How to Assign an SSL Certificate to Services in Exchange Server 2013

When an SSL certificate has been installed on an Exchange 2013 server it is not automatically enabled for any of the Exchange services such as IIS (for OWA, Outlook Anywhere, ActiveSync etc), POP, IMAP or SMTP.

The administrator must manually assign the certificate to the services that the SSL certificate is intended to be used for.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate you wish to assign. The certificate must already been in a valid status before you can proceed further.

View the list of valid SSL certificates on the Exchange 2013 server

Click the edit icon and then select Services.

Edit the config of the SSL certificate to assign Exchange 2013 services

Tick the boxes for the services that you wish to assign the SSL certificate to, then click Save. The typical services to assign to an SSL certificate are IIS and SMTP.

See also Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate.

If you are overwriting existing certificates you will be prompted to confirm that.

Confirm overwriting existing certificates assigned to services

If you are using the same SSL certificate on multiple servers you can also export/import the certificate to those servers.

To test that the SSL certificate is working you can browse to the Outlook Web App URL for that server and see whether you receive an invalid certificate warning from your web browser.

Testing certificate validity using OWA

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. Very informative article. I was trying to do the same method of creating, importing and enabling certs i used in 2007, and it more or less failed. Seems they changed the semantics of the powershell commands. So here is a question, I have deployed my new certs. In the past (2007) you removed the old certs. However there are 3 default certs, I am unsure if I am supposed to remove them or not, especially one of them CN=WMSvc. That sounds important?

    • The shell parameters have changed a bit I think. 2010/2013 make it much easier to use the console/EAC tools to manage certs (for most scenarios) so I generally recommend people just use those.

      You can leave the default certs there.

  2. Should we delete the old self signed certs after we get our new certificates or just leave them as is? Thank you for great information on Exchange 2013!

  3. cuocdoi says:

    Hi Paul,

    For internal user/non-domain PC, do I need to create certificate ? and do I need to configure DNS record ?

    • I generally recommend creating new certificates instead of relying on the self-signed ones.

      Yes you’ll need to create DNS records for any names/aliases you plan to use for different services (eg mail.domain.com).

  4. Doug Ickes says:

    I currently have a certificate from GODaddy on my existing production Exchange 2007 Server. I am now adding Exchange 2013 to my domain to run in parallel until I have all of my mailboxes migrated. How can I take the existing cert that is running on the 2007 server and add the Exchange 2013 server to it as well,.

    My cert from GoDaddy allows for multiple domains/servers. Can I just add the new server to the cert then download and import to the 2013 Server?

  5. Sharkking says:

    Hi there,

    does anyone made it to use a wildcard cretificate with exchange 2013 and imap ?

    WARNING: This certificate with thumbprint and subject ‘*.domain.tld’ cannot used
    for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    Trying to set the fqn gives no error

    [PS] C:\Windows\system32>Set-IMAPSettings -server -X509CertificateName mail.domain.tld
    WARNING: Changes to IMAP4 settings will only take effect after all Microsoft Exchange IMAP4 services are restarted

    after service restart same error as above when trying to enable ssl.

  6. Hoping you can help Paul,

    I’ve setup a single server Exchange 2013 env, external webmail.domain.com and internally they access Outlook Anywhere with either exchangeserver.ad.domain.com or autodiscover.ad.domain.com (not sure which), I have two Wildcard Certs. *.ad.domain.com and *.domain.com.

    How can I secure the webmail.domain.com with the one External *.domain.com SSL cert and the other Internal outlook anywhere, which in my mind is still IIS with a different internal cert for *.ad.domain.com internally? It seems one or the other… ?

    Appreciate your thoughts…

  7. @Ryan,

    Hi Ryan,
    Did you ever get a solution for your problem, we have a similar issue we are facing and would appreciate any feedback from your experience.
    Thanks in advance
    Rick.

  8. @Rick

    I did in the end. There’s a tool I used which takes the urls per service and the certificates you want and goes through ex2013 setting all the vdirs etc in the way I needed. I was initially sus about anything other than my hands meddling with exchange but it came recommended by another internal exchange engineer here, and worked a treat.

    And the url you’re no doubt hanging out for is this I think from a quick mobile search. http://www.digicert.com/internal-domain-name-tool.htm

    Best of luck!

    Ryan

Leave a Comment

*

We are an Authorized DigiCert™ SSL Partner.