Configure Exchange 2016 certificates

Estimated time to complete: 10 to 15 minutes (not including response time from the certificate authority)

Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2016 server. You can choose whether you want to re-use the SSL certificate installed on a pre-existing Exchange server or purchase a new SSL certificate from a third-party certificate authority (CA). If you decide to re-use a certificate, the host names you've configured on the Exchange 2016 virtual directories must match the host names configured on the SSL certificate.

How do I get and install a third-party SSL certificate?

  1. Open the EAC by browsing to the URL of your Mailbox server. For example, https://Ex2016/ECP.

  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.

  3. Go to Servers > Certificates. On the Certificates page, make sure your Mailbox server is selected in the Select server field, and then click New.

  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority, and then click Next.

  5. Specify a name for this certificate, and then click Next.

  6. If you want to request a wildcard certificate, select Request a wild-card certificate, and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

  7. Click Browse, and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Mailbox server. Click Next.

  8. For each service in the following list, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:

    • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show owa.contoso.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.contoso.com.

    • If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the Internet) should show owa.contoso.com and Outlook Web App (when accessed from the Intranet) should show internal.contoso.com.

    These domains will be used to create the SSL certificate request. Click Next.

  9. Add any additional domains you want included on the SSL certificate.

  10. Select the domain that you want to be the common name (for example, contoso.com) for the certificate and click Set as common name. Click Next.

  11. Provide information about your organization. This information will be included with the SSL certificate. Click Next.

  12. Specify the network location where you want this certificate request to be saved. Click Finish.

After you've saved the certificate request, submit the request to your CA. This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Mailbox server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

  1. On the Servers > Certificates page in the EAC, select the certificate request you created in the previous steps.

  2. In the certificate request details pane, under Status, click Complete.

  3. On the Complete pending request page, specify the path to the SSL certificate file, and then click OK.

  4. Select the new certificate you just added, and then click Edit.

  5. On the certificate page, click Services.

  6. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.

  7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
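The same request, completion and service assignment can be scripted in the Exchange Management Shell. This is an added example, not code from the page; the server name, host names, organization values and file share are assumed placeholders.

```powershell
# Added example: Exchange Management Shell equivalent of the EAC steps above.
# 'Ex2016', the contoso.com names and the \\FileServer01 share are placeholders.

$server   = 'Ex2016'
$reqPath  = '\\FileServer01\Certs\ex2016.req'   # where the request is saved (step 12)
$certPath = '\\FileServer01\Certs\ex2016.cer'   # certificate file returned by the CA

# 1. Generate the request. The common name plus every internal/external host
#    name that clients use (steps 8 to 10) go into DomainName. PrivateKeyExportable
#    lets you move the certificate to another server later, as the second procedure
#    on this page requires.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'Contoso Exchange 2016' `
    -SubjectName 'c=US,o=Contoso,cn=mail.contoso.com' `
    -DomainName mail.contoso.com,owa.contoso.com,autodiscover.contoso.com `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr
# Submit $reqPath to your internal or third-party CA, then continue with the .cer file.

# 2. Complete the pending request with the certificate the CA issued.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($certPath))

# 3. Assign services. IIS is the minimum; adding SMTP prompts before replacing the
#    default transport certificate unless you also pass -Force.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP
```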

How do I re-use a pre-existing Exchange SSL certificate?

First, you need to export your certificate from your pre-existing Exchange server with the certificate's private key using the following steps:

  1. Log on directly to a pre-existing Exchange Client Access server with an administrator user account.

  2. Open an empty Microsoft Management Console (MMC).

  3. Click File, then Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.

  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.

  6. Select Local computer and click Finish. Then click OK.

  7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.

  8. Select the third-party certificate that's used by Exchange that matches the host names you've configured on the Exchange 2016 server. This must be a third-party certificate and not a self-signed certificate.

  9. Right-click the certificate, select All Tasks, and then click Export.

  10. In the Certificate Export Wizard, click Next.

  11. Select Yes, export the private key, and then click Next.

    Important

    You must be able to export the certificate from your Exchange server with the certificate's private key. If you don't have access to the certificate's private key, you won't be able to use the certificate on the Exchange 2016 server. You'll need to use the steps in "How do I get and install a third-party SSL certificate?" to get a certificate for the Exchange 2016 server.

  12. Make sure Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.

  13. Select Password and enter a password to help secure your certificate. Click Next.

  14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.

  15. You'll receive a confirmation prompt if the certificate export was successful. Click OK to close it.

  16. Copy the .pfx file you created to your Internet-facing Exchange 2016 Mailbox server.

After you've exported the certificate from your pre-existing Exchange server, you need to import the certificate on your Exchange 2016 server using the following steps:

  1. Log on to your Internet-facing Exchange 2016 Mailbox server with an administrator user account.

  2. Open an empty MMC.

  3. Click File, then Add/Remove Snap-in.

  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.

  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.

  6. Select Local computer and click Finish. Then click OK.

  7. Under Console Root, expand Certificates (Local Computer), and then Personal.

  8. Right-click Personal, select All Tasks, and then click Import.

  9. In the Certificate Import Wizard, click Next.

  10. Click Browse, and select the .pfx file you copied to your Exchange 2016 Mailbox server. Click Open and then click Next.

    Note

    You may need to change the File name filter in the Open window to All Files (*.*) to see the .pfx file.

  11. In the Password field, enter the password you used to help secure the certificate when you exported it on the pre-existing Exchange server.

  12. Verify that Include all extended properties is selected, and then click Next.

  13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next and then Finish.

  14. You'll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

Now that the new certificate has been imported on your Exchange 2016 Mailbox server, you need to assign it to your Exchange services using the following steps:

  1. Open the EAC by browsing to the URL of your Exchange 2016 Mailbox server. For example, https://Ex2016/ECP.

  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.

  3. On the Servers > Certificates page in the EAC, select the new certificate you just added, and then click Edit.

  4. On the certificate page, click Services.

  5. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.

  6. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
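The export, import and service assignment above can also be done from the Exchange Management Shell instead of the MMC. This is an added example, not code from the page; the thumbprint and the .pfx path are assumed placeholders, and part A runs on the pre-existing server while part B runs on the Exchange 2016 Mailbox server.

```powershell
# Added example: shell equivalent of the MMC export/import procedures above.
# Copy the .pfx between the two servers yourself; the password is entered on each.

$pfxPath = 'C:\Temp\exchange.pfx'   # placeholder path on both servers

# ---- Part A: on the pre-existing Exchange server ----
$thumb = '<THUMBPRINT OF THE THIRD-PARTY CERTIFICATE>'   # placeholder; list with Get-ExchangeCertificate
$old = Get-ExchangeCertificate -Thumbprint $thumb
# A self-signed certificate has identical Subject and Issuer and must not be re-used (step 8).
if ($old.Subject -eq $old.Issuer) { throw 'This certificate is self-signed; request one from a CA instead.' }
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
# Export fails if the private key is not exportable (the "Important" note above);
# in that case use the third-party certificate request procedure instead.
$bin = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $bin.FileData)   # PKCS #12 with private key
Remove-Variable pfxPassword

# ---- Part B: on the Exchange 2016 Mailbox server ----
$pfxPassword = Read-Host -Prompt 'Password used when exporting the .pfx' -AsSecureString
$new = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) `
    -Password $pfxPassword -PrivateKeyExportable $true
# IIS at minimum; add IMAP, POP, UMCallRouter or SMTP if you use them.
# -Force would suppress the "Overwrite the existing default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
Remove-Item $pfxPath   # the file contains the private key; delete it once imported
```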

How do I know this worked?

To verify that you successfully added a new certificate, do the following:

  1. In the EAC, go to Servers > Certificates.

  2. Select the new certificate and then, in the certificate details pane, verify that the following are true:

    • Status shows Valid.

    • Assigned to services shows, at minimum, IIS and optionally IMAP, POP, UM call router, and SMTP.
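A shell check for the same two criteria, extended to the host-name requirement stated at the top of the page (every name configured on the virtual directories must be on the certificate). This is an added example, not code from the page; 'Ex2016' is an assumed placeholder and the URLs come from your own virtual directory configuration.

```powershell
# Added example: verify status, assigned services and host-name coverage.

$server = 'Ex2016'   # placeholder

# 1. The certificate bound to IIS must show Status Valid.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate on $server is assigned to IIS." }
"Thumbprint=$($cert.Thumbprint) Status=$($cert.Status) Expires=$($cert.NotAfter) Services=$($cert.Services)"
if ($cert.Status -ne 'Valid') { Write-Warning "Certificate status is $($cert.Status), not Valid." }

# 2. Collect every host name clients connect to (OWA, ECP, OAB, ActiveSync, EWS,
#    Outlook Anywhere) and compare against the names on the certificate.
$certDomains = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$vdirs = @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server)
$hostNames = @($vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
    Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })
$oa = Get-OutlookAnywhere -Server $server
$hostNames += @($oa.InternalHostname, $oa.ExternalHostname |
    Where-Object { "$_" } | ForEach-Object { "$_".ToLower() })
$hostNames = $hostNames | Sort-Object -Unique

# A wildcard entry (*.contoso.com) covers exactly one label below it, not deeper names.
function Test-CertificateCoversHost([string[]]$Domains, [string]$HostName) {
    foreach ($d in $Domains) {
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and
            $Matches[1] -eq $d.Substring(2)) { return $true }
    }
    return $false
}

foreach ($h in $hostNames) {
    if (Test-CertificateCoversHost $certDomains $h) { "OK   $h" }
    else { Write-Warning "NOT ON CERTIFICATE: $h (clients using this name will see a certificate error)" }
}
```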
