
Plan for third-party SSL certificates for Office 365

 

Applies to: Office 365 Enterprise

Topic Last Modified: 2013-08-23

Summary: Describes the SSL certificates needed for Exchange on-premises and hybrid, SSO using AD FS, Exchange Online services, and Exchange Web Services.

To encrypt communications between your clients and the Office 365 environment, third-party Secure Sockets Layer (SSL) certificates must be installed on your infrastructure servers.

Certificates are required for the following Office 365 components:

  • Exchange on-premises

  • Single sign-on (SSO) (for both the Active Directory Federation Services (AD FS) federation servers and AD FS federation server proxies)

  • Exchange Online services, such as Autodiscover, Outlook Anywhere, and Exchange Web Services

  • Exchange hybrid server

For an overview about how to use digital certificates to make the communication between the on-premises Exchange organization and Exchange Online secure, see the TechNet article Understanding Certificate Requirements.

To provide your users with a simplified single sign-on experience that includes robust security, the certificates shown in the following table are required on either the federation servers or the federation server proxies.

Certificate type: SSL certificate (also called a server authentication certificate)

Description: This is a standard SSL certificate that is used to make communications between federation servers, clients, and federation server proxy computers secure.

What you need to know before you deploy:

Active Directory Federation Services (AD FS) 2.0 requires an SSL certificate. By default, AD FS 2.0 uses the SSL certificate that is configured for the default website in Internet Information Services (IIS).

The subject name of this SSL certificate is used to determine the Federation Service (FS) name for each instance of AD FS 2.0 that you deploy. For any new certification authority (CA)-issued certificate, choose a subject name that best represents the name of your company or organization to Office 365. This name must be Internet-routable.

Warning: AD FS 2.0 requires that this SSL certificate have no dotless (short-name) subject name.

Recommendation: Because this certificate must be trusted by clients of AD FS 2.0, we recommend that you use an SSL certificate issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte.

Certificate type: Token-signing certificate

Description: This is a standard X.509 certificate that is used for securely signing all tokens that the federation server issues and that Office 365 accepts and validates.

What you need to know before you deploy:

The token-signing certificate must contain a private key that chains to a trusted root in the FS. By default, AD FS 2.0 creates a self-signed certificate. However, depending on the needs of your organization, you can change this certificate to a CA-issued certificate by using the AD FS 2.0 management snap-in.

Caution: The token-signing certificate is critical to the stability of the FS. If the certificate is changed, Office 365 must be notified of the change. If notification is not provided, users can't sign in to their Office 365 service offerings.

Recommendation: We recommend that you use the self-signed token-signing certificate that is generated by AD FS 2.0. AD FS 2.0 then manages this certificate for you by default; for example, when this certificate is about to expire, AD FS 2.0 generates a new self-signed certificate.

Federation server proxies require the certificate that is described in the following table.

Certificate type: SSL certificate

Description: This is a standard SSL certificate that is used for securing communications between a federation server, a federation server proxy, and Internet client computers.

What you need to know before you deploy:

This SSL certificate must be bound to the default website in IIS before you can successfully run the AD FS 2.0 Federation Server Proxy Configuration wizard.

This certificate must have the same subject name as the SSL certificate that was configured on the federation server in the corporate network.

Recommendation: We recommend that you use the same server authentication certificate that is configured on the federation server that this federation server proxy connects to.

For more information, see Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on.
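The following script is an added example, not Microsoft's code, that turns the planning rules above into a check you can run against your certificate plan before deployment: the federation server's SSL subject name must be a dotted, Internet-routable name; the federation server proxy's SSL certificate must carry the same subject name; and a token-signing certificate that is about to change must be flagged so that Office 365 can be notified. The certificate records are constructed DN strings and dates rather than real certificates, the role names and the list of non-routable suffixes are assumptions of this example, and the expiry threshold is an arbitrary default.

```python
"""Planning-time checks for AD FS 2.0 certificates (added example, not Microsoft's code).

All input below is constructed: the subjects are hand-written X.500 DN strings and
the dates are made up; nothing is read from a real certificate store.
"""
from dataclasses import dataclass
from datetime import date
import re

# RFC 1035-style DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Suffixes treated as not routable on the public Internet (heuristic list, an assumption).
NON_ROUTABLE_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".localhost")


@dataclass
class PlannedCert:
    role: str            # "federation-server", "federation-proxy" or "token-signing" (assumed names)
    subject: str         # X.500 DN string, e.g. "CN=sts.contoso.com, O=Contoso Ltd"
    not_after: date      # planned expiry
    self_signed: bool = False


def common_name(dn):
    """Return the CN attribute of a DN string, or None if it has no CN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def subject_name_issues(name):
    """Apply the AD FS 2.0 SSL subject-name rules: no dotless name, valid labels, Internet-routable."""
    if name is None:
        return ["subject has no CN"]
    if "." not in name:
        return [f"'{name}' is a dotless (short) name; AD FS 2.0 does not accept it"]
    issues = []
    if any(not LABEL_RE.match(label) for label in name.split(".")):
        issues.append(f"'{name}' contains an invalid DNS label")
    if name.lower().endswith(NON_ROUTABLE_SUFFIXES):
        issues.append(f"'{name}' is not Internet-routable")
    return issues


def check_plan(certs, today, expiry_warning_days=30):
    """Return a list of findings for the planned certificates; an empty list means the plan is clean."""
    findings = []
    by_role = {c.role: c for c in certs}
    fs = by_role.get("federation-server")
    proxy = by_role.get("federation-proxy")
    signing = by_role.get("token-signing")

    if fs is None:
        findings.append("federation-server: no SSL certificate planned")
    else:
        findings += [f"federation-server: {i}" for i in subject_name_issues(common_name(fs.subject))]
        if fs.self_signed:
            findings.append("federation-server: SSL certificate should come from a publicly trusted CA")

    # The proxy must present the same subject name as the federation server it fronts.
    if proxy is not None and fs is not None:
        if (common_name(proxy.subject) or "").lower() != (common_name(fs.subject) or "").lower():
            findings.append("federation-proxy: subject name differs from the federation server's SSL certificate")

    # A change of token-signing certificate must be communicated to Office 365, whether
    # AD FS 2.0 renews a self-signed certificate itself or an admin installs a CA-issued one.
    if signing is not None:
        days_left = (signing.not_after - today).days
        if days_left <= expiry_warning_days:
            how = ("AD FS 2.0 will generate a replacement automatically" if signing.self_signed
                   else "plan the replacement now")
            findings.append(f"token-signing: certificate expires in {days_left} days; {how} "
                            "and notify Office 365 of the new certificate")
    return findings


# Constructed sample plan: matching FS/proxy names and a self-signed signing cert close to expiry.
SAMPLE_PLAN = [
    PlannedCert("federation-server", "CN=sts.contoso.com, O=Contoso Ltd", date(2015, 1, 1)),
    PlannedCert("federation-proxy", "CN=sts.contoso.com, O=Contoso Ltd", date(2015, 1, 1)),
    PlannedCert("token-signing", "CN=ADFS Signing - sts.contoso.com", date(2014, 9, 1), self_signed=True),
]


def sample_findings():
    """Run the checks over the constructed plan as of the constructed date 2014-08-23."""
    return check_plan(SAMPLE_PLAN, date(2014, 8, 23))


if __name__ == "__main__":
    for finding in sample_findings() or ["plan is clean"]:
        print(finding)
```

Running the sample reports only that the self-signed token-signing certificate is nine days from expiry; changing the proxy's subject to a different name, or the federation server's to a dotless or `.local` name, adds the corresponding finding.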

Your external-facing Exchange 2013, Exchange 2010, Exchange 2007, and Exchange 2003 Client Access servers (CASs) require a third-party SSL certificate for secure connections for Autodiscover, Outlook Anywhere, and Active Directory synchronization services. You may already have this certificate installed in your on-premises environment.

Your external-facing Exchange hybrid server or servers require a third-party SSL certificate for secure connectivity with the Exchange Online service. You need to get this certificate from your third-party SSL provider.

© 2014 Microsoft