Configure an SSL Certificate for Exchange Server 2010

Exchange Server 2010 like its predecessor Exchange Server 2007 makes heavy use of SSL certificates for various communications protocols. When you install a new Exchange server is comes pre-configured with a self-signed certificate. Before putting a new server into production you should create and assign a new SSL cert for the server.
In this example an SSL cert is being configured for the contoso.local organzation.

Generate a New Exchange Server 2010 Certificate

In the Exchange Management Console navigate to Server Configuration. Right-click the server and choose New Exchange Certificate.

Enter a friendly name for the new cert. In this example I have named it “Contoso Exchange Server”.

Although wildcard certificates are supported in Exchange Server 2010 it is recommended to use a SAN (Subject Alternative Name) cert instead.

Next we can configure the names for each of the Exchange 2010 services that are secured with the SSL certificate.

First is the Outlook Web App service. Enter the internal and external names of Outlook Web App. In this example I am using “ex2010.contoso.local” for internal, and “mail.contoso.local” for external.

Next configure the ActiveSync domain name. For ease of administration and configuration I am using the same name as for Outlook Web App.

Next are the Web Services, Outlook Anywhere ( and Autodiscover names. Once again I am using the same name of “mail.contoso.local”. For Autodiscover the additional names of “autodiscover.contoso.local” and “autodiscover.xyzimports.local” are also configured, for each of the accepted email domains in this example organization.

The Hub Transport server also requires SSL for secure SMTP communications. In this example I am using the name “mail.contoso.local”.

A legacy name for co-existence is required if you are planning to gradually transition services and data from Exchange 2003 to Exchange 2010. Configure legacy names for each of the namespaces in the organization, in this example “legacy.contoso.local” and “legacy.xyzimports.local”.

When all of the services have been configured proceed to the next step of the New Exchange Certificate wizard.

Confirm that all of the required names have been included in the cert request. You can add any additional names at this stage before proceeding.

Next configure the organization and location information for the certificate, and choose a location to generate the request file.

When you have finished filling out the wizard click the New button to generate the cert request file.

Confirm that the request file was successfully generated.

You will notice that the wizard makes a recommendation as to the type of certificate that is required for your Exchange organization. In most cases a “Unified Communications certificate” will be necessary, which is basically another name for a SAN certificate.

Although you can issue the certificate from a private Certificate Authority it is recommended to use acommercial Certificate Authority such as Digicert.

After you have acquired the new certificate return to the Exchange Management Console, navigate to Server Configuration, right-click the server and choose Complete Pending Request.

Browse to the location of the file you downloaded from the CA and complete the wizard. Confirm that the new SSL certificate was imported successfully.

The new certificate now appears in the list of valid certificates for the server.

Assign the New Certificate to Exchange Server 2010

With the valid SSL certificate installed it is now time to assign it to the Exchange Server 2010 services. Right-click the new certificate and choose “Assign Services to Certificate”.

Choose the new Exchange server and click the Next button.

Choose the services to assign to the certificate. In this example the IIS and SMTP services are being assigned.

Complete the wizard to assign the services to the new SSL certificate. You will be prompted to overwrite the existing self-signed certificate, so choose Yes to that prompt.

How to install SSL123 Certificate with its Intermidiate CA for Microsoft IIS 5, IIS 6 or IIS 7

Step – 1

For Windows Server 2003

  • Once you received the the SSL123 Certificate from the certificate authority, complete the pending certificate request as mention below but before that copy and paste the certificate received from the certificate authority into the enrollment form, open the file in a text editor that does not add extra characters (Notepad recommended) & save as “filename.cer”.
  • Open the Internet Services Manager  Start > Programs > Administrative Tools
  • Right-click on the Web site from which you had created the Key/CSR pair for.
  • Select Properties.
  • Click the Directory Security tab.
  • Under the Secure Communications section, click Server Certificate
  • This will start the Web Site Certificate Wizard.  Click Next.
  • From the Web Site Certificate Wizard, select pending certificate request. Click Next.
  • The wizard will now ask you the CSR file. Click Browse and select a location where you have save the CSR file (received from the certificate authority) click Next & then Finish.
  • IIS will then ask to confirm the port on which secure communications to the list will listen on. Leave this as port 443, and click finish.

For Windows Server 2008

  • Once you received the the SSL123 Certificate from the certificate authority, complete the pending certificate request as mention below but before that copy and paste the certificate received from the certificate authority into the enrollment form, open the file in a text editor that does not add extra characters (Notepad recommended) & save as “filename.cer”.
  • In IIS 7, click on the server name (svxxx(svxxxDataCAdmin)), then open “Server Certificates” and select the certificate you wish to complete.
  • On the taskbar to the right, click “Complete Certificate Request”
  • Select the certificate from the directory where the .cer file resides.
  • Make the friendly name “domain date” (example; 11-12).  Click “ok”
  • After installing the .cer file you will need to assign it to the site.
  • To assign the certificate to the site you will need to right click on the site, “Edit Bindings”
  • Select the “https” binding(s) and “Edit” the binding.
  • Select the drop down window and choose the certificate that you just created.
  • If the site has not previously had a certificate installed:
  • You will need to update the bindings to allow acces to the site on port 443.
  • Navigate to your site. Click your site, then click “Bindings” on the right panel.
  • Add bind for “https://” then you will need to select the certificate from the list at the bottom of the window.

Step – 2

Download the Intermediate CA File for SSL123 from the certificate authority site & save it as .cer.

Step – 3

Create a Certificate Snap-in:

Note: Please ensure for step 8 to select ‘Computer Account’, selecting any other option will result in a failed installation.

  1. From the Web Server, Click Start > Run
  2. Type in MMC and Press Enter
  3. Click OK
  4. From the Microsoft Management Console (MMC) menu bar, Click File (in IIS 6.0) or Console (in IIS 5.0) > Add/Remove Snap-in
  5. Click Add
  6. From the list of snap-ins, Select Certificates
  7. Click Add
  8. Select Computer Account
  9. Click Next
  10. Select Local Computer (the computer this console is running on)
  11. Click Finish
  12. In the snap-in list window, Click Close
  13. In the Add/Remove Snap-in Window, Click OK

Step – 4

Install the Intermediate CA file:

  1. From the left pane, Expand the ‘Intermediate Certification Authorities’ folder
  2. Right-Click on ‘Certificates’ folder
  3. Click All Tasks > Import
  4. In the Certificate Import Wizard, Click Next
  5. Click on Browse and locate the Intermediate CA Certificate File (file you downloaded in step 2)
  6. Click Next
  7. Select option ‘Place all certificates in the following store’
  8. Click Browse button and select ‘Intermediate Certification Authorities’
  9. Click OK
  10. Click Next
  11. Click Finish

Note: For IIS 6 and below, restart the web server (IIS Admin services) for the changes to propagate immediately.  For IIS 7/7.5, a reboot or re-create of the HTTPS bindings is required for the settings to take effect.

Courtesy :