Exchange 2013 / 2016 Configuring and Installing an SSL Certificate
This guide accompanies my information guide on Exchange 2013 and Exchange 2016 SANs, SSL and UCC, if you have not read it then take time to here, then continue with your install here.
In this guide we will create an SSL certificate request in Exchange 2013 or Exchange 2016, you can then go off and purchase the SSL Certificate, we will then install the certificate that we have purchased on-line and apply it to the services that we are going to run such as Outlook Web Access ( OWA ). Note that if you intend to use a mobile device to sync email with exchange 2013 or exchange 2016 hen you must buy an SSL certificate. To start, make sure you are logged in to the Exchange 2013 ECP / EAC.
How To Create a Certificate Request in Exchange 2013 and Exchange 2016
When we create a certificate request what we are doing is creating a request for a certificate that we can provide to the likes of GoDaddy that tells them to create a certificate that trusts the domains names ( or Subject Alternative Names ) that we specify. Below we will create a certificate so that internal users of Outlook can connect to the internal Exchange 2013/2016 server name, use Autodiscover to auto-configure Outlook, we will also add to the certificate request the external domain the we will user for OWA. In this situation we will use the domain https://mail.techieshelp.com ( this does not exist but this is used for example). Before we start you will need the following.
- An A record for the external OWA site pointing to your external IP address such as mail.techieshelp.com pointing to 83.119.37.26 ( obviously point your A record to your external IP)
- An internal A record called “Autodiscover” that points to your Exchange 2013 CAS server or 2016 MBX server.
Then decide on your CA provider, we will use GoDaddy here. With those in place we can log into the ECP / EAC. First select Servers on the main menu.
Then Certificates, on the sub menu click the + sign to create and new certificate. You will see the screen below. As you can see we are going to Create a request for a certificate from a certification authority. 
Then simply give the Certificate request a simple recognizable name as below then click next.
The next screen is optional , if you plan on buying a wild card certificate (to cover *.yourdomain.com) tick the box and enter a root domain, I’m not going to use a wildcard but if I was my root domain would be techieshelp.local. When you user a wild card certificate it means the certificate covers any sub domain such as mail.techieshelp.com,test.techieshelp or exchange.techieshelp.com. Once done click next.
On the next screen we simply select the server where we will store the generated certificate request. Select the server we are working on. click OK then next to continue.
The next screen asks you what domains will be connected to with this certificate, I’m only going to use OWA as that’s all I’ve selected, it matters not as we can change the domains we want on the next screen.
The next screen is important you need to make sure you have the following in your certificate request. Servername.local (Example: techieshelp-dc.techieshelp.local) Autodiscover.local (Example: autodiscover.techieshelp.local) ExternalOwa.com (Example: mail.techieshelp.com ) Basically you need to add or select ANY address that you will reference your exchange server as or connect to as. These are known as Subject Alternative Names.
We now enter the company details for the certificate provider.
The next screen simply asks you where you would like to save the request file. This is that file that you will provide to the likes of GoDaddy. Just save it in a local valid share and give a a valid name such as CERT.req
As you can see my certificate request is now created, you now need to select a certificate provider see below for recommendations, submit this request file and they will then provide you with a certificate to answer the certificate request – this may take a few hours or more.
What SSL Provider Should I Use?
I recommend GoDaddy or SSL2BUY as far as price goes they are as competitive as it gets and I have purchased unified SSL certificates for clients numerous times, they auto renew the certs yearly so you will not get issues with certificates expiring as you receive notification. When you purchase bare in mind that you can normally purchase for 1,3 or 5 years, the longer you purchase for the cheaper they are and less admin work each year. Certificates can be used on all previous Exchange Servers also. Now we go to GoDaddy
and select UCC certificate, then enter your SAN`s (any address you will attach to the server as seen earlier in this article) and the CA provider will generate your certificate for you to download. Once downloaded we can answer the certificate request. As seen below.
How Do I Answer The Exchange 2013 / 2016 Certificate Request?
If you refresh the EMC ( use the circle arrow ) you will now see the pending request waiting to be answered by your new certificate. To answer it you need to hit the complete button on the far right hand side.
Once clicked simply enter the path to the certificate you will have received from your certificate provider. 
The certificate will now import, we now need to decide what services the certificate will apply to. You will need to select SMTP and IIS if you are using OWA, I’m using the defaults here which is SMTP, IMAP, POP and IIS.
Exchange 2013 and Exchange 2016 is setup to use the certificate you have applied and will use it when Outlook clients connect over SMTP and when connected over OWA using IIS. The process is now complete.
Loading ...
Ajay
| #
hi,
excellent write up. is there a way to create the certificate without paying for it? for testing purposes.
im having problems with internal outlook users connecting to exchange 2013.
any help would be much appricated.
Ajay Paul
Reply
Allen White
| #
Hi Ajay,
Yes there is you can create a self certified cert, search the site , I believe I wrote it up for exchange 2007 and the process is the same. I beleive the article is renew and expired exchange 2007 certificate. I woul recommend you purchase an SSL or activesync will not work, it requires a CA cert
Reply
Ajay
| #
Hi Allen,
Many thanks for the quick reply, just one more quick question:
In an Exchange 2013 on windows 2012 environment do i need a CA cert for internal outlook clients to connect to exhange 2013?
Ive set up a test environment and i cant get my internal outlook clients to connect to exchange :(, i keep receiving the following error message:
Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)
Thanks in advance
Ajay Paul
Reply
Allen White
| #
Hi, that is not a cert issue, that is comms, can the clients ping the Exchange 2013 server over DNS? have you setup an Autodiscover record?
thanks
Allen
Reply
Ajay Paul
| #
Hi,
Yes i have created a A record for autodiscover. I am also able to ping the exchange server over DNS.
I am able to connect and send emails via OWA without any issues, i just cant log in via outlook 2010,2007 or 2003 🙁
ive been working on this all week and its becoming extreally frustrating. Not sure what else to try.
Allen White
| #
What happens when you are in a client and connect to exchange and run the “check name” , does it underline the user name?
Remember, to diagnose out look when you hold down CTRL and right click the outlook icon in the bottom right hand corner you can get diagnostics
Ajay
| #
yes the name and server are being underlined.
there isnt an oulook icon in the notification area as outlook isnt opening, its just stuck on that error message, when i click on ok it shuts down outlook all together.
ive looked in the event veiwer and theres nothing.
Reply
Ajay
| #
Whaaa Hoooo, got it to work 🙂
it was indeed a DNS issue, the reverse pointer was not configured correctly.
Can you please confirm that i dont need a CA cert for internal outlook clients.
Many thanks for your time and effort Allen. Much appriciated.
Reply
Allen White
| #
Well done, thought it was DNS ;). You need either a self signed cert or a CA cert, the self signed will be fine AS-LONG as you do not want to use iPhones or Windows phones (active sync), you will also get errors when attaching to OWA ( click to continue to untrusted site errors ). If your are happy with that you will be fine. If its at a clients I would advise for the £100 to invest in one.
thanks
Allen
Reply
Jacob
| #
Hi,
I’m trying to complete pending request but I get the error of “The imported certificate file for server SERVER failed to access for the following reason: Could not find file ‘\\server\certs\impellingitssl.cer'”
The share it’s in has full access for admins and I can definitely see it there
Reply
Allen White
| #
Hi, what happens when you copy the file locally?
Reply
cuocdoi
| #
Hi Allen,
I’ve an Exchange 2013 (ex13.local.com) (Win2k8R2) is used for Intranet network and want to use OWA for internal/non-domain user. So, do I need to edit the domain for “Outlook Web APP (from internet)” and choose it ?
Thanks,
cuocdoi
Reply
Allen White
| #
Hi, im not 100% sure what you mean, pop a question with as much detail as you can into the Q&A section at the top of the page and ill do my best 🙂
Reply
Joel
| #
Great article. I’ve setup 2- 2013 exchange server with both roles installed. Does the cert portion need to be done on both server?
In production i have a 2007 server setup.
Reply
Allen White
| #
Hi Joel, the cert is org wide and only needs to be on your CAS server (s) the servers that your users authenticate to or hit from the outside world. In your case if both servers have the same roles (CAS) then just make sure the cert has both internal server names in it, the external mail name and Autodiscover. Basically a cert needs references to any server alias you will connect to it on.
Reply
Michael
| #
What if I don’t own the naming rights to my internal domain? In that case I won’t be able to put the server.domain.local on the certificate as godaddy and others will refuse to do so.
They simply can’t verify.
What gives?
Reply
Allen White
| #
Hi, yep they have made that tricky however try this..
http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
Nice email add also .
Reply
Michael Gron
| #
Hi Allen. Great article. I have succeeded on both exchange 2007 and 2010 to install and use a wildcard certificate. There is a tickbox for wildcard certificate so it must be possible to use it even though it is not best practice. I Can´t find any articles on this – do you have any ideas on how to get this to work? The situation is that we HAVE bought a wildcard certificate – and we are not able to get it changed.
Thanks.
Michael Gron
Reply
RicK
| #
@ Michael Gron,
Hi Michael, did you get a resolution for your issue, we are facing the same problem and have not found a solution yet. I would appreciate any advice from your experience.
Rick
Reply
Martin Hamukwaya
| #
Hi Allen,
I find your website very interesting and this post has significance to an error i encountered with my Exchange environment.
I have 2 CAS servers and 2 Mailbox servers that was implemented from scratch.
All outlook clients could connect and suddenly on 02/05/2014 my clients keeps prompting for username and password.
When i delete and recreate the profile it says: “The connection to Microsoft is currently unavailable. Outlook must be online or connected to complete this action”
All connections through OWA works fine.
Reply
TaN
| #
Hi,
I was searching the internet for a solution regarding to this problem.
I’m doing some tests before i install the exchange 2016.
I installed an SSL certificate (didn’t remove the default self signed one), assigned imap,pop,iis,smtp roles to this certificate and after that i was trying to login to /ecp but it was keep redirecting me to the login page. Even /owa wasn’t working.
I had to restart IIS service to solve the problem.
Reply