Obtain a Server Certificate from a Certification Authority

Applies to: Exchange Server 2010

Topic Last Modified: 2011-03-19

Obtaining a server certificate from a certification authority (CA) is one step in configuring Secure Sockets Layer (SSL) or Transport Layer Security (TLS). You can obtain server certificates from a third-party CA, which may require you to provide proof of identity before a certificate is issued. You can also issue your own server certificates by using an online CA, such as Microsoft Certificate Services.

For more information about server certificates, see the Windows Server 2003 Internet Information Services (IIS) documentation.

Microsoft Exchange Server 2010 includes a default self-signed SSL certificate. You can replace this certificate with a third-party certificate from a CA. To do this, you must first delete the self-signed certificate. For more information about how to replace the self-signed certificate, see Install an SSL Certificate on a Client Access Server.

Looking for other management tasks related to SSL? Check out Managing SSL for a Client Access Server.

As a security best practice, log on to your computer using an account that isn't in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

The code example below outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a CA within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output into an e-mail message or into the appropriate field on the certificate request Web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.

The certificate that results has the following attributes associated with it:

  • Subject name: c=<ES>,o=<Woodgrove Bank>,cn=mail1.woodgrovebank.com
  • Subject alternate names: woodgrovebank.com and example.com
  • An exportable private key

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable $true

Use the procedures specified by your chosen CA to send the certificate request to the CA.
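
The following is an added example, not part of the original topic: it saves the request from the command above to a file and decodes it locally, so that the subject and alternate names can be checked before the request is sent to the CA. The path C:\CertRequests\mail1.req is a hypothetical location, and the text matching assumes English-language certutil output.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Assumption: $reqPath is a hypothetical location; choose a folder only administrators can write to.
$reqPath = "C:\CertRequests\mail1.req"

# -GenerateRequest returns the Base64 (PKCS #10) request as text; the private key
# stays in the local certificate store and is not part of the request.
# -PrivateKeyExportable $true allows the key to be exported with the issued
# certificate later; use $false if the certificate will only ever live on this server.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" `
    -DomainName woodgrovebank.com, example.com `
    -PrivateKeyExportable $true

# Save the request so it can be submitted to the CA as a file.
New-Item -ItemType Directory -Path (Split-Path $reqPath) -Force | Out-Null
Set-Content -Path $reqPath -Value $request

# Decode the saved request locally before it leaves the server.
$dump = certutil -dump $reqPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $reqPath" }

# Every name clients will connect to must be in the request; a CA signs what it
# is given, and a missing name shows up later as a client certificate warning.
$expected = "CN=mail1.woodgrovebank.com",
            "DNS Name=woodgrovebank.com",
            "DNS Name=example.com"
foreach ($entry in $expected) {
    if (-not ($dump | Select-String -SimpleMatch $entry -Quiet)) {
        throw "'$entry' is missing from the request. Do not submit it."
    }
}

# Show the fields worth a final visual check: names and key size.
$dump | Select-String -Pattern "CN=", "DNS Name=", "Public Key Length"
```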