Create A Self Signed SSL Cert For Exchange Guide

Written by Allen White on. Posted in Exchange 2007, Exchange 2010, Server 2003, Server 2008

If you are stuck with the only option of running Exchange from a locally installed CA rather than a purchased SSL cert, you will need to generate the certificate through the CA's web console using the following steps. I do recommend you use a UCC cert from GoDaddy; however, if you cannot then read on!

  • Browse to your Certificate services web console, via https://server.local/certsrv
  • Select a new request, and choose the advanced option on the next screen.
  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file.
  • Open the certificate request that you generated from my previous blog post. This just needs to be opened in your favourite text editor.
  • Copy the contents of the file and paste it into the request field on the web console. Select the server type as a web server, and leave all other attributes blank.
  • Save the resulting certificate to an accessible location, and close the web console.

The certificate must be imported into Exchange through the EMS. You need the Import-ExchangeCertificate cmdlet with its -Path parameter, piped into Enable-ExchangeCertificate to bind the services, as shown below.

 c:\windows\system32>Import-ExchangeCertificate -Path c:\temp\cert_answer.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

You should now check that the new certificate is in use. The easiest way to do this is with the Test-OutlookWebServices cmdlet, as below.

 c:\windows\system32>Test-OutlookWebServices | FL

You should now see the details of the certificate. The easiest things to confirm that it is the new certificate are the validity dates, or any SANs you may have included.

Now that you have ascertained that the certificate is installed, browse to the OWA service and view the certificate that is presented to ensure that it is in fact the new and current one.
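The import and check above, as an added example that is not part of the original post: it imports the CA-issued certificate, enables the services, and then verifies the certificate Exchange actually holds. It assumes an Exchange 2007 Management Shell session; the file path is the post's, the OWA hostname is a placeholder.

```powershell
# Added example (not from the original post). Assumes an Exchange 2007
# Management Shell session; the file path matches the post, the OWA hostname
# is a placeholder.
$certPath = "C:\temp\cert_answer.cer"
$owaHost  = "mail.example.local"    # assumption: the name users type for OWA

# Import the CA-issued certificate and enable it for the Exchange services.
# (Exchange 2010 takes the file contents via -FileData rather than -Path.)
$cert = Import-ExchangeCertificate -Path $certPath
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "SMTP, IMAP, POP, IIS"

# Re-read the certificate as Exchange now sees it and check what matters:
# it is bound to IIS, it is CA-issued (not self-signed), it covers the OWA
# name, and it is not about to expire.
$bound   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$domains = @($bound.CertificateDomains | ForEach-Object { $_.ToString() })

if ($bound.Services -notmatch "IIS") {
    Write-Warning "Certificate $($bound.Thumbprint) is not enabled for IIS (OWA/Autodiscover)."
}
if ($bound.IsSelfSigned) {
    Write-Warning "Certificate is self-signed; clients will not trust it unless the issuer is trusted."
}
if ($domains -notcontains $owaHost) {
    Write-Warning "$owaHost is not among the certificate names: $($domains -join ', ')"
}
if ($bound.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($bound.NotAfter); renew it soon."
}

# The post's own check, which lists the certificate that Autodiscover and the
# web services are presenting.
Test-OutlookWebServices | Format-List
```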

Allen White
Allen is a Consultant for ITPS in the North East of England and holds the following accreditations: MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure.

ITPS provides strategic IT consultancy, implementation, data centre provision and unified communications, as well as support services and workspace and disaster recovery. If you require a consultation then please contact me via the contacts section or direct on 07931222991, add me on linkedin.


Comments (2)

  • Lee


    I am in search of some help with implementing Outlook Anywhere for a new client.

    They currently access mail remotely via OWA. We have one backend (Hub T) server and one frontend (CAS) server.
    I have enabled Outlook Anywhere on Exchange and will be purchasing a UC certificate in the morning, however, I have a couple of questions I need clarifying as this is the first time I have implemented this service.

    When applying for the SSL UCC, will I be asked to enter all of the different company domains hosted by the client when applying for the cert?
    What host records need to be in place on the internal DNS server (DC)?
    What external DNS configuration needs to be in place?
    And any further tips welcome.

    Kind Regards


    • Allen White


      Hi Lee,

      When you access OWA and you are using an SSL certificate, you access the server through its outside OWA address or internal OWA address, or if using a client like Outlook then you use its internal domain name. So let's say external it's…


      internal it's https://myexchangeserver/owa

      and for Outlook it's

      myexchangeserver.

      In your situation you have your external A record that points to the CAS server, the internal CAS server's name and the internal Hub server's name. On top of this you need to register autodiscover.yourinternaldomain.local as this is used by the clients to configure Outlook. So in total that is 5 SANs.

      These are called SANs or subject alternative names (basically any way your Exchange servers are referenced). When you create your certificate request then you need to specify your internal, external and server hostname. Digicert have a tool that creates your certificate request. Even if you do not use them to buy the cert then I would still use it.

      Exchange 2010 also has the inbuilt one you can use.
      So, you need an external A record that points to your firewall (https://mail.companyname/) that routes to Exchange. The internal DNS will be fine if the servers are built and you need to create an internal autodiscover record. Then simply create the SSL.

      Any more questions then ask away 🙂
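The request with the names the reply describes, as an added example that is not part of the post or the reply: it builds the SAN list and generates the request with the Exchange cmdlet, assuming an Exchange 2007 Management Shell session. Every name is a placeholder, and the short CAS hostname is one reading of the reply's fifth SAN.

```powershell
# Added example (not from the post or the reply). Assumes an Exchange 2007
# Management Shell session; every name below is a placeholder for the names
# the reply describes, and the short hostname is one reading of its fifth SAN.
$externalName = "mail.companyname.com"             # external A record -> firewall -> CAS
$casFqdn      = "cas01.companyname.local"          # internal CAS server name
$hubFqdn      = "hub01.companyname.local"          # internal Hub Transport server name
$casShortName = "cas01"                            # short name Outlook uses internally
$autodiscover = "autodiscover.companyname.local"   # internal Autodiscover record
$requestPath  = "C:\temp\exchange.req"

# Every name a client may connect with must appear in the request; otherwise
# that client sees a name-mismatch warning even though the chain is trusted.
$names = @($externalName, $casFqdn, $hubFqdn, $casShortName, $autodiscover)
$dupes = $names | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) { throw "Duplicate names in SAN list: $($dupes.Name -join ', ')" }

New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Company Name, CN=$externalName" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path $requestPath

# Submit the Base64 text in $requestPath to the CA as described in the post.
# On Exchange 2010 the cmdlet has no -Path; capture the output instead:
#   $req = New-ExchangeCertificate -GenerateRequest ...
#   Set-Content -Path $requestPath -Value $req
```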


