Generating a CSR and Installing an SSL Certificate in Microsoft Exchange 2019
Daniel Martinez
Microsoft Exchange 2019 manages its SSL Certificates through its own tooling rather than through standard Windows methods, and the process has a step that catches many administrators off guard.
Importing the SSL Certificate is not enough on its own, because Exchange only uses an SSL Certificate after it has been explicitly assigned to services. This guide covers the full sequence, from generating the Certificate Signing Request (CSR) through to service assignment, using both the Exchange Admin Center and the Exchange Management Shell.
Choosing the Right SSL Certificate for Exchange
Exchange environments almost always need an SSL Certificate covering more than one hostname. A typical deployment secures the primary mail hostname such as mail.yourdomain.com alongside autodiscover.yourdomain.com, which Outlook clients query automatically during profile setup. A Multi-Domain SSL Certificate covers both names, plus any additional namespaces, within a single SSL Certificate. Learn About Multi-Domain SSL Certificates 🔗
Plan the full hostname list before generating the CSR, because every name must be present in the request for it to appear in the issued SSL Certificate.
Generating the CSR
The Exchange Admin Center provides a guided path. Open it in a browser, navigate to Servers and then the Certificates tab, select the server, and click the plus icon to start a new SSL Certificate request.
Choose the option to create a request from a Certificate Authority (CA), enter a friendly name, specify the domains to be secured, complete the organization details, and save the resulting request file to a network share.
The same request can be generated in the Exchange Management Shell with a single command, which many administrators prefer because the full hostname list is visible at once.
New-ExchangeCertificate -GenerateRequest -FriendlyName "Mail SSL Certificate" -SubjectName "CN=mail.yourdomain.com" -DomainName mail.yourdomain.com,autodiscover.yourdomain.com -PrivateKeyExportable $true -RequestFile "\\server\share\yourdomain.req"
Setting the Private Key as exportable matters in multi-server environments, because it allows the completed SSL Certificate to be exported as a Personal Information Exchange (PFX) file and installed on additional Exchange servers later.
Submit the contents of the request file when placing your order, and complete validation as normal. Learn About the Validation Procedure 🔗
Completing the Pending Request
Once issued, your SSL Certificate is available in the tracking system. Download it to the same server where the request was generated, because the pending request and its Private Key exist only there. View Our Tracking & SSL Management 🔗
In the Exchange Admin Center, return to the Certificates tab where the pending request appears with a status of pending. Select it, click Complete under the status notes, and provide the path to the downloaded SSL Certificate file. The status changes to valid once the SSL Certificate pairs with its Private Key.
The Exchange Management Shell equivalent imports the file contents directly.
Import-ExchangeCertificate -Server MAIL01 -FileData ([System.IO.File]::ReadAllBytes("\\server\share\yourdomain.crt"))
Warning: Never delete a pending request before its SSL Certificate has been completed. The pending request holds the Private Key, and deleting it orphans the issued SSL Certificate permanently. If a pending request has already been removed, generate a new CSR and complete a reissue rather than attempting to recover the old request.
With the request completed and the SSL Certificate showing as valid, one essential step remains.
Assigning the SSL Certificate to Exchange Services
This is the step that distinguishes Exchange from a standard web server. The imported SSL Certificate sits unused until services are assigned to it.
In the Exchange Admin Center, edit the SSL Certificate and tick the services it should secure, typically Internet Information Services (IIS) for Outlook on the web and Exchange Web Services, plus Simple Mail Transfer Protocol (SMTP) for transport encryption.
In the Exchange Management Shell, the assignment uses the SSL Certificate thumbprint, which the Get-ExchangeCertificate command lists.
Enable-ExchangeCertificate -Thumbprint AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12 -Services "IIS,SMTP"
When assigning SMTP, Exchange asks whether to overwrite the existing default SSL Certificate. Answer no unless you understand the consequences, because the self-signed default secures internal server-to-server transport, and replacing it can disrupt mail flow between Exchange servers.
Verifying the Installation
Confirm the assignment took effect by listing the SSL Certificates and their bound services.
Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Services,NotAfter
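The assignment and verification steps above can be combined into one script that refuses to bind services until the certificate is actually ready, which catches the two failures this guide warns about (a missing hostname and a deleted pending request) before Outlook clients do. The following is an added example, not code from the original article or from Microsoft; it assumes it is run inside the Exchange Management Shell on the server where the request was completed, and the thumbprint and hostnames are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Run it inside the Exchange
# Management Shell on the server where the pending request was completed.
# The thumbprint and hostnames below are placeholders; take the real
# thumbprint from Get-ExchangeCertificate.
$RequiredNames  = @('mail.yourdomain.com', 'autodiscover.yourdomain.com')
$WantedServices = @('IIS', 'SMTP')
$Thumbprint     = 'AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12'

# Returns a list of problems (empty when the certificate is ready to be assigned).
function Test-ExchangeCertReady {
    param([string]$Thumbprint, [string[]]$RequiredNames, [int]$MinDaysLeft = 30)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    $problems = @()
    if ("$($cert.Status)" -ne 'Valid') {
        $problems += "status is $($cert.Status); the request has not paired with its private key"
    }
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key is bound; the pending request was probably deleted, so reissue from a new CSR'
    }
    # CertificateDomains lists the names in the issued certificate; every planned
    # hostname must be there, otherwise Outlook will warn about the missing one.
    $covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
    foreach ($name in $RequiredNames) {
        if ($covered -notcontains $name.ToLowerInvariant()) {
            $problems += "hostname $name is not in the certificate; reissue with the full hostname list"
        }
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) { $problems += "certificate expires in $daysLeft days" }
    return ,$problems
}

# Returns the service names the certificate is bound to (Services is a flags
# value that renders as e.g. "IIS, SMTP").
function Get-BoundServices {
    param([string]$Thumbprint)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop
    return @("$($cert.Services)".Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$problems = @(Test-ExchangeCertReady -Thumbprint $Thumbprint -RequiredNames $RequiredNames)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate is not ready; fix the problems above before assigning services.'
}

# Assign services. The SMTP assignment prompts about overwriting the default
# self-signed SMTP certificate; leave the prompt interactive and answer No, as
# the article advises. Do not add -Force here, since it suppresses that prompt.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($WantedServices -join ',')

$bound   = Get-BoundServices -Thumbprint $Thumbprint
$missing = @($WantedServices | Where-Object { $bound -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "not bound after assignment: $($missing -join ', ')"
} else {
    Write-Output "Certificate $Thumbprint is bound to: $($bound -join ', ')"
}
```

The check runs before Enable-ExchangeCertificate on purpose: a certificate that is still pending, has lost its Private Key, or is missing autodiscover.yourdomain.com is cheaper to reissue before it is bound to IIS than after users start seeing warnings. The re-read of Services afterwards is the same confirmation as the Get-ExchangeCertificate listing above, just reduced to a pass or fail.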
Then test from the outside. Browse to Outlook on the web over HTTPS and inspect the SSL Certificate, and run an external scan to confirm the full chain is being served to fresh clients. Trustico® provides free checking tools for this final confirmation. Explore Our Trustico® SSL Tools 🔗
Outlook desktop clients are the strictest verifiers of all, so open a profile and confirm no SSL Certificate warnings appear during connection. A warning naming a hostname usually means a namespace was left out of the SSL Certificate, which a reissue with the corrected hostname list resolves. Learn About Reissuing Your SSL Certificate 🔗
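For the external check, the following added example (not code from the original article or from Trustico®) connects to the published hostname from a client machine, records what the TLS client actually received, and reports the DNS names in the certificate against the list the CSR was supposed to contain. It assumes Windows PowerShell 5.1 or PowerShell 7 on a client with network access to the Exchange host; the hostnames are placeholders.

```powershell
# Added example, not from the original article: inspects the certificate a
# host actually serves over TLS. Run it from a client outside the Exchange
# server (Windows PowerShell 5.1 or PowerShell 7). Hostnames are placeholders.
function Get-ServedCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$ExpectedNames = @()
    )
    # The validation callback records what the client saw instead of failing,
    # so the report can show policy errors alongside the certificate details.
    $seen = @{ Errors = $null; ChainLength = 0 }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors      = $sslPolicyErrors
        $seen.ChainLength = $chain.ChainElements.Count
        return $true
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    # Pull DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
    # Windows formats entries as "DNS Name=host"; other platforms as "DNS:host".
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($true), 'DNS(?: Name=|:)\s*([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    }

    [pscustomobject]@{
        Host         = "${HostName}:$Port"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        DnsNames     = $dnsNames
        MissingNames = @($ExpectedNames | Where-Object { $dnsNames -notcontains $_.ToLowerInvariant() })
        ChainLength  = $seen.ChainLength
        PolicyErrors = $seen.Errors
    }
}

# Usage: both names the CSR requested should appear in DnsNames, MissingNames
# should be empty, and PolicyErrors should be None.
Get-ServedCertificateReport -HostName 'mail.yourdomain.com' `
    -ExpectedNames @('mail.yourdomain.com', 'autodiscover.yourdomain.com') | Format-List
```

A non-empty MissingNames is the scripted form of the Outlook warning described above: the name the client asked for is not in the certificate, and only a reissue with the corrected hostname list fixes it. Two caveats on the chain fields: the chain handed to the callback is built from what the server sent plus any intermediates the client has already cached, so a machine that has visited the site before can report a complete chain even when the server omits the intermediate, which is why the guide recommends a scan from a fresh client; and this function only covers HTTPS services such as Outlook on the web, since SMTP on port 25 negotiates TLS through STARTTLS rather than at connection time.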
Professional Installation Assistance
Exchange installations involve more moving parts than a standard web server, particularly in environments with multiple servers, hybrid configurations, or load balancers terminating Transport Layer Security (TLS) in front of Exchange.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗