After installing Exchange, you need to install an SSL certificate in Exchange 2010 to secure email communications. By default, a self-signed certificate is created when you install Exchange 2010. That self-signed certificate is not trusted by client computers or by computers out on the Internet, so you need to install a public digital certificate that is trusted by all of them. You can also optionally build an internal PKI infrastructure, but most of the time simply purchasing a public certificate is the easier and preferred method.
Install SSL Certificate in Exchange 2010
The two main types of public certificates are the SAN/UCC certificate and the wildcard certificate. You can use either of them for Exchange server. A SAN/UCC certificate has broader client compatibility than a wildcard certificate. A SAN/UCC certificate can carry more than one subject alternative name (domain name), and Exchange server requires multiple domain names for OWA access, the Autodiscover service, EWS, ActiveSync, Unified Communications, etc. You should plan the domain names to be used for the Exchange server in advance. Here, two domain names will be used: mail.mustbegeek.com, to access Client Access server features such as OWA, EWS and ActiveSync, and autodiscover.mustbegeek.com, to allow Outlook and ActiveSync clients to set up their email automatically.
Log on to the Exchange 2010 server. Open the Exchange Management Console (EMC). Select Server Configuration in the left pane. Select the server, MBG-EX01, from the server list.
From the Actions pane on the right, click the New Exchange Certificate option.
Type the friendly name to recognize the certificate and click Next.
Under Domain Scope, leave the option Enable wildcard certificate unchecked. Click Next.
Under Exchange Configuration, you can specify the URLs to be used by the various Exchange services. For Outlook Web App and ActiveSync, both the internal and external domain name is mail.mustbegeek.com, as shown above.
Type mail.mustbegeek.com for Outlook Anywhere. Type autodiscover.mustbegeek.com as the Autodiscover URL to use. We won't be using IMAP/POP or Unified Messaging, so uncheck the options under those headings.
Check the option Use mutual TLS to help secure Internet mail and type the domain name mail.mustbegeek.com. If you have Exchange 2007 co-existence, you will also need a legacy domain: check the option Use legacy domains and type legacy.mustbegeek.com. Click Next.
Under Certificate Domains, you will see the domain names that must be on the digital certificate. This is why you need to purchase a SAN/UC certificate: it can carry these two domain names as subject alternative names. Click Next.
Fill in the company info and click Next.
Click New to create the certificate request.
As you can see, the certificate request wizard has completed successfully. The wizard creates a .req file. You can open the file with Notepad and copy its text into the certificate order. You can also see the recommended steps 1, 2 and 3. Since we require multiple domain names on the certificate, we now need to purchase a SAN/UC certificate from a certificate authority and then complete the pending certificate request. You can purchase a certificate from Certificate Authorities such as DigiCert, Comodo, etc. I just purchased a SAN certificate, so now let's install it.
Go back to the Exchange server and, on the same page, click Complete Pending Request in the Actions pane to install the certificate.
Browse to the new certificate file and click Complete.
The certificate installation has completed successfully. Now, let’s assign services to the certificate.
Select the new certificate and click Assign Services to Certificate in the Actions pane.
Choose the server and click Next.
Check the services SMTP and IIS and click Next.
Click Assign to assign services to the certificate.
Click Yes to overwrite the existing (self-signed) certificate.
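The same request, completion and service assignment can be scripted from the Exchange Management Shell, which is handy when you have several Client Access servers or want to verify the result without clicking through the EMC. The block below is an added example, not code from the original post. The server name MBG-EX01 and the two domain names are the ones used in the post; the file paths, friendly name and subject fields (organization, country) are assumptions, and the sanity checks before Enable-ExchangeCertificate are my additions so that a wrong file (for example the self-signed certificate, or an issued certificate whose intermediate chain is not installed) is caught before it is bound to IIS and SMTP.

```powershell
# Added example (not from the original post): Exchange Management Shell equivalent
# of the EMC certificate wizard. Server and domain names come from the post; paths,
# friendly name and subject fields are assumed values.

$Server        = "MBG-EX01"
$Domains       = "mail.mustbegeek.com", "autodiscover.mustbegeek.com"
$RequestFile   = "C:\certs\mustbegeek-san.req"   # assumed path for the .req file
$IssuedCerFile = "C:\certs\mustbegeek-san.cer"   # assumed path for the file the CA returns

# 1. Generate the request (the same text the wizard writes to its .req file).
#    The CN in -SubjectName is the primary name; every entry in -DomainName becomes a SAN.
#    Organization and country below are assumed values; use your own.
$Request = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName "MustBeGeek SAN certificate" `
    -SubjectName "C=US, O=MustBeGeek, CN=mail.mustbegeek.com" `
    -DomainName $Domains `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path $RequestFile -Value $Request
# Open $RequestFile in Notepad and paste its contents into the CA's order form.

# 2. Complete the pending request with the certificate the CA issued.
$Cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]](Get-Content -Path $IssuedCerFile -Encoding Byte -ReadCount 0))

# 3. Sanity checks before assigning services: the imported certificate must be
#    CA-issued (not self-signed), pass chain validation, and carry both names.
if ($Cert.IsSelfSigned) {
    throw "Imported certificate is self-signed; wrong file?"
}
if ($Cert.Status -ne "Valid") {
    throw "Certificate status is '$($Cert.Status)'; check that the CA's intermediate chain is installed"
}
$CertNames = $Cert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($d in $Domains) {
    if ($CertNames -notcontains $d) { throw "Certificate is missing SAN $d" }
}

# 4. Assign IIS (OWA, EWS, ActiveSync, Autodiscover, Outlook Anywhere) and SMTP.
#    -Force answers the "overwrite the existing default SMTP certificate" prompt
#    that the EMC shows as the final Yes/No dialog.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP" -Force

# 5. Confirm: the new certificate should list IIS and SMTP, and the old self-signed
#    certificate should no longer hold those services.
Get-ExchangeCertificate -Server $Server |
    Format-Table Thumbprint, IsSelfSigned, Services, NotAfter, CertificateDomains -AutoSize
```

Run steps 1 and 2 separately, since the CA's issuance happens in between. If step 3 reports a status other than Valid, install the CA's intermediate certificate in the server's Intermediate Certification Authorities store before continuing; binding an incomplete chain to IIS is the usual cause of Outlook and ActiveSync clients reporting an untrusted certificate even though the browser shows it as fine.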
The new certificate installation has completed successfully. In this way, you can install an SSL certificate in Exchange 2010.