Monday, 31 October 2011

Installing an SSL Certificate on Microsoft Exchange 2010 Server

Posted in Tech Notes, Written by Mike, Visits: 9077

This article provides step-by-step instructions for installing an SSL certificate on Exchange Server 2010.
Generate a Certificate Signing Request from the Exchange Management Console

  1. Start the Exchange Management Console: Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
  2. Select Server Configuration in the left panel.
  3. Select New Exchange Certificate in the right Action panel.
  4. Type in a friendly name (e.g. mail.example.com) and click Next; the friendly name does not affect the hostname contained in the CSR.
  5. Under the Domain Scope window you have the option to enable a wildcard certificate. This may be desired in certain circumstances, e.g.:
    • You want to use a single certificate for multiple hosts (mail.example.com, autodiscover.example.com...)
    • You are using multiple hostnames for the same services (internal-owa.example.com, external-owa.example.com)
  6. If you selected Wildcard you can skip this step. Select the services for which this SSL certificate will be used (typically Outlook Web App, Exchange ActiveSync, Exchange Web Services, Outlook Anywhere and POP/IMAP) and click Next. In the Certificate Domains screen you should only see one FQDN (e.g. mail.example.com). If you see more than one, go back and make corrections, or go further back and select a wildcard certificate.
  7. Organization and Location: fill in all the fields. Organization: your company's legal name. Organization unit: department (e.g. Messaging, IT, Web). Country, City/locality, State/province: enter your location information.
  8. Click Browse and select where to save the .req Certificate Request file.
  9. Click Next, New, Finish to complete the CSR.
  10. You will now have an additional certificate in the list with "self-signed=TRUE" and no Exchange services assigned to it. This placeholder holds the private key for the pending request; we will use it in a later step. For now, you should also be able to open the .req file in a plain text editor (e.g. Notepad) and view it. It should look like this:
    -----BEGIN CERTIFICATE REQUEST-----
    [encoded data]
    -----END CERTIFICATE REQUEST-----

    You will need this CSR to place your order for an SSL certificate.
    Note: When copying and pasting this CSR, make sure there are five dashes on either side of BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST, and that no white space, extra line breaks or additional characters have been inadvertently added.
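The same CSR generated from the Exchange Management Shell instead of the console, followed by a mechanical version of the copy-and-paste check in the note above. This is an added example, not code from the original article; the hostnames, company details and output path are assumed values.

```powershell
# Added example, not from the original article: the CSR step from the
# Exchange Management Shell. Hostnames, subject details and the output
# path below are assumed values; replace them with your own.
$friendly = "mail.example.com"
$names    = "mail.example.com", "autodiscover.example.com"
$reqPath  = "C:\certs\mail_example_com.req"

# -GenerateRequest returns the base64 request as text. The private key is
# created in the local machine store and never leaves the server; it is
# the "self-signed=TRUE" placeholder that Complete Pending Request later
# pairs with the issued certificate.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName $friendly `
    -SubjectName "c=US, s=State, l=City, o=Example Inc, ou=Messaging, cn=mail.example.com" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

Set-Content -Path $reqPath -Value $csr -Encoding ASCII

# The article's note, done mechanically: five dashes either side of the
# BEGIN/END markers, only base64 in between, and a body that decodes.
function Test-CertificateRequestFile {
    param([string]$Path)
    $lines = @(Get-Content -Path $Path | Where-Object { $_.Trim() -ne "" })
    if ($lines.Count -lt 3) { return $false }
    if ($lines[0]  -notmatch '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$') { return $false }
    if ($lines[-1] -notmatch '^-----END (NEW )?CERTIFICATE REQUEST-----$')   { return $false }
    $body = ($lines[1..($lines.Count - 2)] -join "")
    if ($body -notmatch '^[A-Za-z0-9+/]+=*$') { return $false }
    try   { [void][Convert]::FromBase64String($body); return $true }
    catch { return $false }
}

if (Test-CertificateRequestFile -Path $reqPath) {
    Write-Host "CSR written to $reqPath; paste its full contents into the order form."
} else {
    throw "CSR at $reqPath is not a clean PEM request; regenerate it before ordering."
}
```

Windows writes the request with a BEGIN NEW CERTIFICATE REQUEST header, which is why the check accepts both marker forms.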

Obtain the Intermediate CA Bundle

  1. You may need to obtain an Intermediate CA bundle (a link will be provided in the email you receive). For example, for a RapidSSL certificate you would need to download the RapidSSL Intermediate CA bundle (right-click and Save As intermediate.p7b).
  2. Save this file somewhere where it will be accessible by the IIS server.

Load the Microsoft Management Console (MMC) with the Certificates Snap-in

  1. From the console of the Web Server (IIS), click Start.
  2. Type MMC in the Search Programs and Files field.
  3. Click on mmc.exe in the programs list.
  4. If prompted for permission, click Yes.
  5. From the MMC click File > Add/Remove Snap-In...
  6. From the list of snap-ins add Certificates.
  7. Select Computer Account when prompted and click Next.
  8. Select Local Computer and click Finish.
  9. Click OK in the Add/Remove Snap-In window.

Install the Intermediate CA Bundle

  1. Expand Certificates and Intermediate Certification Authorities in the right pane of the MMC.
  2. Beneath Intermediate Certification Authorities right-click Certificates and select All Tasks > Import.
  3. Click Next in the Certificate Import Wizard.
  4. Click Browse and locate the intermediate.p7b saved previously.
  5. Click Next.
  6. By default, the Intermediate Certification Authorities store should be selected; keep this option and click Next.
  7. Click Finish.

Install the Certificate

  1. Your SSL certificate will have been sent to you via email directly from the issuer. You can also find your certificate from the My Account menu, under Other Items. Using a plain text editor (e.g. Notepad), create a text file with the extension .cer (e.g. mail_mydomain_com.cer) containing the certificate text. The text file should look like this:
    -----BEGIN CERTIFICATE-----
    [encoded data]
    -----END CERTIFICATE-----

    Note: Make sure there are five dashes on either side of BEGIN CERTIFICATE and END CERTIFICATE, and that no white space, extra line breaks or additional characters have been inadvertently added.
  2. Start the Exchange Management Console: Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
  3. Select Server Configuration in the left pane.
  4. Select the certificate listed by the friendly name we chose when creating the CSR and right-click it.
  5. Select Complete Pending Request.
  6. Browse to the .cer file you created, select Open, then Complete. Press F5 to refresh the certificate listing; you should now see "False" under "Self Signed" for this certificate. If it still shows True, confirm you selected the correct .cer file and repeat steps 2-5. If that still fails, you can recreate the CSR and have the certificate re-issued, as long as the host/domain has not changed.
  7. To enable the certificate, right-click it and select "Assign Services to Certificate".
  8. Select the server from the list provided and click Next.
  9. Select the services you want to enable for this certificate, then click Next, Assign, Finish. The certificate is now installed and enabled for use with Exchange. A quick way to confirm, if the certificate was assigned to Outlook Web App:
    • Open a browser and enter the URL https://mail.example.com/owa
    • Click on the lock icon in your browser and view the certificate
    • Verify the expiration date and other details of the certificate

Renewing Expiring Certificates

You do not renew certificates in the same way you renew domain registrations. To extend the validity period you order a new certificate for the same host and replace your old certificate with the new one. Certificate issuers typically give you an extra month when you renew during the last 60 days of the certificate's validity period. You can follow the above process to "renew" a certificate that will soon expire, which is simply ordering a new certificate to replace the old one. Once the new certificate is installed, assign the services to it; once you have verified that the new certificate is in use, you can remove the old certificate by right-clicking it in the Exchange Management Console and selecting Remove.
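The install and renewal steps above, run from the Exchange Management Shell: import the intermediate bundle, complete the pending request, check the "Self Signed = False" condition before assigning services, and then retire the replaced certificate. This is an added example, not code from the original article; the file paths are assumed values and the .cer must belong to a request generated on this server.

```powershell
# Added example, not from the original article: completing the request,
# assigning services and retiring the replaced certificate from the
# Exchange Management Shell. File paths are assumed values.
$cerPath    = "C:\certs\mail_example_com.cer"
$bundlePath = "C:\certs\intermediate.p7b"

# 1. Intermediate CA bundle into the machine's Intermediate Certification
#    Authorities store (store name "CA"); .NET X509Store works on PowerShell 2.0.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($bundlePath)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "CA", "LocalMachine"
$store.Open("ReadWrite")
$store.AddRange($bundle)
$store.Close()

# 2. Complete the pending request with the issuer's .cer file.
$bytes = [Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$new   = Import-ExchangeCertificate -FileData $bytes
$new   = Get-ExchangeCertificate -Thumbprint $new.Thumbprint

# The article's "Self Signed = False" check, plus the private-key pairing:
# if either fails the wrong .cer was used and nothing should be assigned.
if ($new.IsSelfSigned -or -not $new.HasPrivateKey) {
    throw "Certificate $($new.Thumbprint) did not complete the pending request"
}

# 3. Assign services. IIS covers OWA, ActiveSync, EWS and Outlook Anywhere.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Renewal clean-up: remove certificates for the same subject that no
#    longer hold any service, now that the new one is in use.
Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $new.Subject -and
                   $_.Thumbprint -ne $new.Thumbprint -and
                   "$($_.Services)" -eq "None" } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# 5. Show what is live and when it expires (the same expiry date the
#    article has you read from the browser's lock icon).
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
```

Enable-ExchangeCertificate asks for confirmation before replacing the default SMTP certificate; answer that prompt, or drop SMTP from -Services if the certificate is only for the web services.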
