The first step in installing an SSL Certificate in Exchange is to generate a CSR (Certificate Signing Request). This article outlines the steps required to generate the CSR in newer versions of Exchange, which will allow you to complete the SSL Certificate request process.
Generate a Certificate Signing Request (CSR) - Exchange 2007
1. Open the Exchange Management Shell by going to Start → Microsoft Exchange Server 2007.
2. Copy the following code and paste it into notepad.exe; Notepad will keep the format as plain text.
New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=Your Country, l=Your Locality/City, s=Your State, o=Your Corporation Name,cn=YourMainDomain.com" -domainname SubjectAlternativeName1, SubjectAltName2, SubjectAltName3, SubjectAltName4 -PrivateKeyExportable $true -path c:\certrequest.txt
3. Change the following values in the above code once pasted in notepad:
c=Your Country | → | Change Your Country to the two letter country code that matches the organization's location. |
l=Your Locality/City | → | Change Your Locality/City to the full name of the organization's city or town. |
s=Your State | → | Change Your State to the full name of the organization's state or province. |
o=Your Corporation Name | → | Change Your Corporation Name to the full legal name of the organization. |
cn=YourMainDomain.com | → | Change YourMainDomain.com to the FQDN (Fully Qualified Domain Name) of the server (e.g. mail.example.com). |
If you wish to add SANs (Subject Alternative Names) to the certificate, they will need to be declared in the following code section:
-domainname SubjectAlternativeName1, SubjectAltName2, SubjectAltName3, SubjectAltName4
4. Once the code has been edited with the required organizational changes, copy and paste the edited code into the Exchange Management Shell and hit 'Enter'.
5. If the CSR creation was successful, you will see a thumbprint appear in the window. If the thumbprint does not appear, confirm there were no code editing mistakes.
6. The newly generated CSR will be located in C:\certrequest.txt.
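The Exchange 2007 steps above as one script, given here as an added example that is not part of the original article: it checks the edited values before running the command and then decodes the resulting request with the Windows certutil tool. The organization details, domain names and variable names are constructed samples.

```powershell
# Added example: not part of the original article. All values are constructed samples.
$country  = 'US'                    # two-letter country code
$locality = 'Springfield'
$state    = 'Illinois'
$org      = 'Example Corporation'
$cn       = 'mail.example.com'      # FQDN of the server
$sans     = 'mail.example.com', 'autodiscover.example.com'
$path     = 'C:\certrequest.txt'

# Check the fields step 3 asks you to edit before the request is generated.
if ($country -notmatch '^[A-Za-z]{2}$') {
    throw "Country must be a two-letter code, got '$country'"
}
foreach ($value in $locality, $state, $org) {
    if ($value -match ',') {
        throw "'$value' contains a comma, which separates fields in the subject string"
    }
}
if ($cn -notmatch '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$') {
    throw "Common name is not a fully qualified domain name: '$cn'"
}
foreach ($name in $sans) {
    if ($name -match '[\s,]') {
        throw "Subject alternative name contains a space or comma: '$name'"
    }
}

$subject = "c=$country, l=$locality, s=$state, o=$org, cn=$cn"

# Same command as in step 2. -PrivateKeyExportable $true is kept from the article;
# it lets the private key be exported from this server later.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName $subject `
    -DomainName $sans -PrivateKeyExportable $true -Path $path

# Decode the request and show the key length and the DNS names it carries,
# so they can be compared with the intended values before it is sent to the CA.
certutil -dump $path | Select-String -Pattern 'Public Key Length', 'DNS Name='
```

The final line should report a 2048-bit key and one DNS name per entry in the SAN list; a missing name means the request has to be regenerated, since the CA issues the certificate for what the CSR contains.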
Generate a Certificate Signing Request (CSR) - Exchange 2010
1. Open the Exchange Management Console by going to Start → All Programs → Microsoft Exchange Server 2010.
2. Expand 'Microsoft Exchange On-Premises' on the left console tree.
3. Select 'Server Configuration' on the left console tree.
4. Select 'New Exchange Certificate' on the right action pane and progress through the wizard.
→ Enter a friendly name for the new SSL certificate and click 'Next'. This will be the name of the SSL certificate displayed in the Exchange console.
→ If you are creating a CSR for a wildcard certificate, check the box and enter the root domain for the SSL certificate (e.g. example.com, *.example.com) and click 'Next'. If you are not creating a CSR for a wildcard domain, leave this box unchecked and click 'Next'.
→ Select the Exchange server services you wish to secure with the SSL Certificate and click 'Next'.
→ Enter the common name for the SSL Certificate (e.g. mail.example.com) and click 'Next'.
→ Enter the organization related information for the following:
Organization → The full legal name of your organization.
Organization Unit → The department within the organization responsible for the SSL Certificate.
Country/Region → The country or region where the organization is located.
City/Locality → The full name of the city or town where the organization is located.
State/Province → The full name of the state or province where the organization is located.
5. Save the new CSR to a location on the local server by clicking 'Browse', entering a file name for the CSR, and then clicking 'Save'.
Generate a Certificate Signing Request (CSR) - Exchange 2013
1. Log in to the Exchange Admin Center by opening a browser window and going to https://localhost/ecp.
2. From the left side menu, click 'Servers' and then 'Certificates' from the top right menu. The 'new exchange certificate' wizard window will open.
3. Select 'Create a request for a certificate from the certification authority' and click 'Next'.
→ Enter a friendly name for the new SSL certificate and click 'Next'.
→ If you are creating a CSR for a wildcard certificate, check the box and enter the root domain for the SSL certificate (e.g. example.com, *.example.com) and click 'Next'. If you are not creating a CSR for a wildcard domain, leave this box unchecked and click 'Next'.
→ Click 'Browse' to locate the server you wish to store the CSR on and click 'Next'.
→ Select the Exchange server services you wish to secure with the SSL Certificate as well as the domains being used to access the services and click 'Next'.
→ Add any extra domains required for the SSL Certificate to the list (SANs) and click 'Next'.
→ Enter the organization related information for the following:
Organization → The full legal name of your organization.
Organization Unit → The department within the organization responsible for the SSL Certificate.
Country/Region → The country or region where the organization is located.
City/Locality → The full name of the city or town where the organization is located.
State/Province → The full name of the state or province where the organization is located.