Creating a CSR and installing your SSL certificate on your Microsoft Exchange Server 2016
Use the instructions on this page to use the Exchange Admin Center to create your certificate signing request (CSR) and then to install your SSL certificate on your Exchange 2016 server.
-
To create your certificate signing request (CSR), see Exchange 2016: How to Create Your CSR.
-
To install your SSL certificate, see Exchange 2016: How to Install and Configure Your SSL Certificate.
If you are looking for a simpler way to create CSRs, and install and manage your SSL Certificates, we recommend the DigiCert® Certificate Utility for Windows. With the DigiCert Utility, you can generate a CSR and install an SSL certificate, plus more. See Exchange 2016: Create CSR & Install SSL Certificate with DigiCert Utility.
1. Exchange 2016: How to Create Your CSR
Using the Exchange Admin Center (EAC) to Create Your CSR
-
Access the EAC by opening a browser and browsing to the URL of your server (e.g., https://localhost/ecp).
-
On the Exchange Admin Center credentials page, type your Domain/user name and Password and then click sign in.
-
In the EAC, in the sidebar menu on the left, click Servers and then in the menu at the top of the page, click Certificates.
-
On the Certificates page, in the Select server drop-down list, select your Exchange 2016 server and then click the + symbol.
-
In the new Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
-
In the *Friendly name for this certificate: box, type a friendly name for the certificate and then click Next.
The friendly name isn't part of the certificate; instead, it's used to identify the certificate.
We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
Wildcard Plus Certificate
Note: If your are not creating a csr for a wildcard certificate, click Next.
To create a CSR for a wildcard certificate, do the following:
-
Check Request a wild-card certificate.
-
In the *Root domain: box, type the root domain for all the subdomains (e.g., *.example.com).
-
Click Next.
-
-
In the *Store certificate request on this server box, click Browse…, select the server you want to store the certificate request on, and then click Next.
-
Select Domain(s) to Include on the SSL Certificate
Note: If you are creating a csr for a wildcard certificate, skip this step by clicking Next and Next. Proceed to step 10.
To select the domain(s) that you want included on your SSL certificate, do the following:
-
Click Next.
The wizard populates the list with domains that Exchange 2016 suggest you include in your certificate request.
Although you can edit the list of domains on this page of the wizard, we recommend doing it on the next page.
-
On the next page, review the list of names/domains and use the +, ✏, -, and ✓ symbols to add, edit, remove, and select the domains you want included on your SSL certificate.
-
When you are finished, click Next.
-
-
Under Specify information about your organization, provide the following information and then click Next:
*Organization name: Type your company's legally registered name (e.g., YourCompany, Inc.). *Department name: Type the name of your department within the organization. Frequently this entry will be listed as "IT" or "Web Security". *City/Locality: Type the city/locality where your company is legally located. *State/Province: Type the state/province where your company is legally located. *Country/Region name: In the drop-down list, select the country/region where your company is legally located. -
Under *Save the certificate request to the following file, enter a UNC path to save your CSR to.
Note: Select a location that you can access. You must be able to access the location so that you can use the CSR to order your SSL certificate.
-
Click Finish to generate the CSR and save it to the specified UNC path.
-
Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
-
After you receive your SSL certificate from DigiCert, you can install it.
2. Exchange 2016: How to Install and Configure Your SSL Certificate
If you have not yet created a CSR and ordered your certificate, see Exchange 2016: How to Create Your CSR.
After we validate and issue your SSL certificate, you need to install it on the Windows Exchange Server 2016 where the CSR was generated. Then, you need to configure the server to use it.
Install and Assign Services to Your SSL Certificate with the EAC
Install SSL Certificate
-
Download and open the ZIP file containing your certificate. Your certificate file will be named your_domain_name.cer.
-
Copy the your_domain_name.cer file to your Exchange 2016 server's network share folder (where you saved the CSR).
-
Access the Exchange Admin Center (EAC) by opening a browser and browsing to the URL of your server (e.g., https://localhost/ecp).
-
On the Exchange Admin Center credentials page, enter your Domain/user name and Password and then click sign in.
-
In the EAC, in the sidebar menu on the left, click Servers and then in the menu at the top of the page, click Certificates.
-
On the Certificates page, in the center pane, select your certificate request and then in the certificate request details pane to the right, under Status, click the Complete link.
Note: Certificate request are listed by their friendly names.
-
In the complete pending request wizard, under *File to import, enter the UNC path to where your SSL certificate file is located (e.g., \\example\certificates\your_domain_name.cer) and then click OK.
-
The certificate should be successfully installed on your Exchange 2016 server, and the status of your certificate request should now be Valid.
-
On the Certificates page, in the center pane, select the SSL certificate you just installed and then click ✏ (pencil).
-
In the "certificate" window, click Services.
-
Next, check all the services for which you want to enable your SSL certificate and then click Save.
-
Your SSL certificate should now be enabled for the services you selected on your Exchange 2016 server.
Assign Services
Export SSL Certificate to Your ISA Server - Very Important
When you export an SSL certificate, make sure to include all certificates in the certification chain when prompted. If you do not, your certificate will not work properly.
If you currently use an ISA (Internet Security and Acceleration) server in front of your Exchange 2016 server, or need to export your SSL certificate to any other Microsoft server type, see our Exchange export instructions for a step-by-step walkthrough.
For assistance getting your certificate installed or fixing an SSL installation issue, check out our DigiCert® Certificate Utility for Windows.