This guide accompanies my information guide on Exchange 2013 and Exchange 2016 SANs, SSL and UCC, if you have not read it then take time to here, then continue with your install here.
In this guide we will create an SSL certificate request in Exchange 2013 or Exchange 2016, you can then go off and purchase the SSL Certificate, we will then install the certificate that we have purchased on-line and apply it to the services that we are going to run such as Outlook Web Access ( OWA ). Note that if you intend to use a mobile device to sync email with exchange 2013 or exchange 2016 hen you must buy an SSL certificate. To start, make sure you are logged in to the Exchange 2013 ECP / EAC.
How To Create a Certificate Request in Exchange 2013 and Exchange 2016
When we create a certificate request what we are doing is creating a request for a certificate that we can provide to the likes of GoDaddy that tells them to create a certificate that trusts the domains names ( or Subject Alternative Names ) that we specify. Below we will create a certificate so that internal users of Outlook can connect to the internal Exchange 2013/2016 server name, use Autodiscover to auto-configure Outlook, we will also add to the certificate request the external domain the we will user for OWA. In this situation we will use the domain https://mail.techieshelp.com ( this does not exist but this is used for example). Before we start you will need the following.
- An A record for the external OWA site pointing to your external IP address such as mail.techieshelp.com pointing to 188.8.131.52 ( obviously point your A record to your external IP)
- An internal A record called “Autodiscover” that points to your Exchange 2013 CAS server or 2016 MBX server.
Then decide on your CA provider, we will use GoDaddy here. With those in place we can log into the ECP / EAC. First select Servers on the main menu.
Then Certificates, on the sub menu click the + sign to create and new certificate. You will see the screen below. As you can see we are going to Create a request for a certificate from a certification authority.
Then simply give the Certificate request a simple recognizable name as below then click next.
The next screen is optional , if you plan on buying a wild card certificate (to cover *.yourdomain.com) tick the box and enter a root domain, I’m not going to use a wildcard but if I was my root domain would be techieshelp.local. When you user a wild card certificate it means the certificate covers any sub domain such as mail.techieshelp.com,test.techieshelp or exchange.techieshelp.com. Once done click next.
On the next screen we simply select the server where we will store the generated certificate request. Select the server we are working on. click OK then next to continue.
The next screen asks you what domains will be connected to with this certificate, I’m only going to use OWA as that’s all I’ve selected, it matters not as we can change the domains we want on the next screen.
The next screen is important you need to make sure you have the following in your certificate request. Servername.local (Example: techieshelp-dc.techieshelp.local) Autodiscover.local (Example: autodiscover.techieshelp.local) ExternalOwa.com (Example: mail.techieshelp.com ) Basically you need to add or select ANY address that you will reference your exchange server as or connect to as. These are known as Subject Alternative Names.
We now enter the company details for the certificate provider.
The next screen simply asks you where you would like to save the request file. This is that file that you will provide to the likes of GoDaddy. Just save it in a local valid share and give a a valid name such as CERT.req
As you can see my certificate request is now created, you now need to select a certificate provider see below for recommendations, submit this request file and they will then provide you with a certificate to answer the certificate request – this may take a few hours or more.
What SSL Provider Should I Use?
I recommend GoDaddy or SSL2BUY as far as price goes they are as competitive as it gets and I have purchased unified SSL certificates for clients numerous times, they auto renew the certs yearly so you will not get issues with certificates expiring as you receive notification. When you purchase bare in mind that you can normally purchase for 1,3 or 5 years, the longer you purchase for the cheaper they are and less admin work each year. Certificates can be used on all previous Exchange Servers also. Now we go to GoDaddy and select UCC certificate, then enter your SAN`s (any address you will attach to the server as seen earlier in this article) and the CA provider will generate your certificate for you to download. Once downloaded we can answer the certificate request. As seen below.
How Do I Answer The Exchange 2013 / 2016 Certificate Request?
If you refresh the EMC ( use the circle arrow ) you will now see the pending request waiting to be answered by your new certificate. To answer it you need to hit the complete button on the far right hand side.
The certificate will now import, we now need to decide what services the certificate will apply to. You will need to select SMTP and IIS if you are using OWA, I’m using the defaults here which is SMTP, IMAP, POP and IIS.
Exchange 2013 and Exchange 2016 is setup to use the certificate you have applied and will use it when Outlook clients connect over SMTP and when connected over OWA using IIS. The process is now complete.