How to Assign an SSL Certificate to Exchange Server 2010 Services

After an SSL certificate has been installed on an Exchange Server 2010 server, you can assign different Exchange services to use that certificate.

To assign a service to a certificate, launch the Exchange Management Console. Navigate to Server Management, and select the server that has the certificate installed.

If you encounter an error message of “The certificate is invalid for exchange server usage”, see this article for the solution.

Right-click the certificate you wish to assign and choose Assign Services to Certificate.

Click Next to continue the wizard.

Choose the services you wish to assign to the certificate.  In this example I am choosing IIS so that the certificate can be used for OWA, ActiveSync, etc.

Click Assign to execute the change.

When the task has completed successfully, click Finish to close the wizard.

The certificate will now appear with the chosen services assigned to it.
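The same assignment can be made from the Exchange Management Shell. The script below is an added example, not part of the original article: it checks the certificate before binding it (status, private key, expiry, and whether the host names clients use are on it) and then assigns IIS. The thumbprint and the `example.com` host names are placeholders to replace with your own values.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2010.
# Placeholder values below are constructed; replace them with your own.
$Thumbprint    = '<THUMBPRINT-OF-INSTALLED-CERTIFICATE>'
$Server        = $env:COMPUTERNAME
$ExpectedNames = @('mail.example.com', 'autodiscover.example.com')

# 1. Locate the installed certificate on the server.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on $Server." }

# 2. Refuse to bind a certificate that clients would reject anyway.
if ($cert.Status -ne 'Valid')      { throw "Certificate status is $($cert.Status)." }
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if ($cert.IsSelfSigned) { Write-Warning 'Self-signed: clients will not trust it by default.' }

# 3. Check that every name clients connect to is on the certificate,
#    either exactly or through a single-label wildcard (*.example.com).
#    Assumption: each CertificateDomains entry converts to its host name as a string.
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = @($ExpectedNames | Where-Object {
    $name     = $_.ToLower()
    $wildcard = '*.' + ($name -replace '^[^.]+\.', '')
    -not (($certNames -contains $name) -or ($certNames -contains $wildcard))
})
if ($missing.Count -gt 0) { throw "Names not on certificate: $($missing -join ', ')" }

# 4. Assign IIS (OWA, ActiveSync, etc.), as chosen in the wizard above.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services IIS

# 5. Confirm which services each certificate on the server now holds.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
```

A name missing in step 3 is the condition that produces the "name on the security certificate is invalid or does not match the name of the site" prompt in Outlook.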

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. Brian B says:

    Hi Paul, first let me say great website and book. I have an issue possibly in regards to this issue. I have inherited a position where my first project is to complete the 2010 migration from a mixed Exchange environment. Here is my issue. I am receiving the error message “Security Alert [CAS-SVR2007.domain.com] The name on the security certificate is invalid or does not match the name of the site”. The user in question is a user recently migrated to a 2010 mailbox database. I’m not sure why it’s looking at the 2007 CAS server when the mailbox has been migrated to 2010.

    Old system: 2003 backend –> CAS-SVR2007 frontend. New system: EX0A-EX0B (DAG configured), EX0B CAS 2010. The SAN certificate is configured for the new Exchange system.

    • Hi Brian, if you’ve got both Ex2007 and Ex2010 CAS in the same AD Site then Outlook 2007/2010 clients can and will connect to either one for various web services (eg Autodiscover, Availability) under different scenarios.

      Putting a trusted cert on the CAS would be the simplest fix. If you have an internal CA you can just issue the cert from there.

  2. Andy Dobbs says:

    Do we need to restart IIS after the service has been assigned to a certificate for OWA, ActiveSync, etc.?
    What is the syntax of the entry into a mobile device to attach via ActiveSync?

  3. I installed Exchange Server 2010 in coexistence with Exchange Server 2003 at the 2003 domain functional level, with a 2003 global catalog server.
    I ran the commands to prepare legacy Exchange permissions and prepare AD.
    Installation was fine. I also replicated public folders from 2003 to 2010 and I also moved the 10 mailboxes from 2003 to 2010.
    ActiveSync and OWA are working fine. I installed all roles (Mailbox, CAS, Hub Transport) on one server, and after the installation Exchange installed a self-signed certificate, which it does when we install a CAS server.
    I also purchased a SAN certificate from Go Daddy.
    I installed the Go Daddy certificate and it works fine.
    I assigned the IIS, SMTP, IMAP and POP3 services to the Go Daddy certificate, but if I look in EMC or Get-ExchangeCertificate in the shell it shows IMAP, SMTP and POP are also assigned to the Exchange self-signed certificate. Should I remove the Exchange self-signed certificate or leave it there as it is?
    I also created an SRV record in DNS for autodiscover pointing to the CAS array.
    The issue that I am getting is that some users that I moved to Exchange 2010 are reporting that they sometimes receive a pop-up error message when they open Outlook.

    First error: "Allow this website to configure user@domain.com server settings. Your account has been redirected to this website for settings." This error is random, not continuous, and sometimes the users who are still on Exchange 2003 get this error. Whenever I create a new Outlook profile for a user either on Exchange 2003, I receive this pop-up error.

    Second error: it's a certificate error and the information on that error is:
    1. Security certificate is from trusted Authority.
    2. Certificate Date is valid.
    3. The name on the Security certificate is invalid or does not match the name of the site. Do you want to proceed? Yes or No.

    FYI.
    I have added 5 alternate names on the SAN certificate from Go Daddy.
    One of them is server.domain.com.
    I created a CAS array with the name outlook.domain.com and this name is also on the certificate. I added the Exchange server to this CAS array.
    If I hold Control and right-click on the Outlook icon in the taskbar and then test the connection, it shows that Outlook is connected to the CAS array that I connected.
    I don't know what's wrong here, why users are receiving the certificate error, and not every day; it's random. If I look into the certificate error it shows the words Common Name. Maybe you know.

  4. I have already assigned the IIS service to a third-party certificate.

    Now I need to assign the IIS service to another third-party certificate.

    How can I change the service binding to the other certificate?

  5. Hi Paul,

    When I run Test-OutlookWebServices it gets an error message when connecting to mail.mycompany.com/ews/exchange..asmx (outside address). Received error: a state connection failed because the connected party did not respond on time. Then it shows my external IP address:443. Please advise. I am using a wildcard and my firewall has HTTPS and HTTP open for CAS.
