Create an SSL Certificate Request for Exchange Server 2013

The first step in configuring a new SSL certificate for Exchange Server 2013 is to generate the certificate request.

More information about SSL certificates for Exchange Server 2013

In this example I am generating an SSL certificate request for a server named E15MB1 in the exchange2013demo.com domain, that is installed with the Client Access and Mailbox server roles. The server will be an internet-facing Client Access server, and so the following names will be included in the SSL certificate:

  • e15mb1.exchange2013demo.com
  • mail.exchange2013demo.com
  • autodiscover.exchange2013demo.com
  • exchange2013demo.com

Note: this is an example only. Make sure you do the proper planning so that you include all of the required names in your own SSL certificate request.

The certificate request can be generated using the Exchange Administration Center.

Open the Exchange Administration Center in your web browser and navigate to Servers -> Certificates.

Managing certificates in the Exchange Administration Center

Click the “+” button to start the new Exchange certificate wizard. Choose to create a new certificate request and click Next to continue.

Start the new Exchange certificate wizard

Give the new certificate a friendly name and click Next to continue.

Give the certificate a friendly name

Do not choose to create a wildcard certificate. Although wildcards are supported for Exchange, they are not supported for some interoperability scenarios with other server products. Click Next to continue.

Do not request a wildcard certificate for Exchange 2013

Click Browse and choose an Exchange server to store the certificate request (this is the server that will hold the pending certificate request while you wait for the certificate to be issued). In this example I am storing it on the server E15MB1. Click Next to continue.

Select a server to place the pending certificate request

Click the Edit button and enter the domain name that clients will be using to connect to each service, for example mail.exchange2013demo.com for OWA.

Configure the names to add to the certificate request

If multiple services such as OWA, OAB, OA, EWS and ActiveSync will be using the same external name, you only need to enter the name once for one of the services, and then you can click Next to continue.

A consolidated list of names is presented. If you were planning to use the same certificate for multiple Exchange 2013 servers, you should add any additional server names to this list. However, in this particular example I am requesting a certificate just for a single server.

Note that the server’s NetBIOS name (short name) will be present in this list if you did not modify the names for the POP and IMAP services.

Remove names that certificate authorities will not issue SSL certificates for

A commercial certificate authority will not issue you a certificate for a server’s NetBIOS name, so you must remove any of those names from your certificate request before you click Next to continue.

Enter your organization details and click Next to continue. For some certificate providers this information needs to match the information that is in the public WHOIS data for the domains that you are requesting a certificate for. If it does not match there may be some additional manual verification steps required before the certificate will be issued, which may slow down the process a little.

Enter your organization details

Enter a valid UNC path to store the certificate request file, and click Finish.

Choose the location for the certificate request file to be generated

The pending certificate request is now visible in the Exchange Administration Center.

A pending certificate request for Exchange 2013

The certificate request file can also be found in the UNC path that was specified.

The certificate request file
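The same request can also be generated from the Exchange Management Shell. The following is an added example, not part of the original article: the server and domain names are the ones used above, while the UNC share, friendly name and organization values are placeholders. It drops any single-label (NetBIOS) name before building the request and then dumps the request file so the subject and name list can be reviewed before submission.

```powershell
# Added example: Exchange Management Shell equivalent of the wizard steps.
# Names are from this article; the share, friendly name and organization are placeholders.

$names = @(
    'mail.exchange2013demo.com',
    'autodiscover.exchange2013demo.com',
    'e15mb1.exchange2013demo.com',
    'exchange2013demo.com',
    'E15MB1'   # NetBIOS short name, present when POP/IMAP names were not modified
)

# Keep only fully qualified names. Single-label names (and wildcards) do not
# match, mirroring the "remove NetBIOS names" step in the wizard.
$publicNames = @($names | Where-Object { $_ -match '^[a-z0-9-]+(\.[a-z0-9-]+)+$' })
$removed     = @($names | Where-Object { $publicNames -notcontains $_ })
if ($removed.Count -gt 0) {
    Write-Warning "Removed from request: $($removed -join ', ')"
}

$requestFile = '\\E15MB1\share\exchange2013demo.req'   # placeholder UNC path

$request = @{
    GenerateRequest      = $true
    Server               = 'E15MB1'
    FriendlyName         = 'Exchange 2013 Certificate'   # placeholder
    SubjectName          = 'C=US, O=Example Organization, CN=mail.exchange2013demo.com'  # placeholder org details
    DomainName           = $publicNames
    KeySize              = 2048
    # Assumption: single-server use. Set to $true only if the issued
    # certificate and its private key must be exported to other servers.
    PrivateKeyExportable = $false
    RequestFile          = $requestFile
}
New-ExchangeCertificate @request

# Review the subject and subject alternative names in the request file
certutil -dump $requestFile

# Confirm the pending request is held on the server
Get-ExchangeCertificate -Server 'E15MB1' |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, CertificateDomains, Status
```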

The next step is to submit the certificate request to a CA so that the SSL certificate can be issued. For commercial certificate authorities I recommend using DigiCert.

If you are planning to use a private CA instead then follow these instructions to submit the certificate request and download the SSL certificate.

 

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Hi,

    I'm having problems with internal Outlook users connecting to Exchange 2013. Can you please confirm that I do indeed need a CA cert for internal clients to connect to the Exchange 2013 server, or is the cert only for external users?

    Any help would be much appreciated. Thanks in advance.

    Ajay Paul

  2. Prashant says:

    Hi,

    I am unable to configure Outlook. It is showing: There is a problem with the server’s security certificate.

  3. Prashant says:

    Hi,

    I have 3 Windows 2008 servers.
    1. 192.168.0.1 AD/DNS
    2. 192.168.0.2 Member of domain/Exch2013
    3. 192.168.0.3 Member of domain/Exch 2013

    I am unable to configure an Outlook account.
