Install SSL Certificate in Exchange 2016





Digital certificates are used to secure communication between clients and servers over TLS (still commonly called SSL, hence "SSL certificate"). When you install Exchange 2016, it creates self-signed certificates by default. Those certificates are not trusted by other systems, so clients will show certificate warnings until you install a certificate issued by a CA they trust. In this post, I will show the steps to install an SSL certificate in Exchange 2016. There are different types of digital certificates available:

  1. Self-Signed Certificates: These certificates are generated by the local application and are only trusted by the system that generated them. The self-signed certificate created by Exchange has the server's own host name as its subject alternative name, so clients connecting to any other name (for example mail.mustbegeek.com) get a name-mismatch warning on top of the untrusted-issuer warning.
  2. Windows Public Key Infrastructure (PKI) Certificates: A Windows server can be configured as a Certificate Authority (CA) by installing the Active Directory Certificate Services (AD CS) role. Certificates issued by a Windows CA are known as Windows PKI certificates. They are trusted only by clients that have the CA's root certificate in their trust store, typically domain-joined computers that receive it through Group Policy; Internet users and non-domain devices such as phones do not trust them by default.
  3. Trusted Third-Party Certificates: These certificates are sold by public Certificate Authorities (CAs) and are trusted by a wide range of devices on the Internet. The most popular types of third-party certificates are UCC/SAN and wildcard certificates. UCC/SAN certificates can list multiple domain names in the certificate. Wildcard certificates carry a *.domain.com subject alternative name, which covers any single-label host under domain.com and eliminates the need to list each host name separately. Wildcard certificates are not supported by some older applications and devices and can create compatibility issues.

In Exchange 2016, services such as Outlook on the web, the EAC, Exchange Web Services, ActiveSync, Outlook Anywhere, Autodiscover and Offline Address Book distribution all use the same digital certificate once it is installed. This is because all of these services are virtual directories under the same Default Web Site in IIS, and a single HTTPS binding carries one certificate. POP/IMAP and SMTP can use the same or a different certificate. For simplicity, it is recommended to assign the same certificate to all services.

Exchange 2016 Scenario

The diagram above shows a simple scenario. Exchange 2016 has already been installed. The domain names to be used internally and externally have already been planned. The mail.mustbegeek.com name will be used by both internal and external users. For the Autodiscover service, autodiscover.mustbegeek.com will be used. So we need a certificate with two subject alternative names, mail.mustbegeek.com and autodiscover.mustbegeek.com. The internal and external URLs of the virtual directories have already been configured to match these names. Here, I will install a UCC/SAN certificate from SSLs.com.



Install SSL Certificate in Exchange 2016

Step 1. Create shared folder with NTFS permission for Exchange Trusted Subsystem group

The certificate request file needs to be stored on a shared folder, because Exchange writes it through a UNC path under the Exchange Trusted Subsystem identity. So, before creating the certificate request you need to create a shared folder with appropriate NTFS permissions. I will create a folder named CSR on the desktop of the MBG-EX01 server. You can set up the folder in any location as long as the Exchange server can reach it. Note that only the request (the public key and the requested names) and, later, the issued certificate are written to this share; the private key stays in the Exchange server's local computer certificate store and never touches the share.

Install SSL Certificate in Exchange 2016

Now open the properties of the folder. Click the Sharing tab. Click the Advanced Sharing button. Check the option Share this folder. Click the Permissions button. The screenshot grants Full Control to Everyone at the share level; since the effective permission is the more restrictive of the share and NTFS permissions, the NTFS ACL set below is what actually limits access, but granting Change (or Full Control) only to Exchange Trusted Subsystem and your administrator account is the tighter choice. Click OK twice.

trusted subsystem

To assign the NTFS permission, click the Security tab. Under Group or user names, click the Edit button to change permissions. Click Add to add the Exchange Trusted Subsystem group. Type Exchange Trusted Subsystem and click Check Names. Click OK once it is found. Assign Full Control to the Exchange Trusted Subsystem group as shown above. Click OK and click Close.

Step 2. Generate CSR from Exchange server

Now, let's create the certificate signing request (CSR). Log on to the Exchange Admin Center (EAC). Click servers in the feature pane. Select the certificates tab.

add new certificate

You can see that three default certificates have already been created. Never delete the WMSVC (IIS Web Management Service) certificate. WMSVC is a self-signed certificate and is necessary for remote management of the web server. Click + (Add) to add a new certificate.

CSR

We want to install a public certificate, not a self-signed certificate. Choose the option Create a request for a certificate from a certification authority. Click next.

cert name

Type a friendly name to recognize this certificate, for example SSL Certificate. Click next.

Install SSL Certificate in Exchange 2016

This option generates a CSR for a wildcard certificate. We need a SAN/UC certificate, so leave it unchecked. Click next.

store csr

Click browse and select the mailbox server. This is the server where the certificate request (and its private key) will be stored. Click next.

specify domains

Here you can specify which domain names to include in the certificate. You can leave the defaults and edit the domain names on the next page, as shown below.

domain edit

Select any unwanted domain names and click the – (minus) sign to delete them. Click + (Add) to add additional domain names to include in the SAN certificate. For this scenario the list should end up containing exactly mail.mustbegeek.com and autodiscover.mustbegeek.com.

organization info

Fill in the organization information and make sure it is correct; it becomes part of the certificate subject. Click Next.

cert req

Browse to the UNC path of the shared folder where the CSR (Certificate Signing Request) file will be stored, for example \\MBG-EX01\CSR\sslcert.req. Click Finish. You can then browse to the UNC path and open the file with Notepad, as shown below. You will see the base64-encoded request between the BEGIN and END CERTIFICATE REQUEST markers; this is the text you paste into the CA's order form.

CSR Req file
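Steps 1 and 2 can also be done from the Exchange Management Shell, which is handy when you have several servers or want the permissions tighter than the Everyone/Full Control share above. The script below is an added example, not code from the original post. It assumes the server name MBG-EX01, the domain NetBIOS name MUSTBEGEEK, a local folder C:\CSR shared as CSR, and placeholder organization details in the subject; adjust those to your environment. It grants share and NTFS access only to Exchange Trusted Subsystem and the admin running it, generates the same two-name request, and checks that both names made it into the pending request before you order the certificate.

```powershell
# Added example (not from the original post): Steps 1 and 2 from the Exchange Management Shell.
# Assumptions: server MBG-EX01, domain NetBIOS name MUSTBEGEEK, folder C:\CSR shared as CSR,
# and placeholder organization details. Run in the Exchange Management Shell as an Exchange admin.

$Server     = 'MBG-EX01'
$LocalPath  = 'C:\CSR'
$ShareName  = 'CSR'
$ShareUnc   = "\\$Server\$ShareName"
$TrustedSub = 'MUSTBEGEEK\Exchange Trusted Subsystem'
$Admin      = "$env:USERDOMAIN\$env:USERNAME"

# Step 1: folder, share and NTFS ACL. Only Exchange Trusted Subsystem (the identity Exchange
# uses to write the request) and the admin running the script get access; Everyone gets nothing
# (New-SmbShare only adds Everyone:Read when no access parameter is given).
New-Item -Path $LocalPath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LocalPath -ChangeAccess $TrustedSub, $Admin | Out-Null
}
# Modify (M) on the folder, inherited by files (OI) and subfolders (CI).
icacls $LocalPath /grant "${TrustedSub}:(OI)(CI)M" | Out-Null

# Step 2: generate the request. The private key is created in the local computer certificate
# store on $Server; only the PKCS#10 request (public key + names) is written to the share.
$subject = 'CN=mail.mustbegeek.com, O=Must Be Geek, L=City, S=State, C=US'   # placeholder org details
$req = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -FriendlyName 'SSL Certificate' `
    -SubjectName $subject `
    -DomainName 'mail.mustbegeek.com', 'autodiscover.mustbegeek.com' `
    -KeySize 2048 -PrivateKeyExportable $true

# PEM is plain ASCII; write it without a BOM so the CA's order form parses it cleanly.
Set-Content -Path "$ShareUnc\sslcert.req" -Value $req -Encoding Ascii

# Checks before ordering: the request is pending on the server and lists both names.
$pending = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'PendingRequest' -and $_.FriendlyName -eq 'SSL Certificate' }
$pending | Format-List FriendlyName, Subject, CertificateDomains, Status, Thumbprint

$names = @($pending.CertificateDomains | ForEach-Object { $_.ToString() })
foreach ($required in 'mail.mustbegeek.com', 'autodiscover.mustbegeek.com') {
    if ($names -notcontains $required) {
        Write-Warning "$required is missing from the request; regenerate it before ordering."
    }
}

# certutil can decode a PKCS#10 file, so you can eyeball the SAN extension and the 2048-bit key
# in the exact bytes you are about to paste into the CA portal.
certutil -dump "$ShareUnc\sslcert.req"
```

The thumbprint shown for the pending request is the one you will see again after the issued certificate is imported; if they differ, the request was regenerated in between and the CA-issued certificate will not match the private key on the server.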

Step 3. Process CSR with third-party CA

Now log on to SSLs.com and purchase a multi-domain certificate. I have already purchased one and it is ready to activate.

activate cert

Go to All certs. Click New under Status and click Activate. You will be presented with a box to paste the CSR we got from the Exchange server.

enter CSR

Paste the CSR text copied from the sslcert.req file, including the BEGIN and END lines. Click the READ MY CSR button.

looks good

Choose I am installing on Windows Server. Click the LOOKS GOOD, ONWARD button.

domain names

Review the domain names. These are picked up automatically from the pasted CSR. Make sure both mail.mustbegeek.com and autodiscover.mustbegeek.com are listed; if one is missing, go back and regenerate the CSR rather than continuing. Click the ONWARD button.

verify domain name

Now choose a valid email address for each domain in order to prove control of the domain. CAs only accept a fixed set of addresses such as admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at the domain (or an address from the domain's WHOIS record), so make sure you can actually receive mail at the address you pick. Click the GOT IT, ONWARD button.

verification

Fill in the contact information. Click the ONWARD button. A verification email with the verification instructions will be sent to administrator@mustbegeek.com and admin@mustbegeek.com. Follow those instructions to complete domain validation; the certificate is not issued until this is done.

Step 4. Download and Install certificate

Once you receive the certificate by email, download it to the same shared folder. Go back to the certificates page in the EAC.

ssl certificate

You will see that SSL Certificate is in pending status. Click Complete to continue the certificate installation.

complete pending req

Type the UNC path of the shared folder including the file name, for example \\MBG-EX01\CSR\sslcert.cer. Don't forget the .cer extension. Click OK. If the CA delivered its intermediate CA certificate(s) separately, import them into the server's Intermediate Certification Authorities store too; otherwise clients that do not already have the intermediate will see an incomplete chain and still warn.

cert completed

The certificate is now installed successfully, as you can see in the certificate details above. It was issued by the COMODO Certificate Authority (CA) and expires on 10/29/2016. Notice that Assigned services is set to none. This means the certificate has been installed but is not being used yet. Now double-click the certificate to assign services.

Install SSL Certificate in Exchange 2016

Check the services: SMTP, IMAP, POP and IIS. Click save. Click Yes on the warning that the certificate will overwrite the current certificate (this is the prompt to replace the self-signed certificate as the default SMTP certificate, which Exchange uses for STARTTLS; the IIS binding on the Default Web Site is replaced as well). Now close Internet Explorer and re-open it.

secured

Log on to https://mail.mustbegeek.com/ecp. Find the lock icon in the address bar. As you can see above, the site is now secured with a trusted certificate. You can also click View certificates to view the details of the certificate.

certificate

You can view the subject alternative names as shown above. In this way you can install an SSL certificate in Exchange 2016.
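For completeness, here is Step 4 from the Exchange Management Shell, followed by an end-to-end check of what a client actually receives from the server rather than what the EAC reports. This is an added example, not code from the original post. It assumes the server MBG-EX01, the issued certificate at \\MBG-EX01\CSR\sslcert.cer, an optional intermediate at \\MBG-EX01\CSR\intermediate.cer (file name chosen here), and the friendly name SSL Certificate used earlier.

```powershell
# Added example (not from the original post): complete the pending request, assign services,
# and verify what clients actually see. Assumes server MBG-EX01, \\MBG-EX01\CSR\sslcert.cer,
# and an optional \\MBG-EX01\CSR\intermediate.cer (file name is an assumption).

$Server  = 'MBG-EX01'
$CerPath = '\\MBG-EX01\CSR\sslcert.cer'

# Complete the request. Exchange matches the issued certificate to the pending request by
# public key, so the private key generated in Step 2 is joined to it automatically.
$cert = Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes($CerPath))

# If the CA shipped the intermediate separately, put it in the Intermediate Certification
# Authorities store so the server sends the full chain. (-FileData above also accepts a
# .p7b bundle that already contains the chain.)
$intermediate = '\\MBG-EX01\CSR\intermediate.cer'
if (Test-Path $intermediate) {
    Import-Certificate -FilePath $intermediate -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
}

# Assign the services. -Force answers the "overwrite the default SMTP certificate" prompt.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP -Force

# POP/IMAP select their certificate by name, so point them at a name on the new certificate.
Set-PopSettings  -Server $Server -X509CertificateName 'mail.mustbegeek.com'
Set-ImapSettings -Server $Server -X509CertificateName 'mail.mustbegeek.com'

Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Issuer, NotAfter, CertificateDomains, Services, Status

# Connect like a client would and read the certificate the server presents on port 443.
# The validation callback returns $true so a broken chain still lets us read the certificate;
# chain validity is then checked separately with Verify().
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, as browsers do
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

foreach ($name in 'mail.mustbegeek.com', 'autodiscover.mustbegeek.com') {
    $served = Get-ServedCertificate -HostName $name
    $sanExt = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    [pscustomobject]@{
        Name       = $name
        Thumbprint = $served.Thumbprint
        MatchesNew = ($served.Thumbprint -eq $cert.Thumbprint)
        ChainValid = $served.Verify()     # $false usually means a missing intermediate
        NotAfter   = $served.NotAfter
        SAN        = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    }
}
```

MatchesNew being $false for one of the names means that name is still bound to the old certificate (for example a second IP address or web site binding); ChainValid being $false with the right thumbprint almost always means the intermediate was not imported. The same Get-ServedCertificate function works for IMAPS (993) and POP3S (995), which negotiate TLS immediately on connect; SMTP on 25 requires the STARTTLS exchange first and is not covered here.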




Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.
