Exchange Server 2010 SSL Certificates

If it is your first time working with Exchange Server 2010 then you will quickly realise that you need to learn about the relationship between Exchange 2010 and SSL certificates.

Looking for information about Exchange 2013 SSL certificates instead? Click here to find out more.

SSL Requirements in Exchange Server 2010

Prior to Exchange Server 2007 an Exchange server could be deployed and by default would not require SSL for any of its communications.  The wise move when deploying Exchange Server 2003 (for example) was to install an SSL certificate for IIS and use SSL for external access (eg Outlook Web Access and ActiveSync).

However this was not mandatory and it certainly isn’t unusual to encounter legacy Exchange environments that allow external access over insecure HTTP connections.

For Exchange Server 2007, and then again with Exchange Server 2010, Microsoft changed the default behaviour so that SSL was required for many services, even when they are only used internally.  So a newly installed Exchange Server 2010 server that hosted the Client Access server role would have SSL enforced for services such as:

  • Outlook Web App
  • ActiveSync
  • Exchange Web Services
  • Outlook Anywhere

The administrator could disable that SSL requirement, but again the wise move is to protect Exchange Server 2010 communications with SSL encryption rather than allow them over insecure HTTP connections.

Because the SSL requirement is on by default the Exchange 2007 and Exchange 2010 servers are installed with a self-signed SSL certificate.  This self-signed certificate does the job of securing any SSL connections, however because it is self-signed no connecting clients or devices will trust it, so it is unsuitable for long term use.  The administrator needs to install a new SSL certificate for Exchange Server 2010.

If you’re using an internal DNS namespace that you don’t own or that is not publicly valid (eg, .local) you may also need to read How to Deal with SSL Requirements for Exchange when Certificate Authorities Won’t Issue You a Certificate.

Exchange 2010 SAN Certificates

Administrators who have installed SSL certificates for Exchange before may be familiar with the general process involved.  But they might not be familiar with the SSL certificate requirements for Exchange Server 2010.

In short, Exchange Server 2010 will respond to connections on multiple names.  These names typically include:

  • The fully qualified domain name (FQDN) of the Exchange server, eg ex2.exchangeserverpro.net
  • DNS aliases for external access, eg mail.exchangeserverpro.net or webmail.exchangeserverpro.net
  • The Autodiscover name of each SMTP namespace in the organization, eg autodiscover.exchangeserverpro.net

This makes a standard single-name SSL certificate unsuitable.  Instead, Exchange Server 2010 must be installed with a SAN certificate.

SAN stands for Subject Alternative Name, a certificate extension that lists the additional names the SSL certificate is valid for, so that one certificate can cover several host names.  For example, here is the certificate used to secure Outlook Web App for Microsoft.

Exchange 2010 SSL certificate used by Microsoft

In Exchange Server 2007 it was possible to make a series of configuration changes so that a single-name SSL certificate would work.  However these changes were complex, especially in larger environments, and the cost to perform and maintain them (in terms of administrative time spent) far outweighed the cost of a genuine SAN certificate from a commercial Certificate Authority.

Where to Buy SSL Certificates for Exchange 2010

There are lots of commercial Certificate Authorities to choose from when buying an SSL certificate for your Exchange Server 2010 servers.

My recommendation is to use Digicert’s Unified Communications Certificate, which I like for the pricing, generous licensing terms, and support such as unlimited reissues of the certificate (if for example you forget one of the alternative names the first time you request the certificate).

How to Install an SSL Certificate for Exchange Server 2010

The process to acquire and install an Exchange 2010 SSL certificate is as follows.

  1. Generate a new certificate request using the wizard built in to Exchange Server 2010
  2. Submit the certificate request to your chosen Certificate Authority
  3. Install the issued SSL certificate on the Exchange 2010 server
  4. Assign the new SSL certificate to the appropriate services on the Exchange 2010 server
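The same four steps run from the Exchange Management Shell, as an added example that is not part of the original article (the article uses the EMC wizard). The host names are the article’s own sample names; the organisation details and the file paths under C:\Certs are placeholders.

```powershell
# Added example: Exchange 2010 SAN certificate request, import and assignment from the
# Exchange Management Shell. Host names are the article's examples; paths and the
# O= value are placeholders.

# Step 1: generate the request. -SubjectName supplies the common name; every name that
# clients connect to (server FQDN, external alias, Autodiscover) goes in -DomainName and
# ends up in the Subject Alternative Name extension.
$names = "mail.exchangeserverpro.net",
         "autodiscover.exchangeserverpro.net",
         "ex2.exchangeserverpro.net"

$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.exchangeserverpro.net" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Step 2: save the PEM request text and submit it to the Certificate Authority.
Set-Content -Path "C:\Certs\exchange2010.req" -Value $req

# Step 3: import the certificate the CA returned (.cer / .p7b) and re-read it so the
# Exchange view of it (CertificateDomains, Services) is available.
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path "C:\Certs\issued.cer" -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# Before enabling it, confirm the CA actually issued every name that was requested;
# a missing alias is the most common reason clients keep seeing certificate warnings.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
}

# Step 4: assign the certificate to IIS, which covers Outlook Web App, ActiveSync,
# Exchange Web Services and Outlook Anywhere. Until this step runs, clients still get
# the self-signed certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Show which certificate each service now uses and when it expires.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter
```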

The complete process is demonstrated in this article:

If you are performing these steps for training or demo lab purposes you may wish to save money and issue the certificate from a private Certificate Authority instead.  If that is the case then follow the steps in this article:

When using private Certificate Authorities you can potentially encounter trust issues that prevent Exchange 2010 from using the certificate.  See this article for details of how to fix this problem:

And finally, in some network environments with restricted access to the internet you may find the new SSL certificate can’t be used by Exchange 2010 because it can’t check it against the certificate revocation list.  If that happens to you follow the steps in this article to solve the problem:

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Erick Perez says:

    Just to let you know that you should add the certificate authority COMODO. Your page hits almost at the top in our country for exchange 2010 certificates (google search). We, however, use COMODO mainly because prices are far cheaper than verisign. And security is not a concern because all the Cert Authorities out there are supposed to comply with strict standards in the industry.

    Anyways, excellent article.

  2. Paul,
    I read several of your articles concerning Exchange 2010 certificates since I just installed SBS 2011 for a client.
    In your article, under ‘Where to buy SSL certificates for Exchange 2010’, you recommend the DigiCert Unified Communications certificate. However, based on the DigiCert website’s info and my own experience the DigiCert UC certificate does not include SSL certification. After having installed the UC certificate OWA still complains that the web site certificate (self-signed) is untrusted.
    Looks like the SSL certificate is sold separately and is also needed from DigiCert to complement the UC certificate.
    Like the other comment says, otherwise this is a helpful and well written article which certainly put me on the right path to solving many of my certificate installation related questions.

    • “After having installed the UC certificate OWA still complains that the web site certificate (self-signed) is untrusted.”

      If you’re connecting to OWA and still seeing the self-signed cert then it indicates that you have not enabled the new certificate for the correct services.

      Note the four step process after the “Where to buy…” section in the “How to install…” section. Step 4 is:

      “Assign the new SSL certificate to the appropriate services on the Exchange 2010 server”

      That is demonstrated towards the end of this article on configuring an SSL certificate for Exchange 2010:

      http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010

  3. Hi Paul – what do we do when we can no longer get SAN certs with .local addresses in them? Can we get Exch 2010 to function properly with just the public FQDNs in the SAN cert?

    Thanks,
    Matt

    P.S. Great site by the way.

    • Paul
      I commented on a recent article you submitted discussing Exchange 2013 DAGs. I have a question about SSL Certificates and how they work in a DAG. Currently we have a UC cert on our Exchange 2007 server. In a DAG, do you need a cert on each server? I suspect you do, but can you explain how this should work in the new 2013 Exchange DAG?

  4. hi,

    I want to ask you a question: when publishing Outlook Anywhere (for Exchange 2007/2010) do we need a public
    certificate, or is a private CA enough?
    And thanks in advance.

  5. ayari islem says:

    The generated .req file is corrupted and we can’t generate a certificate. What should we do, knowing that we have a local cert authority?

  6. hi,

    Do I need an SSL certificate for ActiveSync for mobile devices?

  7. Todd Richards says:

    Paul,
    Great resource.
    If we plan to move the mailboxes from E2k3 to 2010 over a weekend, can we just export/import our current simple mail.domain.com certificate?

    Thx.

  8. Todd Richards says:

    “This makes a standard single-name SSL certificate unsuitable. Instead, Exchange Server 2010 must be installed with a SAN certificate.”

    Guess this answers my question unless it really can be worked around.
    Doesn’t installing E2010 immediately break E2k3 mobile access?

    Since Exchange without mobile access is almost useless in this day and age, how the heck can we achieve zero down-time if we have to install E2010 generate a certificate and wait for validation?

    Thanks for putting up with me!

We are an Authorized DigiCert™ SSL Partner.