How to Assign an SSL Certificate to Services in Exchange Server 2013

When an SSL certificate has been installed on an Exchange 2013 server it is not automatically enabled for any of the Exchange services, such as IIS (used for OWA, Outlook Anywhere, ActiveSync and so on), POP, IMAP or SMTP.

The administrator must manually assign the certificate to the services that the SSL certificate is intended to be used for.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate you wish to assign. The certificate must already be in a valid status before you can proceed further.

View the list of valid SSL certificates on the Exchange 2013 server

Click the edit icon and then select Services.

Edit the config of the SSL certificate to assign Exchange 2013 services

Tick the boxes for the services that you wish to assign the SSL certificate to, then click Save. The typical services to assign to an SSL certificate are IIS and SMTP.

See also Checkboxes Greyed Out When Managing Services for an Exchange 2013 SSL Certificate.

If you are overwriting existing certificates you will be prompted to confirm that.

Confirm overwriting existing certificates assigned to services

If you are using the same SSL certificate on multiple servers you can also export/import the certificate to those servers.
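The same steps can be performed from the Exchange Management Shell, which is useful when you have several servers to configure or want the assignment in a script. The following is an added example and not code from the original article; it assumes you are running it in the Exchange Management Shell on the server holding the certificate, and the names mail.contoso.com, EX02 and C:\certs\mail.pfx are placeholders.

```powershell
# Added example (not from the original article): assign a certificate to
# Exchange 2013 services from the shell instead of the EAC.
# Assumes the Exchange Management Shell on the target server.
$fqdn = 'mail.contoso.com'   # placeholder: the name on your certificate

# 1. Find the certificate. Only a certificate with Status 'Valid' can be
#    assigned, and a CA-issued one is preferred over the self-signed defaults.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Status -eq 'Valid' -and
        -not $_.IsSelfSigned -and
        ([string[]]$_.CertificateDomains) -contains $fqdn
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid, CA-issued certificate for $fqdn found on this server." }

# 2. Assign it to the services. IIS and SMTP are the typical set.
#    -Force suppresses the "overwrite the existing certificate" confirmation
#    that the EAC shows as a dialog.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. Confirm that the Services column now shows the assignment.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject,CertificateDomains,Services,NotAfter,Status

# 4. Optional: reuse the same certificate on another server. Export it with
#    its private key to a password-protected PFX and import it there.
$pw  = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pw
Set-Content -Path 'C:\certs\mail.pfx' -Value $pfx.FileData -Encoding Byte

# On the second server (placeholder name EX02), after copying the PFX there:
# $bytes = [byte[]](Get-Content 'C:\certs\mail.pfx' -Encoding Byte -ReadCount 0)
# Import-ExchangeCertificate -Server EX02 -FileData $bytes -Password $pw -PrivateKeyExportable $true
# Enable-ExchangeCertificate -Server EX02 -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
```

Enabling a certificate for SMTP does not unbind the self-signed certificate that Exchange created during setup; both remain enabled for SMTP, and which one a Receive connector presents depends on the connector's FQDN matching a name on the certificate. Check `Get-ExchangeCertificate` after the change rather than assuming the new certificate is the only SMTP certificate.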

To test that the SSL certificate is working you can browse to the Outlook Web App URL for that server and see whether you receive an invalid certificate warning from your web browser.

Testing certificate validity using OWA
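A browser check covers IIS only. To see which certificate the server actually presents on both of the typical services, HTTPS for OWA and SMTP with STARTTLS, the following added example (not part of the original article) opens each connection and reports the certificate's subject, subject alternative names, expiry, thumbprint and whether the chain validated from the client's point of view. It uses only .NET classes available in Windows PowerShell; the host name mail.contoso.com is a placeholder.

```powershell
# Added example (not from the original article): report the certificate a
# server presents on HTTPS (OWA) and on SMTP STARTTLS, plus the chain result.
# Placeholder host name; run from any Windows machine that can reach the server.
$owaHost  = 'mail.contoso.com'
$smtpHost = 'mail.contoso.com'

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$Port, [switch]$StartTls)

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $net    = $client.GetStream()

    if ($StartTls) {
        # Minimal SMTP dialogue to switch the plain-text session to TLS.
        $reader = New-Object System.IO.StreamReader($net)
        $writer = New-Object System.IO.StreamWriter($net)
        $writer.AutoFlush = $true
        $null = $reader.ReadLine()                       # 220 banner
        $writer.Write("EHLO tlscheck`r`n")
        do { $line = $reader.ReadLine() } while ($line -and $line[3] -eq '-')   # drain multi-line EHLO reply
        $writer.Write("STARTTLS`r`n")
        $reply = $reader.ReadLine()
        if ($reply -notlike '220*') { throw "STARTTLS refused by ${TargetHost}:${Port}: $reply" }
    }

    # Record the chain result instead of aborting, so a bad chain is reported rather than hidden.
    $script:chainErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
    $ssl.AuthenticateAsClient($TargetHost)   # sends SNI for $TargetHost
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
    $client.Close()

    [pscustomobject]@{
        Endpoint    = "${TargetHost}:${Port}"
        Subject     = $cert.Subject
        SANs        = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        ChainErrors = $script:chainErrors    # 'None' means a browser would show no warning
    }
}

Get-PresentedCertificate -TargetHost $owaHost  -Port 443
Get-PresentedCertificate -TargetHost $smtpHost -Port 25 -StartTls
```

Compare the thumbprint in the output with the one shown by `Get-ExchangeCertificate` on the server. If the browser or this script shows a different certificate from an external network than from inside, a firewall, reverse proxy or load balancer in front of Exchange is terminating TLS with its own certificate and needs updating separately.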

Comments

  1. Troy says

    Very informative article. I was trying to do the same method of creating, importing and enabling certs I used in 2007, and it more or less failed. Seems they changed the semantics of the PowerShell commands. So here is a question, I have deployed my new certs. In the past (2007) you removed the old certs. However there are 3 default certs, I am unsure if I am supposed to remove them or not, especially one of them CN=WMSvc. That sounds important?

    • says

      The shell parameters have changed a bit I think. 2010/2013 make it much easier to use the console/EAC tools to manage certs (for most scenarios) so I generally recommend people just use those.

      You can leave the default certs there.

  2. Jesse says

    Should we delete the old self signed certs after we get our new certificates or just leave them as is? Thank you for great information on Exchange 2013!

  3. cuocdoi says

    Hi Paul,

    For internal user/non-domain PC, do I need to create certificate ? and do I need to configure DNS record ?

    • says

      I generally recommend creating new certificates instead of relying on the self-signed ones.

      Yes you’ll need to create DNS records for any names/aliases you plan to use for different services (eg mail.domain.com).

  4. Doug Ickes says

    I currently have a certificate from GoDaddy on my existing production Exchange 2007 Server. I am now adding Exchange 2013 to my domain to run in parallel until I have all of my mailboxes migrated. How can I take the existing cert that is running on the 2007 server and add the Exchange 2013 server to it as well?

    My cert from GoDaddy allows for multiple domains/servers. Can I just add the new server to the cert then download and import to the 2013 Server?

  5. Sharkking says

    Hi there,

    Has anyone managed to use a wildcard certificate with Exchange 2013 and IMAP?

    WARNING: This certificate with thumbprint and subject ‘*.domain.tld’ cannot used
    for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    Trying to set the FQDN gives no error

    [PS] C:\Windows\system32>Set-IMAPSettings -server -X509CertificateName mail.domain.tld
    WARNING: Changes to IMAP4 settings will only take effect after all Microsoft Exchange IMAP4 services are restarted

    After the service restart, the same error as above appears when trying to enable SSL.

  6. Ryan says

    Hoping you can help Paul,

    I’ve set up a single server Exchange 2013 env, external webmail.domain.com and internally they access Outlook Anywhere with either exchangeserver.ad.domain.com or autodiscover.ad.domain.com (not sure which), I have two Wildcard Certs. *.ad.domain.com and *.domain.com.

    How can I secure the webmail.domain.com with the one External *.domain.com SSL cert and the other Internal outlook anywhere, which in my mind is still IIS with a different internal cert for *.ad.domain.com internally? It seems one or the other… ?

    Appreciate your thoughts…

  7. Rick says

    @Ryan,

    Hi Ryan,
    Did you ever get a solution for your problem, we have a similar issue we are facing and would appreciate any feedback from your experience.
    Thanks in advance
    Rick.

  8. Ryan says

    @Rick

    I did in the end. There’s a tool I used which takes the urls per service and the certificates you want and goes through ex2013 setting all the vdirs etc in the way I needed. I was initially sus about anything other than my hands meddling with exchange but it came recommended by another internal exchange engineer here, and worked a treat.

    And the url you’re no doubt hanging out for is this I think from a quick mobile search. http://www.digicert.com/internal-domain-name-tool.htm

    Best of luck!

    Ryan

  9. Ignacio Beltran says

    Hi all, question, what types of certs does Exchange 2013 manage? Does it allow wildcards and multiple domains?

    Regards

  10. ElsaMccarter says

    Hi everyone, it’s my first pay a visit at this web page, and article is genuinely fruitful for me, keep up posting these articles.

  11. AthenaKrause says

    I’m extremely pleased to find this great site. I wanted to thank you for your time for this particularly wonderful read!! I definitely loved every little bit of it and i also have you book marked to check out new information on your site.

  12. Vahur says

    Maybe you have some idea about a little problem?
    I want to let my users use a receive connector for relay. It is authenticated and requires SSL.
    I have installed a certificate for: emailserver.company.com
    This certificate is enabled for IIS, IMAP, and SMTP. With IIS and IMAP it’s fine, but when I try to do an SMTP session over SSL, the server offers me the default self-signed certificate created during install (it works, but gives a security warning for the clients). I have been trying to tell Exchange to use the emailserver.company.com certificate for SMTP SSL connections, but failed. I just can’t make the proper certificate the “default”, and with SMTP it’s not that simple as with other services: if I enable the next certificate for SMTP, the previous certificates stay enabled too.
    Any thoughts?

    • Jason Parsons says

      Hello, I have the same issue as above where my SMTP relay refuses to use the cert I purchased even though it is listed to use SMTP as one of the services. Did you get this resolved? And if so, how? – Thank you in advance!

      • Jason Parsons says

        Never mind, I got it figured out. You have to create a new Frontend Receive connector and change the FQDN of that new connector to the same as the cert, i.e. mail.domain.com

        Jason
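The behaviour in the two comments above comes down to name matching: Exchange picks the SMTP certificate whose subject or subject alternative name matches the Receive connector's FQDN, and falls back to the self-signed certificate when none does. The following added example (not posted by either commenter and not from the article) lists each Receive connector on a server with the CA-issued, SMTP-enabled certificates whose names cover its FQDN, so the mismatched connector can be identified before anything is changed. It assumes the Exchange Management Shell; the connector and host names are placeholders.

```powershell
# Added example (not from the original thread): show each Receive connector's
# FQDN alongside the SMTP-enabled certificates whose names cover it.
# Assumes the Exchange Management Shell on the server being checked.
$server = $env:COMPUTERNAME

$smtpCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'SMTP' -and -not $_.IsSelfSigned }

function Test-NameCovered {
    # True when $Name equals one of the certificate names or matches a
    # wildcard name. A wildcard covers exactly one label: *.contoso.com
    # covers mail.contoso.com but not mail.internal.contoso.com.
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = [regex]::Escape($n.Substring(2))
            if ($Name -match "^[^.]+\.$suffix$") { return $true }
        }
    }
    return $false
}

Get-ReceiveConnector -Server $server | ForEach-Object {
    $rc = $_
    $matching = $smtpCerts | Where-Object {
        Test-NameCovered -Name $rc.Fqdn.ToString() -CertNames ([string[]]$_.CertificateDomains)
    }
    [pscustomobject]@{
        Connector   = $rc.Identity
        Role        = $rc.TransportRole
        Bindings    = ($rc.Bindings -join ', ')
        Fqdn        = $rc.Fqdn
        CaCertMatch = $(if ($matching) { $matching.Thumbprint -join ', ' }
                        else { 'none: the self-signed certificate will be offered' })
    }
} | Format-Table -AutoSize

# To fix a connector that shows no match, set its FQDN to a name on the
# certificate (connector name and FQDN are placeholders):
# Set-ReceiveConnector -Identity "$server\Client Frontend $server" -Fqdn 'mail.contoso.com'
```

Exchange refuses to change the FQDN of a connector that uses Exchange Server authentication, which is why the Default Frontend connector cannot simply be renamed and Jason ended up creating a dedicated frontend connector for client relay with the certificate's name as its FQDN.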

  13. Michel Bernabela says

    Hi to all,

    I have a question regarding microsoft-server-activesync. I have installed a new exchange 2013 and outlook internally and owa externally (https://clientname.dyndns.org/owa) were working fine with the self-signed certificate generated during setup.

    After changing the external url for microsoft-server-activesync to “https://clientname.dyndns.org/Microsoft-Server-ActiveSync”, EAS was working but after a while now it sees a previous old certificate that I was using on the phones and that is expired.

    Also my external “https://clientname.dyndns.org/OWA” is not working anymore and is also seeing this old certificate now. How can I solve this?

    Now only my outlook clients are connecting to outlook with the self signed certificate generated by the setup. Can I have my local outlook clients using the self signed certificate generated by the setup and create a new certificate only to be used by OWA and EAS for mobile?

    I really appreciate any help…

    • says

      Only one certificate can be bound to IIS on Exchange for use with OWA, EAS, and any other HTTPS services.

      Sounds like you’re seeing different results for internal vs external clients. That suggests to me that a firewall, reverse proxy, or load balancer is being used to handle the incoming connections from external devices, and that most likely has the old expired certificate still configured on it.
