Create a New Exchange Certificate


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-03-19

After you have installed the Client Access server role, you'll need to create a Secure Sockets Layer (SSL) certificate for the various services in your organization.

The Client Access server role has been installed.

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

  1. In the console tree, click Server Configuration.

  2. In the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.

  3. On the Introduction page, enter a friendly name for your certificate.

  4. On the Domain Scope page, select the Enable wildcard certificate check box, and then enter a root domain if you want to apply the certificate to all subdomains automatically by creating a wildcard certificate.

  5. If you didn't choose to create a wildcard certificate, use the Exchange Configuration page to select the services and protocols that your certificate will need to support. Choose from the following options:

    • Federated Sharing If you will be using this certificate for Federated Sharing, select the Use this certificate for Federated Sharing check box.

    • Client Access server (Outlook Web App) If you'll be using this certificate for Outlook Web App, select the appropriate boxes for Outlook Web App on the Intranet or on the Internet and enter the domain name you use to access Outlook Web App.

    • Client Access server (Exchange ActiveSync) If you'll be using this certificate for Exchange ActiveSync, select the Exchange ActiveSync is enabled check box and enter the domain name you use to access Exchange ActiveSync.

    • Client Access server (Exchange Web Services, Outlook Anywhere, and Autodiscover) If you'll be using this certificate for Exchange Web Services, Outlook Anywhere, or the Autodiscover service, select the applicable check boxes and enter the external host name for your organization. For the Autodiscover service, choose whether you will be using the Long URL format, the Short URL format, or a custom format. In the Autodiscover URL to use box, enter the full URL to the Autodiscover service.

    • Client Access server (POP/IMAP) Select the check boxes to specify whether your users will be using POP and IMAP on the Intranet and the Internet. Enter the domain names to use for both POP and IMAP.

    • Unified Messaging Server If you'll be using Unified Messaging, choose whether you'll use a self-signed certificate or a public certificate. You must use a public certificate if you are using Unified Messaging with Office Communications Server. For either option, enter the fully qualified domain name (FQDN) of your Unified Messaging server.

    • Hub Transport Server Enter the FQDN of your Hub Transport server if you'll be using mutual TLS to help secure Internet mail or if you'll be using a Hub Transport server for POP and IMAP client submission.

    • Legacy Exchange Server Select Use legacy domains and enter the legacy domain name if you're upgrading from a previous version of Exchange Server and will be operating in a coexistence scenario for a period of time during the upgrade.

  6. Review the list of domains that will be added to the certificate on the Certificate Domains page. You can click Add to add another domain or click one of the domains listed and then click Edit if you need to make changes. Use the Set as common name option to choose one of the domains to be the common name of the certificate.

  7. On the Organization and Location page, enter information about your Exchange organization. You'll need to enter the name of your Organization, the Organization unit, and location information including the Country/region, City/locality, and State/province. Under the Certificate Request File Path section, click Browse to select a location for the certificate request file, and then enter the file name you want to use.

  8. On the Certificate Completion page, verify that all the information you've entered is correct. If it is, click New.

  9. On the Completion page, follow the steps listed to complete your request. This page also contains the cmdlet syntax necessary to create a new certificate.

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

The code example below outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a certification authority (CA) within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output into an e-mail message or into the appropriate field on the certificate request Web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.

The certificate that results has the following attributes associated with it:

  • Subject name: c=<ES>,o=<Woodgrove Bank>,

  • Subject alternate names: and

  • An exportable private key

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank," -DomainName, -PrivateKeyExportable $true
 © 2010 Microsoft Corporation. All rights reserved.