Create shared folder
Sign in to the Exchange Server. This can be the new Exchange Server or one that is already installed and configured. Create a folder on the (C:) drive and give it the name Certs. Right-click the Certs folder and share this folder.
Assign permissions to the folder:
- Your account (administrator) – Permissions Change/Read Allow
- SYSTEM – Permissions Change/Read Allow
Browse to the shared Certs folder path and verify that you can open the folder before proceeding to the next step.
Create Exchange certificate
Starting from Exchange Server 2016 CU23 and later and Exchange Server 2019 CU12 and later, the only option to create the Exchange certificate is with PowerShell (Exchange Management Shell).
Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). Read more in the article Exchange Server certificate changes.
Generate Exchange certificate request
Run Exchange Management Shell as administrator. Run the New-ExchangeCertificate cmdlet and fill in the details:
- Server: Specifies the Exchange Server to generate the request on.
- GenerateRequest: Prepares a certificate request for a third-party CA.
- FriendlyName: The friendly name of the certificate.
- PrivateKeyExportable: Allows you to export the certificate and import it on other Exchange Servers.
- SubjectName: The subject field of the certificate request.
- DomainName: Specifies one or more FQDNs.
[PS] C:\>$txtrequest = New-ExchangeCertificate -Server "EX01-2019" -GenerateRequest -FriendlyName "Exchange Certificate 3rd party" -PrivateKeyExportable $true -SubjectName "c=NL, s=South Holland, l=The Hague, o=EXOIP, ou=IT, cn=mail.exoip.com" -DomainName mail.exoip.com,autodiscover.exoip.com
To create a wildcard certificate request, you should adjust the -SubjectName parameter and remove the -DomainName parameter.
[PS] C:\>$txtrequest = New-ExchangeCertificate -Server "EX01-2019" -GenerateRequest -FriendlyName "Exchange Certificate 3rd party" -PrivateKeyExportable $true -SubjectName "c=NL, s=South Holland, l=The Hague, o=EXOIP, ou=IT, cn=*.exoip.com"
Run the second command to export the certificate request to the shared folder.
[PS] C:\>[System.IO.File]::WriteAllBytes('\\ex01-2019\Certs\ExchangeCert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
Sign in to Exchange Admin Center. Go to servers > certificates. Verify that you see the Exchange certificate with the Pending request status.
Process Exchange certificate request
Go to the shared folder and open ExchangeCert.req with Notepad.
Next, copy the certificate request.
Sign in to the third-party Certificate Authority. This can be any CA of your choice. Ensure that you select a multi-domain certificate because you have more than one domain name in the certificate.
Paste the copied certificate request and check that the CSR information is correct. It will show the company name and the domains.
Proceed further with the payment.
The Certificate Authority will ask you to validate the domain. This can be through an email sent to an email recipient listed on the domain registration or by adding a record in the public DNS.
Complete Exchange certificate request
The certificate is ready for you to download from the Certificate Authority. Download and unpack the certificate from the Certificate Authority to the Exchange Server shared folder.
Give the certificate an accessible name. In our example, the certificate name is Exoip.crt.
Run the Import-ExchangeCertificate cmdlet to complete the pending certificate.
[PS] C:\>Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2019\Certs\Exoip.crt')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
The Exchange certificate will show the status Valid.
Assign Exchange services to certificate
Double-click the certificate and copy the certificate thumbprint.
Run the Enable-ExchangeCertificate cmdlet to assign services to the certificate. Fill in the thumbprint value that you copied.
[PS] C:\>Enable-ExchangeCertificate -Server "EX01-2019" -Thumbprint 6C31EB21621378CB5454A32F2DF0D1F87FAF69C5 -Services SMTP,IMAP,IIS -Force
Restart IIS
Restart the Internet Information Services (IIS) on the Exchange Server.
[PS] C:\>iisreset
Verify new Exchange certificate
Go to Outlook Web Access (OWA) URL or Exchange Admin Center (EAC) URL. Verify that the website connection is secure. Also, check that the Outlook client starts without any errors.
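A scripted version of this verification, added here as an example and not part of the original article: it checks in Exchange Management Shell that the certificate is Valid and bound to the intended services, then opens a TLS connection to the OWA hostname and confirms that IIS is actually presenting that same thumbprint. The server name, hostname and thumbprint default to the values used above and are assumptions you should replace.

```powershell
# Added example (not from the original article). Run in Exchange Management Shell.
param(
    [string]$Server     = "EX01-2019",                                 # assumed
    [string]$HostName   = "mail.exoip.com",                            # assumed
    [string]$Thumbprint = "6C31EB21621378CB5454A32F2DF0D1F87FAF69C5"   # assumed
)

# 1. Confirm the certificate is installed, Valid and assigned to the expected services.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found on $Server" }
"Status: $($cert.Status)  Services: $($cert.Services)  Expires: $($cert.NotAfter)"
if ($cert.Status -ne 'Valid') { throw "Certificate status is $($cert.Status), expected Valid" }
foreach ($svc in 'IIS', 'SMTP', 'IMAP') {
    if ($cert.Services.ToString() -notmatch $svc) { Write-Warning "Service $svc is not assigned" }
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }

# 2. Connect to the HTTPS endpoint and inspect the certificate IIS really serves.
#    The validation callback returns $true only so the handshake completes and the
#    chain can be inspected here; the real check is the thumbprint comparison below.
$client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Served thumbprint: $($served.Thumbprint)"
    "Served subject:    $($served.Subject)"
    "Served issuer:     $($served.Issuer)"
    if ($served.Thumbprint -ne $Thumbprint) {
        throw "IIS is serving a different certificate than expected; run iisreset and re-check the IIS service binding"
    }
    # Warn when the presented certificate is self-issued (the default self-signed Exchange certificate).
    if ($served.Subject -eq $served.Issuer) { Write-Warning "Served certificate is self-signed, not the CA-issued one" }
    "OK: $HostName presents the expected third-party certificate"
} finally {
    $client.Close()
}
```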
Copy certificate to another Exchange Server
Suppose you have more than one Exchange Server. Then you don’t have to do all the steps again. Instead, you can export the certificate and import it on the other Exchange Servers by following the articles below:
Renew Exchange Hybrid certificate
If you have an Exchange Hybrid environment, there are a couple more configurations. You must assign the third-party certificate to the Office 365/Microsoft 365 connectors. More on that in the article Renew certificate in Exchange Hybrid.