SSL Certificate - Request
Requesting and installing SSL certificates in Exchange 2010 is a lot easier than it was with Exchange 2007 and is actually better to do through the wizard than the Exchange Management Shell. This page will guide you through that wizard.
September 2012: This information has changed significantly from the advice that has been given out since early 2007 with the release of Exchange 2007.
This is because the SSL vendors consortium has decided to stop issuing SSL certificates that expire after November 2015 to non FQDNs (eg server), non public host names (eg server.example.local) and to private IP addresses.
Therefore the names that you need to include are reduced.
Note: Our screenshots may still include the old naming convention until they can be updated.
This guide also applies to SBS 2011 users, but they should read the notes on this page first.
This guide is aimed at people using an external SSL provider, such as Certificates For Exchange.
- Open the Exchange Management Console, and click on Server Configuration.
- In the lower box labelled "Exchange Certificates", right click and choose "New Exchange Certificate...". You can also select New Exchange Certificate from the Action pane on the right hand side.
- Enter a friendly name. This can be anything that you like. In this example "Exchange 2010" has been used. You could also use the month - so "Exchange 2010 - July 2011" so that it is clear when the certificate was requested.
- In most cases you would not want to Enable wildcard certificate. Therefore just click Next.
- The wizard now asks you lots of questions. Most of these can be skipped and you can enter the names manually on the next screen. However to be able to proceed you need to enter something. Therefore expand Client Access Server (Outlook Web App) and enter the common name of the server.
This can be anything you like - mail.example.com is a common choice. For SBS 2011 systems, you should use remote.example.com as that is what SBS is expecting to use. Then click next.
If you want to know more about each value in this screen and how it affects your server operation - click here for an in depth explanation.
- On the next screen you can enter additional domains that you want on the certificate.
If you have just clicked through the screen above, then you will only have the common name listed. If you completed the boxes then additional names will be included. This includes the root of the domain - "example.com" which is not required and is often set to the common name. This can actually cause issues with the implementation of Outlook Anywhere, so should be removed.
Choose the add button to enter the additional names that are required. For most implementations you need the following:
Name Explanation host.example.com Common Name - as used for external users to access OWA, ActiveSync etc autodiscover.example.com Autodiscover - this is the domain name after the @ sign of the user's email addresses. If the server is supporting multiple domains AND they are the user's primary email address, then you would need to include multiple variants of autodiscover.
If the certificate is going to be used on multiple servers, then you have a number of options.
- Include all of the server names in the SSL certificate. Fine for a small implementation, but could get expensive for anything large.
- Do not include the server name at all, and use a split DNS system to ensure that autodiscover.example.com resolves internally. This will require additional changes to the Exchange client access server which are made in a lter step.
Names you do not need to add
There are a number of host names used with Exchange that do not need to be added to the SSL certificate. The main ones are:
- example.com - the root of the domain. This should be pointing at your public web site rather than an internal resource
- The RPC CAS Array host name. The CAS array should not resolve externally and no clients connect to it internally using web services, therefore there is no need for it to be listed in the SSL certificate.
- The server's real name and FQDN. This used to be added to the list, but as SSL certificate will soon be denied if they include internal only names, these shouldn't be included.
- Once you have entered the names, ensure the correct name is listed as the Common name. Then click Next.
NOTE - the sbs-svr and sbs-svr.sbs2011.local do NOT have to be listed in the request - these are old screenshots.
- In the next box, enter your company legal information. The Organisation should match your company's legal name and the other information should be accurate.
At the bottom, choose a location to store the request file.
- After clicking Next you will get a summary. Clicking Next will generate the certificate request.
- After completing the request, the wizard tells you the kind of certificate that you need and what to do next.
- When the request is complete, you are ready to pass it to your SSL provider. This usually means opening the request in notepad, then copying and pasting it in to the box on their web site.