the “+” icon to start a new CSR.
Choose to create a request for a certificate from a certification authority.
Enter a friendly name for the certificate. You'll see this name in the list of certificates installed on the server, so make it something that you will easily recognise. For example, there's already a self-signed certificate named “Microsoft Exchange”, so call your new certificate something different such as “Exchange 2016 SAN Certificate”.
Although wildcard certificates are generally supported for Exchange Server 2016, I am not going to be installing a wildcard certificate in this example.
Choose a server to store the certificate request on. This is the server that generates and holds the private key for the request (it appears there as a pending request until the issued certificate is imported), so the same server must later be used to complete the certificate request, and it will be the first server that has the certificate installed. You can later export the certificate, with its private key, from this server and import it into other Exchange servers that have the same namespaces configured. Treat that export file as a secret, because it contains the private key.
Next we select the domain names to include on the SSL certificate. You'll notice that the wizard has pre-populated the list based on the namespaces configured on the various Exchange services. However, if you scroll down you may also notice that the server's real name is included in that list due to the default configuration of the POP and IMAP services, even if those services are not enabled. Internal server names should not go on a request for a public certificate: public certificate authorities will not issue certificates containing internal host names, and you don't want to advertise your internal naming on a public certificate anyway. You can edit the entries at this step, but I find it easier to proceed to the next step and modify the list there instead.
At the next step you can select and remove any unwanted names, edit existing names, or add more names to the certificate request. In this example I've modified the list to include only the planned namespaces:
- mail.exchange2016demo.com (for HTTPS services)
- autodiscover.exchange2016demo.com (the Autodiscover CNAME that may be used by non-domain joined devices such as mobile phones)
- exchange2016demo.com (the root domain, which is optional and depends on your specific scenario, but it's harmless to include it if you're not sure)
Enter your organization information for the certificate request. This information forms part of the validation process performed by the certificate authority that issues your certificate, so using correct and valid details is important. If any of the details are incorrect, the certificate authority may contact you for additional proof of ownership before issuing the certificate, which slows down the whole process.
Enter a UNC path to save the certificate request to. The UNC path you provide must be writable by the Exchange server's computer account, or by the Exchange Trusted Subsystem group. Simply choosing a UNC path that points to a share on the Exchange server itself should be fine. You'll also need to be able to access the location yourself to be able to submit the request to the certificate authority. Note that the request file contains only the public key, the subject and the requested names, not the private key, which stays in the certificate store of the server you selected earlier.
Click Finish, and the certificate request will be generated in the UNC path you chose.
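For comparison, here is the same request generated with the Exchange Management Shell, the second method mentioned at the start. This is an added example, not code from the original tutorial; the server name EX2016-01, the share \\EX2016-01\CertRequests, and the organization details in the subject are placeholders you would replace with your own. It builds the name list explicitly from the planned namespaces, refuses to continue if an internal name (the server's own name or FQDN, or a name without a dot) slipped into the list, writes the Base64 request to the UNC path the way the New-ExchangeCertificate documentation shows, and then confirms the pending request exists on the chosen server.

```powershell
# Added example: generate the same SAN certificate request from the Exchange Management Shell.
# All server, share and organization values below are placeholders (assumptions), not from the tutorial.
$Server       = 'EX2016-01'
$FriendlyName = 'Exchange 2016 SAN Certificate'
$RequestPath  = '\\EX2016-01\CertRequests\exchange2016demo.req'

# Only the planned namespaces. The first entry is used as the CN in the subject.
$DomainNames = @(
    'mail.exchange2016demo.com',
    'autodiscover.exchange2016demo.com',
    'exchange2016demo.com'
)

# Organization details as the CA will validate them (placeholder values).
$SubjectName = "C=AU,S=NSW,L=Sydney,O=Exchange 2016 Demo,OU=IT,CN=$($DomainNames[0])"

# Guard against the mistake the EAC wizard invites: the server's real name ending up on a public CSR.
$serverFqdn = (Get-ExchangeServer -Identity $Server).Fqdn
$internal = $DomainNames | Where-Object {
    $_ -eq $Server -or $_ -eq $serverFqdn -or $_ -notmatch '\.'
}
if ($internal) {
    throw "Refusing to request a public certificate for internal names: $($internal -join ', ')"
}

# The private key is generated and kept on $Server; the cmdlet returns the Base64 PKCS#10 request.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName $FriendlyName `
    -SubjectName $SubjectName `
    -DomainName $DomainNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Write the request file to the UNC path (Unicode encoding, as in the New-ExchangeCertificate docs).
[System.IO.File]::WriteAllBytes($RequestPath, [System.Text.Encoding]::Unicode.GetBytes($csr))

# Confirm the pending request (and therefore the private key) is on the server that must complete it.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```

When the CA returns the issued certificate, complete the request on the same server (Import-ExchangeCertificate against that server) so that it pairs with the private key shown as PendingRequest above; completing it anywhere else fails because no matching key exists there.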