Create certificates for UM in Exchange Server

Applies to: Exchange Server 2013, Exchange Server 2016

You can use the New Exchange Certificate wizard in the EAC or the Shell to create self-signed certificates or certificate requests for an internal public key infrastructure (PKI) certificate. For Unified Messaging (UM), you can use one of these certificates for both the Microsoft Exchange Unified Messaging service and the Microsoft Exchange Unified Messaging Call Router services. You can use the same certificate for both services, or a different certificate for each service. You can also purchase and import a third-party commercial certificate for UM services. If you're using a self-signed certificate for UM, you may need to include the name of your Client Access and Mailbox servers in the subject alternative name (SAN).

By default, when you install Exchange Server 2013, two self-signed certificates are created: Microsoft Exchange Server Auth Certificate and Microsoft Exchange. The Microsoft Exchange self-signed certificate can be used by UM to encrypt data, but you must assign the certificate to the UM and UM Call Router services. After you assign the certificate to the Unified Messaging services, it can be copied to and imported to the VoIP gateways, IP PBXs, and SIP-enabled PBXs. However, instead of using the default self-signed certificates, you may need to create another one specifically for Unified Messaging.

For additional management tasks related to managing certificates for Unified Messaging, see Deploying certificates for UM procedures.

What do you need to know before you begin?

• Estimated time to complete: 5 minutes.

• You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell infrastructure permissions topic and the "UM service" entry in the Unified Messaging permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.

• For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Use the EAC to create a certificate request for UM

1. In the EAC, navigate to Servers > Certificates, and then click Add .

2. On the New Exchange certificate page, select Create a request for a certificate from a certification authority, and then click Next.

3. Enter a friendly name for the certificate, and then click Next.

4. If you don't need a wildcard certificate, click Next. If you need a wildcard certificate, select Request a wildcard certificate. A wildcard certificate can be used to secure all sub-domains under your root domain with a single certificate, enter the name of the root domain, and then click Next.

5. Under Store certificate request on this server, click Browse to go to the location where you want to store the file. You can store the certificate request on any Client Access or Mailbox server in your Exchange organization. Select the location, click OK, and then click Next.

6. If you requested a wildcard certificate, skip to step 9.

7. If you didn't request a wildcard certificate, you'll need to specify the domains you want to be included in your certificate. If you want to edit a domain, click Edit, and then click Next.

8. Under Based on your selections, the following domains will be included in your certificate. You can add additional domains here, or make changes, you can add, edit, remove, or check the name of domains that are listed under Domain. Then click Next.

9. Under Specify information about your organization. This is required by the certification authority, enter the following:

   • Organization name
   • Department name
   • City/Locality
   • State/Province
   • County/Region name: For this option, use the drop-down list to select the country or region.

10. Under Save the certificate request to the following file, enter the name of the certificate file, and then click Finish.

Use the Shell to create a certificate request for UM

This example creates a new Exchange certificate request for a Mailbox server named MyMailboxServer with a friendly name of CertUM.

New-ExchangeCertificate -FriendlyName 'CertUM' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -DomainName '*.northwindtraders.com' -SubjectName 'C=US,S=wa,L=redmond,O=northwindtraders,OU=servers,CN= northwindtraders.com' -Server 'MyMailboxServer'

Use the EAC to create a self-signed certificate for UM

1. In the EAC, navigate to Servers > Certificates, and then click Add .

2. On the New Exchange certificate page, choose Create a self-signed certificate, and then select Next.

3. Enter a friendly name for the certificate, and then select Next.

4. Click Add to select the Exchange servers that you want to apply this certificate to, and then select Next.

5. Specify the domains that you want to be included in your certificate, and then select Next. If you want to add a domain for a service, click Edit .

6. Verify that the domains you included are correct, and then select Finish.

Use the Shell to create a self-signed certificate for UM

This example creates a new Exchange self-signed certificate for a Mailbox server named MyMailboxServer with a friendly name of UMCert.

New-ExchangeCertificate -Services 'UM, UMCallRouter' -DomainName '*.northwindtraders.com' -FriendlyName 'UMSelfSigned' -SubjectName 'C=US,S=WA,L=Redmond,O=Northwindtraders,OU=Servers,CN= Northwindtraders.com' -PrivateKeyExportable $true