Digital certificates secure communication between clients and servers over TLS (still commonly called SSL). When you install Exchange 2016, it creates self-signed certificates by default. Self-signed certificates are not trusted by other systems, so a certificate from a trusted CA has to be installed manually. In this post, I will show the steps to install an SSL certificate in Exchange 2016. There are different types of digital certificates available:
- Self-Signed Certificates: These certificates are generated by the local application and are only trusted by the system that generated them. The self-signed certificate created by Exchange has the host name of the server itself as its subject alternative name.
- Windows Public Key Infrastructure (PKI) Certificates: A Windows server can be configured as a Certificate Authority (CA) by installing the Active Directory Certificate Services (AD CS) role. Certificates issued by a Windows server CA are known as Windows PKI certificates. They are trusted by computers that have the CA's root certificate (typically the domain-joined ones), but not by Internet users or external devices by default.
- Trusted Third-Party Certificates: These certificates are sold by public third-party Certificate Authorities (CAs) and are trusted by a wide range of devices on the Internet. The most popular types of third-party certificates are UCC/SAN and Wildcard certificates. A UCC/SAN certificate can carry multiple host names in its subject alternative name extension. A wildcard certificate has *.domain.com as its subject alternative name, which covers any single-label host under domain.com and eliminates the need to list each host name. Wildcard certificates are not supported by older versions of some applications and devices and can create compatibility issues.
In Exchange 2016, Outlook on the web, the EAC, Exchange Web Services, ActiveSync, Outlook Anywhere, Autodiscover and Offline Address Book (OAB) distribution all use the same digital certificate once it is installed. This is because all these services are virtual directories under the same Default Web Site in IIS, and one HTTPS website binding can have only one certificate. POP/IMAP and SMTP can use the same certificate or a different one. For simplicity, it is recommended to use the same certificate for all services.
The diagram above shows a simple scenario. Exchange 2016 has already been installed. The host names to be used internally and externally have already been planned. mail.mustbegeek.com will be used by both internal and external users, and autodiscover.mustbegeek.com will be used for the Autodiscover service. So we need a certificate with two subject alternative names, mail.mustbegeek.com and autodiscover.mustbegeek.com. The internal and external URLs of the virtual directories have been configured already. Here, I will install a UCC/SAN certificate from SSLs.com.
Install SSL Certificate in Exchange 2016
Step 1. Create shared folder with NTFS permission for Exchange Trusted Subsystem group
The EAC certificate wizard writes the certificate request file to a UNC path, so before creating the request you need to create a shared folder with appropriate share and NTFS permissions. I will create a folder named CSR on the desktop of the MBG-EX01 server. You can set up the folder in any location as long as the Exchange server can reach it.
Now open the properties of the folder. Click the Sharing tab. Click the Advanced Sharing button. Check the "Share this folder" option. Click the Permissions button. Grant Full Control on the share (the screenshots grant it to Everyone; granting it to Exchange Trusted Subsystem and leaving Everyone with Read is tighter and works just as well, since the request file is written by that group and the effective permission is the more restrictive of the share and NTFS permissions). The request file contains only the public key and the requested names, never the private key, so the share itself holds nothing secret. Click OK twice.
To assign NTFS permissions, click the Security tab. Under "Group or user names", click the Edit button to change permissions. Click Add to add the Exchange Trusted Subsystem group. Type Exchange Trusted Subsystem and click Check Names. Click OK once it is found. Assign Full Control to the Exchange Trusted Subsystem group as shown above. Click OK and then Close.
Step 2. Generate CSR from Exchange server
Now, let's create the certificate signing request (CSR). Log on to the Exchange Admin Center (EAC). Click servers in the feature pane. Select the certificates tab.
You can see there are three default certificates already created. Never delete the WMSVC (IIS Web Management Service) certificate. WMSVC is a self-signed certificate and is necessary for remote management of the web server. Click + (Add) to add a new certificate.
We want to install a public certificate, not a self-signed certificate. Choose the "Create a request for a certificate from a certification authority" option. Click Next.
Type a friendly name to recognize this certificate by, for example, SSL Certificate. Click Next.
This page offers to generate a CSR for a wildcard certificate. We need a SAN/UC certificate, so leave the option unchecked. Click Next.
Click Browse and select the Mailbox server. This is the server where the certificate request, and later the private key, will be stored. Click Next.
Here, you can specify which host names to include in the certificate. You can leave this at the default and edit the list of names on the next page as shown below.
You can select any unwanted host name and click - (minus) to delete it, and click + (Add) to add each additional host name that the SAN certificate must cover.
Fill in the organization information. Make sure every box is filled in correctly, because the CA copies these values into the certificate. Click Next.
Browse to the UNC path of the shared folder where the CSR (Certificate Signing Request) file will be stored. Click Finish. You can browse the UNC path to open the file. Open the file with Notepad as shown below. You will see the Base64-encoded CSR text.
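The same two steps can be done from the Exchange Management Shell. The following is an added example and not part of the original post: the server name, share name, friendly name and host names are the ones used above, while the request file name, key size and the organization fields in the subject are assumptions to replace with your own values.

```powershell
# Added example (not from the original post): Exchange Management Shell
# equivalent of Steps 1 and 2. Run on the Mailbox server as an Exchange admin.
$server  = 'MBG-EX01'
$csrDir  = "$env:USERPROFILE\Desktop\CSR"
$share   = 'CSR'
$reqFile = "\\$server\$share\sslcert.req"          # file name is an assumption
$ets     = "$env:USERDOMAIN\Exchange Trusted Subsystem"

# Step 1: folder, share and NTFS permission. The shell could write the request
# to a local path; the share is kept here to mirror the EAC wizard. Only
# Exchange Trusted Subsystem gets Full Control, Everyone gets Read, because the
# request holds only public data (the private key never leaves the server).
New-Item -ItemType Directory -Path $csrDir -Force | Out-Null
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $csrDir -FullAccess $ets -ReadAccess 'Everyone' | Out-Null
}
$acl  = Get-Acl -Path $csrDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ets, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $csrDir -AclObject $acl

# Step 2: generate the request. The CN and every name in -DomainName end up in
# the Subject Alternative Name extension, which is what the UCC/SAN certificate
# is issued for. The organization fields below are placeholders.
$txtRequest = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'SSL Certificate' `
    -SubjectName 'C=US, S=State, L=City, O=Must Be Geek, OU=IT, CN=mail.mustbegeek.com' `
    -DomainName 'mail.mustbegeek.com','autodiscover.mustbegeek.com' `
    -PrivateKeyExportable $true `
    -KeySize 2048

# The EAC wizard writes the request as Unicode text; do the same so the CA
# portal receives an identical file.
[System.IO.File]::WriteAllBytes($reqFile, [System.Text.Encoding]::Unicode.GetBytes($txtRequest))

# Check the names and key size in the request before paying for the certificate.
certutil.exe -dump $reqFile | Select-String -Pattern 'Subject:|DNS Name=|Public Key Length'
```

The certutil check at the end is the step most often skipped: a name missing from the request cannot be added by the CA afterwards, and the certificate would have to be reissued.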
Step 3. Process CSR with third-party CA
Now log on to SSLs.com and purchase a multi-domain certificate. I have already purchased one and it is ready to activate.
Go to All certs. Click New under Status and click Activate. You will be presented with a box to paste the CSR text that we got from the Exchange server.
Paste the CSR text that we copied from the sslcert.req file. Click the READ MY CSR button.
Choose "I am installing on Windows Server". Click the LOOKS GOOD, ONWARD button.
Review the host names. These are picked up automatically from the pasted CSR text, so this is the place to catch a missing name before the certificate is issued. Click the ONWARD button.
Now choose a valid email address for domain validation. Make sure you can receive mail at this address, because the CA will send the validation link there. Click the GOT IT, ONWARD button.
Fill in the contact information. Click the ONWARD button. A verification email will be sent to email@example.com and firstname.lastname@example.org. Verification instructions are included in the same email. Verify the contact information.
Step 4. Download and Install certificate
Once you receive the certificate in your inbox, download it to the same shared folder. Go back to the certificates page in the EAC.
You will see that SSL Certificate is in Pending status. Click Complete to continue the certificate installation. The request must be completed on the same server that generated it, because that is where the matching private key is stored.
Type the UNC path of the shared folder including the file name. Don't forget the .cer extension. Click OK.
The certificate is now installed successfully, as you can see in the certificate details above. It is issued by the COMODO Certificate Authority (CA). It expires on 10/29/2016. Notice that Assigned services is set to None. This means the certificate has been installed but is not being used yet. Now double-click the certificate to assign services.
Check the services SMTP, IMAP, POP and IIS. Click Save. Click Yes on the warning that says the certificate will overwrite the current certificate. This warning refers to the default SMTP certificate: the new certificate replaces the self-signed one for STARTTLS on the receive connectors, which is what we want on a single server. Now close Internet Explorer and re-open it.
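Completing the request and assigning services can also be done from the Exchange Management Shell, with a few checks that the EAC does not make for you. The following is an added example and not part of the original post; the certificate file name is an assumption, since the CA chooses it, and the server and host names are the ones used above.

```powershell
# Added example (not from the original post): Exchange Management Shell
# equivalent of Step 4, with validation before the certificate goes live.
$server   = 'MBG-EX01'
$certFile = "\\$server\CSR\mail_mustbegeek_com.cer"   # file name is an assumption
$expected = 'mail.mustbegeek.com','autodiscover.mustbegeek.com'

# Complete the pending request. Exchange pairs the issued certificate with the
# pending request by public key, so this only succeeds on the server where the
# request (and therefore the private key) was generated.
$imported = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($certFile))
$cert = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint

# Checks before binding services: every planned name present, not about to
# expire, and the chain builds on this server (Status is Valid). An Invalid or
# Untrusted status usually means the CA's intermediate certificate is missing.
$missing = @($expected | Where-Object { $_ -notin $cert.CertificateDomains })
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires on $($cert.NotAfter)" }
if ($cert.Status -ne 'Valid') { throw "Certificate status is $($cert.Status); fix the chain first" }

# Bind the certificate to SMTP, IMAP, POP and IIS. -Force answers the
# "Overwrite the existing default SMTP certificate?" prompt that the EAC shows.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
    -Services SMTP,IMAP,POP,IIS -Force

# Confirm: the new certificate lists the four services, the old self-signed
# one no longer lists them, and the WMSVC certificate is untouched.
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Services, Status, NotAfter, CertificateDomains -AutoSize
```

New connections pick up the IIS binding straight away; an already open browser session may keep showing the old certificate until it is closed, which is why the post has you restart Internet Explorer.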
Log on to https://mail.mustbegeek.com/ecp. Find the lock icon in the address bar. As you can see above, the site is now secured. You can also click View certificates to view the details of the certificate.
You can see the subject alternative names as shown above. In this way you can install an SSL certificate in Exchange 2016.
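The browser lock icon only checks the HTTPS endpoint from one client. The following added example, not part of the original post, checks from any Windows client what the server actually presents on port 443 and on port 25 after STARTTLS, and validates the chain against that client's trust store (which is exactly where a Windows PKI certificate would fail on a non-domain machine). The host names are the ones used in the post; the EHLO name is a placeholder.

```powershell
# Added example (not from the original post): inspect and validate the
# certificate that Exchange serves on HTTPS and on SMTP STARTTLS.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [switch]$StartTls    # SMTP: upgrade the plaintext session before the handshake
    )
    $tcp    = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $tcp.GetStream()
    if ($StartTls) {
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        # An SMTP reply may span several lines; continuation lines look like "250-".
        $readReply = { do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-'); $line }
        & $readReply | Out-Null                         # 220 banner
        $writer.WriteLine('EHLO client.example')        # placeholder client name
        & $readReply | Out-Null
        $writer.WriteLine('STARTTLS')
        if ((& $readReply) -notmatch '^220') { throw "STARTTLS not offered on ${Server}:$Port" }
    }
    # Accept whatever is presented here; validation is done separately below so
    # that a bad certificate is reported instead of just failing the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $tcp.Close()
    return $cert
}

function Test-ServedCertificate {
    param([string]$Server, [int]$Port, [switch]$StartTls, [string[]]$ExpectedNames)
    $cert   = Get-ServedCertificate -Server $Server -Port $Port -StartTls:$StartTls
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sans   = @(if ($sanExt) { $sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[1] } })
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [pscustomobject]@{
        Endpoint     = "${Server}:$Port"
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)          # True means the default certificate is still in use
        SANs         = $sans
        MissingNames = @($ExpectedNames | Where-Object { $_ -notin $sans })
        ChainValid   = $chain.Build($cert)                       # against this client's trust store
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$names = 'mail.mustbegeek.com','autodiscover.mustbegeek.com'
Test-ServedCertificate -Server mail.mustbegeek.com -Port 443 -ExpectedNames $names
Test-ServedCertificate -Server mail.mustbegeek.com -Port 25 -StartTls -ExpectedNames $names
```

A healthy result has SelfSigned False, an empty MissingNames list and ChainValid True on both endpoints. If port 443 is fine but port 25 still shows the self-signed certificate, the SMTP service was not assigned or the overwrite warning was answered No.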