
How to Create certificate in Exchange Server

How to create a certificate in Exchange Server? It’s important to secure the connections to Exchange Server with an SSL certificate. Let’s look at how to generate a certificate request, complete the certificate request, and assign the services to the certificate. Use the same steps in this article to renew a third-party certificate in Exchange Server.

Exchange Server certificates

Exchange Server creates three self-signed certificates during installation:

  • Microsoft Exchange – the default certificate, assigned to IIS, SMTP, POP and IMAP
  • Microsoft Exchange Server Auth Certificate – used for OAuth (server-to-server authentication)
  • WMSVC – used by the IIS Web Management Service

Clients and other mail servers do not trust these self-signed certificates. In addition to the defaults, you should install on the Exchange Server a certificate issued by a certification authority (CA) that clients already trust:

  • Third-party certificate (CA-signed)

How to create certificate in Exchange Server

Let’s look at the steps to create a third-party certificate in Exchange Server. Run the below commands in Exchange Management Shell.

Step 1. Create shared folder

Sign in to the Exchange Server. This can be a new Exchange Server or one that is already installed and configured. Create a folder on the (C:) drive and name it Certs. Right-click the Certs folder and share it. The share is only needed so that the commands below can use a UNC path that also works from another machine; if you run everything on the server itself, a local path such as C:\Certs works as well.

Assign permissions to the shared folder, and keep them this tight; the folder is going to hold your certificate files:

  • Your account (administrator) – Permissions Change/Read Allow
  • SYSTEM – Permissions Change/Read Allow

Browse to the share path (\\ex01-2019\Certs in this example) and verify that you can open the folder before proceeding to the next step.


Step 2. Generate Exchange certificate request

Starting with Exchange Server 2016 CU23 and Exchange Server 2019 CU12, the New certificate wizard is no longer available in the Exchange Admin Center. The only way to create an Exchange certificate request is PowerShell (Exchange Management Shell).

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as input from the Exchange Server PowerShell cmdlets and from the Exchange Admin Center. This applies to all cumulative updates of Exchange Server 2019 from CU12 and of Exchange Server 2016 from CU23 onward, which is why the commands below read and write the files themselves instead of passing a path to the cmdlet. Read more in the article Exchange Server certificate changes.

Run Exchange Management Shell as administrator. Run the New-ExchangeCertificate cmdlet and fill in the details:

  • Server: The Exchange Server on which the request and the private key are generated.
  • GenerateRequest: Creates a certificate signing request (CSR) for a CA to sign instead of a new self-signed certificate.
  • FriendlyName: The friendly name shown in the EAC and in Get-ExchangeCertificate; use it later to find the certificate.
  • PrivateKeyExportable: Marks the private key as exportable so you can export the certificate with its key to other Exchange Servers. Anyone with local administrator rights can then export the key too, so set it to $true only if you need to copy the certificate to other servers.
  • SubjectName: The subject field of the certificate request. Put the primary name in the CN.
  • DomainName: One or more FQDNs for the Subject Alternative Name (SAN) field. Browsers and Outlook match on the SAN, so every name clients connect to (here the OWA/EWS/MAPI name and the Autodiscover name) must be listed.

The key size defaults to 2048 bits; the private key is created in the local computer certificate store of the server and does not leave it.

$txtrequest = New-ExchangeCertificate -Server "EX01-2019" -GenerateRequest -FriendlyName "Exchange Certificate 3rd party" -PrivateKeyExportable $true -SubjectName "c=NL, s=South Holland, l=The Hague, o=EXOIP, ou=IT, cn=mail.exoip.com" -DomainName mail.exoip.com,autodiscover.exoip.com

To create a wildcard certificate request, change the CN in the -SubjectName parameter to the wildcard name and leave out the -DomainName parameter. The CA must issue a wildcard certificate for this request; a single-name product will be rejected.

$txtrequest = New-ExchangeCertificate -Server "EX01-2019" -GenerateRequest -FriendlyName "Exchange Certificate 3rd party" -PrivateKeyExportable $true -SubjectName "c=NL, s=South Holland, l=The Hague, o=EXOIP, ou=IT, cn=*.exoip.com"
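Whichever form you use, the -DomainName list has to cover every host name Exchange actually hands out to clients; a name that is missing from the certificate is the usual cause of the Outlook error "The name on the security certificate is invalid or does not match the name of the site." The script below is an added example and not part of the original article: it collects the host names from the virtual directory URLs, Outlook Anywhere, Autodiscover and the accepted domains on EX01-2019 and compares them with the names planned for the request. It assumes the server and domain names used in this article.

```powershell
# Added example, not part of the original article: enumerate the host names Exchange
# publishes for client access on EX01-2019 and compare them with the -DomainName list
# of the request. Assumes the server and names from the article (EX01-2019, exoip.com).
# Run in Exchange Management Shell.

$Server  = 'EX01-2019'
$Planned = @('mail.exoip.com', 'autodiscover.exoip.com')   # the -DomainName list of the request above
$names   = New-Object 'System.Collections.Generic.HashSet[string]'

function Add-HostName {
    param($Value)
    # Accepts Uri objects (virtual directory URLs) and host name strings (Outlook Anywhere).
    if (-not $Value) { return }
    $h = if ($Value -is [uri]) { $Value.Host } else { ([uri]"https://$Value").Host }
    if ($h) { [void]$names.Add($h.ToLowerInvariant()) }
}

# Internal and external URLs of every client-facing virtual directory.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server -ADPropertiesOnly
    Get-EcpVirtualDirectory         -Server $Server -ADPropertiesOnly
    Get-WebServicesVirtualDirectory -Server $Server -ADPropertiesOnly
    Get-ActiveSyncVirtualDirectory  -Server $Server -ADPropertiesOnly
    Get-OabVirtualDirectory         -Server $Server -ADPropertiesOnly
    Get-MapiVirtualDirectory        -Server $Server -ADPropertiesOnly
)
foreach ($v in $vdirs) { Add-HostName $v.InternalUrl; Add-HostName $v.ExternalUrl }

# Outlook Anywhere host names and the internal Autodiscover URI.
$oa = Get-OutlookAnywhere -Server $Server -ADPropertiesOnly
Add-HostName "$($oa.InternalHostname)"
Add-HostName "$($oa.ExternalHostname)"
Add-HostName (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri

# External Autodiscover is looked up as autodiscover.<SMTP domain>; one candidate per authoritative domain.
foreach ($d in Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }) {
    [void]$names.Add("autodiscover.$($d.DomainName)".ToLowerInvariant())
}

"Host names published by ${Server}:"
$names | Sort-Object
$missing = @($names | Where-Object { $Planned -notcontains $_ })
if ($missing.Count) {
    Write-Warning "Not covered by the request: $($missing -join ', ')"
} else {
    'All published names are covered by the request.'
}
```

If the warning lists an internal name such as the server's Active Directory FQDN, do not add it to the request; public CAs do not issue certificates for internal names. Point the internal URLs at the public name (split DNS) instead, so that one public certificate covers both sides.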

Run the second command to write the certificate request to the shared folder. The request contains only the public key and the requested names, so it is safe to copy around; the private key stays in the certificate store of EX01-2019. The file is written as UTF-16 text, which is the form Microsoft documents for this step.

[System.IO.File]::WriteAllBytes('\\ex01-2019\Certs\ExchangeCert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

Sign in to the Exchange Admin Center (EAC). Go to servers > certificates and verify that the new request is listed with the status Pending request.


Step 3. Process Exchange certificate request

Go to the shared folder and open ExchangeCert.req with Notepad.


Next, copy the certificate request.


Sign in to the third-party Certificate Authority of your choice. Make sure you order a multi-domain (SAN) certificate, because the request contains more than one domain name; a single-name product cannot cover both mail.exoip.com and autodiscover.exoip.com.


Paste the copied certificate request and check that the CSR information is correct. It will show the company name and the domains.


Proceed further with the payment.

The Certificate Authority will ask you to prove control of the domain. This is done either through an email sent to an address listed in the domain registration, or by adding a record that the CA specifies to the public DNS zone of the domain.

Step 4. Complete Exchange certificate request

When the CA has issued the certificate, download it and unpack the files into the shared folder on the Exchange Server. Most CAs deliver the server certificate together with one or more intermediate CA certificates. Install the intermediate certificates in the Intermediate Certification Authorities store of the local computer as well; without them, Exchange serves an incomplete chain and clients report the certificate as untrusted even though the EAC shows it as valid.

Give the server certificate file a recognizable name. In our example, the file name is Exoip.crt.


Run the Import-ExchangeCertificate cmdlet to complete the pending request. A CA-issued .crt file contains no private key, so the -Password parameter (which is only used for PFX files) is not needed and a password should not be hard-coded in the command:

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2019\Certs\Exoip.crt')) -PrivateKeyExportable:$true

The Exchange certificate will show the status Valid.


Step 5. Assign Exchange services to certificate

In the EAC, double-click the certificate and copy the certificate thumbprint. You can also read it from Get-ExchangeCertificate in the Exchange Management Shell.


Run the Enable-ExchangeCertificate cmdlet to assign services to the certificate. Fill in the thumbprint value you copied. The -Force switch suppresses the confirmation prompt that appears when the certificate replaces the existing default SMTP certificate; add POP to the list if clients use POP3.

Enable-ExchangeCertificate -Server "EX01-2019" -Thumbprint 6C31EB21621378CB5454A32F2DF0D1F87FAF69C5 -Services SMTP,IMAP,IIS -Force
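Steps 4 and 5 as one script, with the checks a practitioner wants before and after the import: that the issued certificate carries the expected names and that its chain builds on the server (the intermediate is installed), that a pending request with the friendly name from step 2 exists, and that the imported certificate actually has its private key before services are assigned. This is an added example, not code from the original article; it assumes the server, friendly name and file name used in this article and that the Exchange Management Shell runs as administrator on EX01-2019.

```powershell
# Added example, not part of the original article: complete the pending request from step 2
# with checks before and after the import, then enable services. Assumes the friendly
# name and file names from the article and that EMS runs as administrator on EX01-2019.

$Server       = 'EX01-2019'
$FriendlyName = 'Exchange Certificate 3rd party'
$CertFile     = 'C:\Certs\Exoip.crt'

# 1. Look at what the CA issued before touching Exchange: names, validity, and whether the chain
#    builds on this server. A broken chain means the CA's intermediate certificate is not installed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
if ($san) { "SAN     : $($san.Format($false))" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Chain does not build; import the intermediate CA certificate into Intermediate Certification Authorities first.'
}

# 2. The import only completes a request that is still pending under this friendly name.
$pending = Get-ExchangeCertificate -Server $Server | Where-Object {
    $_.FriendlyName -eq $FriendlyName -and $_.Status -eq 'PendingRequest'
}
if (-not $pending) { throw "No pending request named '$FriendlyName' on $Server." }

# 3. Complete it. A CA-issued .crt carries no private key, so no -Password is needed.
Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes($CertFile)) -PrivateKeyExportable:$true

# 4. Pick the thumbprint up by friendly name instead of copying it from the EAC, confirm the
#    private key is attached (key and CSR were generated together on this server), then enable.
$new = Get-ExchangeCertificate -Server $Server | Where-Object {
    $_.FriendlyName -eq $FriendlyName -and $_.Status -eq 'Valid' -and $_.HasPrivateKey
}
if (-not $new) { throw 'Import did not yield a valid certificate with a private key.' }

Enable-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint -Services SMTP,IMAP,IIS -Force
Get-ExchangeCertificate -Server $Server -Thumbprint $new.Thumbprint |
    Format-List FriendlyName, Subject, Thumbprint, Services, NotAfter
```

The check in step 2 matters when a certificate shows up in the computer's certificate store but the EAC keeps showing Pending request, or when the imported certificate has no private key: both mean the file was imported as a stand-alone certificate instead of completing the request that holds the key.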

Step 6. Restart IIS (Internet Information Services)

Restart Internet Information Services (IIS) on the Exchange Server so that the web sites pick up the new certificate binding.

iisreset

Step 7. Verify new Exchange certificate

Open the Outlook on the web (OWA) URL or the Exchange Admin Center (EAC) URL in a browser. Verify that the connection is reported as secure and that the certificate shown is the new one. Also check that the Outlook client starts without certificate errors.
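A browser only tells you what the HTTPS site serves. The certificate was also enabled for SMTP and IMAP, so it is worth checking what the server presents on those ports as well. The script below is an added example and not part of the original article: it connects like a client, negotiates TLS on 443 directly and on 25 after STARTTLS, and compares the served certificate's thumbprint with the one enabled in step 5. It assumes that mail.exoip.com resolves to EX01-2019 and uses the thumbprint from this article.

```powershell
# Added example, not part of the original article: connect as a client would and compare the
# certificate actually served on HTTPS (443) and on SMTP with STARTTLS (25) with the thumbprint
# enabled in step 5. Assumes mail.exoip.com points at EX01-2019 and the thumbprint from the article.

$HostName = 'mail.exoip.com'
$Expected = '6C31EB21621378CB5454A32F2DF0D1F87FAF69C5'

function Get-ServedCertificate {
    param([string]$TargetHost, [int]$Port, [switch]$SmtpStartTls)

    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $stream = $client.GetStream()
    try {
        if ($SmtpStartTls) {
            # Plain-text SMTP up to STARTTLS: 220 banner, EHLO (250-... lines, last one '250 '), STARTTLS (220).
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            if ($reader.ReadLine() -notmatch '^220') { throw 'No SMTP banner received' }
            $writer.WriteLine('EHLO certcheck.example')
            do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line.Substring(3, 1) -eq '-')
            $writer.WriteLine('STARTTLS')
            $line = $reader.ReadLine()
            if ($line -notmatch '^220') { throw "STARTTLS refused on port ${Port}: $line" }
        }
        # The callback accepts any certificate: the point is to inspect what was served, not to trust it.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
        $ssl.AuthenticateAsClient($TargetHost)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Name = 'HTTPS 443'; Cert = Get-ServedCertificate -TargetHost $HostName -Port 443 }
    @{ Name = 'SMTP 25';   Cert = Get-ServedCertificate -TargetHost $HostName -Port 25 -SmtpStartTls }
)
foreach ($c in $checks) {
    $state = if ($c.Cert.Thumbprint -eq $Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-9} {1,-8} {2}  expires {3:yyyy-MM-dd}' -f $c.Name, $state, $c.Cert.Subject, $c.Cert.NotAfter
}
```

A mismatch on port 25 while 443 is fine usually points at the receive connector rather than the certificate: for STARTTLS, Exchange picks the certificate whose subject or SAN matches the FQDN configured on the receive connector (or the TlsCertificateName set on it), so the connector FQDN has to be one of the names in the certificate.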


Step 8. Copy certificate to another Exchange Server

Suppose you have more than one Exchange Server. Then you don't have to repeat all the steps on each of them. Instead, export the certificate together with its private key from the first server and import it on the other Exchange Servers. This only works if the request was created with -PrivateKeyExportable $true.
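The export and import, as an added example that is not part of the original article. It assumes a second server named EX02-2019 (a hypothetical name), the thumbprint used in this article, and that the Exchange Management Shell runs as administrator on EX01-2019. The PFX password is prompted for rather than written into the script, and the PFX file is deleted afterwards because it contains the private key.

```powershell
# Added example, not part of the original article: move the certificate with its private key
# from EX01-2019 to a second server and assign the same services there. Assumes EX02-2019
# (hypothetical name), the thumbprint from the article, and EMS run as administrator on EX01-2019.

$Source     = 'EX01-2019'
$Target     = 'EX02-2019'
$Thumbprint = '6C31EB21621378CB5454A32F2DF0D1F87FAF69C5'
$PfxPath    = 'C:\Certs\Exoip.pfx'

# The PFX contains the private key, so it is protected by a password that is prompted for, never hard-coded.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Export fails unless the request was created with -PrivateKeyExportable $true.
$pfx = Export-ExchangeCertificate -Server $Source -Thumbprint $Thumbprint -BinaryEncoded -Password $password
[System.IO.File]::WriteAllBytes($PfxPath, $pfx.FileData)

try {
    # Import on the second server and assign the same services; -Server makes the cmdlet act on that server.
    Import-ExchangeCertificate -Server $Target -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $password -PrivateKeyExportable:$true
    Enable-ExchangeCertificate -Server $Target -Thumbprint $Thumbprint -Services SMTP,IMAP,IIS -Force
} finally {
    # Do not leave a private key lying around on a share.
    Remove-Item -Path $PfxPath -Force -ErrorAction SilentlyContinue
}

# Confirm on both servers that the same certificate is valid, has its private key and the expected services.
foreach ($s in $Source, $Target) {
    Get-ExchangeCertificate -Server $s -Thumbprint $Thumbprint |
        Select-Object @{ n = 'Server'; e = { $s } }, Subject, Services, HasPrivateKey, NotAfter
}
```

Run iisreset on the second server afterwards, as in step 6, so that its web sites pick up the new binding.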

Step 9. Renew Exchange Hybrid certificate

If you have an Exchange Hybrid environment, there are a couple more configurations. The Office 365/Microsoft 365 send and receive connectors reference the certificate by its TlsCertificateName (issuer and subject), not by thumbprint, so you must update them to the third-party certificate, especially when the renewed certificate comes from a different CA or has a different subject. More on that in the article Renew certificate in Exchange Hybrid.

Conclusion

You learned how to create a certificate in Exchange Server. First, generate a certificate request. Next, complete the certificate request. Finally, assign the services to the certificate. The same steps apply when you want to renew an Exchange Server third-party certificate.

Did you enjoy this article? You may also like Renew Microsoft Exchange Server Auth Certificate. Don’t forget to follow us and share this article.

ALI TAJRAN


ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 24 Comments

  1. Great article! It is very practical! May I ask a question? The Exchange Delegation Federation certificate has expired in an Exchange 2016 hybrid deployment environment, and there is no clear answer in the Microsoft documentation. Thanks in advance.

  2. Hello!

    If we are using our internal CA through Active Directory Certificate Services, can we just issue the certificate through MMC and then use the Import-ExchangeCertificate cmdlet to import? Or do we have to create the request through the New-ExchangeCertificate cmdlet first?

  3. Hello. I used this for the cert request but every time I open Outlook on a client PC I get a ‘The name on the security certificate is invalid or does not match the name of the site.’ error. For the life of me, I can’t figure out why. Could you help? Kind regards, John

  4. Thank you for this. First article I found on this that made sense and actually worked!

  5. If I have imported the certificate and it's showing as valid, but when I try to export it to put on other servers the private key isn't there, what have I missed?

  6. If I have multiple domains, and want to have a multiple domain wildcard certificate, how can I add multiple wildcard domains in the certificate request?

  7. Thank you for this article! It was very helpful.
    It is amazing to me how difficult Microsoft has made this.

  8. Hi dear Ali,
    Thanks for your superb Exchange how-to.

    After we generate the CSR by PowerShell, how can I find the private key? Where is the path?

    Best Regards,

  9. You can create the certificate with mmc certificate snapin in the local computer personal store on the exchange server and it will show up in exchange 🙂
    So no need to create it with ems.

  10. I followed your instructions but after running the Import-ExchangeCertificate cmdlet to complete the pending certificate my certificate gets imported on the computer but EAC still shows status Pending request!!! It does not change to Valid. I run MMC and see my certificate is imported. It looks like cmdlet does not work as expected and my MS Exchange 2016 is not aware of new certificate. How do I fix this?

    Before I never had trouble using EAC wizard for this. Is there any way to bring the wizard back? So much easier.

  11. Poor Microsoft. A long time ago Exchange 2010 had a cool EMC GUI, and now we have only a text console like MS-DOS 30 years ago. Welcome back..

  12. Excellent article!! I really appreciate you breaking all the tasks down in to easily understandable content. You are my go-to when I need to figure something out. Thank you, Ali.

  13. Well-written article with a clear explanation. I think an Exchange engineer understands it quickly, but if someone is learning Exchange Server, this article is good for them to test on VMware again and again..
