Secure Sockets Layer (SSL) certificates help to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection. Certificates can be issued by third-party certificate authorities (CAs), issued by an internal CA, or self-signed.
Best practice: the following names should be included in the certificate:
- Common Name (CN):
- Subject Alternative Names (SAN)
Exchange 2013 SSL Certificates CSR Creation
If you already have your SSL Certificate and just need to install it, see Exchange 2013 SSL Installation Instructions.
Create your CSR with Exchange PowerShell
Run the following commands.
- $reqfile = New-ExchangeCertificate -GenerateRequest -SubjectName "C=US,o=Contoso,cn=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,domain.com -PrivateKeyExportable $true
- $reqfile | out-file c:\certreq.txt
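Before the request goes to a CA, it is worth confirming that the file really contains every name clients will connect to and a key of adequate size. The following is an added example, not part of the original instructions. It reuses the page's sample names and output path, sets the key size explicitly, and assumes English-language certutil output.

```powershell
# Added example (not from the original page). Run in the Exchange Management Shell.
# Host names and path are the page's sample values.
$expected = 'mail.domain.com', 'autodiscover.domain.com', 'domain.com'
$csrPath  = 'c:\certreq.txt'

# Generate the request; the key size is stated explicitly instead of relying on the default.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US,o=Contoso,cn=mail.domain.com' `
    -DomainName $expected -KeySize 2048 -PrivateKeyExportable $true

# Write the request as ASCII so the Base64 body pastes cleanly into a CA order form.
Set-Content -Path $csrPath -Value $req -Encoding Ascii

# Decode the CSR with certutil and inspect what will actually be submitted.
$dump = certutil -dump $csrPath | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $csrPath" }

# SAN entries are printed as "DNS Name=<host>" (assumption: English certutil output).
$sans = [regex]::Matches($dump, 'DNS Name=(\S+)') |
    ForEach-Object { $_.Groups[1].Value.ToLower() }
$missing = $expected | Where-Object { $sans -notcontains $_ }
if ($missing) { throw "CSR is missing SAN entries: $($missing -join ', ')" }

# Key length is printed as "Public Key Length: <n> bits".
if ($dump -match 'Public Key Length:\s*(\d+) bits') {
    if ([int]$Matches[1] -lt 2048) { throw "Key is only $($Matches[1]) bits" }
} else {
    throw 'Could not read the key length from certutil output'
}

# The private key stays on this server as a pending request until the
# issued certificate is imported; list it to confirm it exists.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List Thumbprint, Subject, CertificateDomains, Status
```

With -PrivateKeyExportable $true the private key can later be exported with the certificate, which is useful for deploying it to several servers but means any exported copy needs protecting as carefully as the server's own key store.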
Create your CSR with the New Exchange Certificate Wizard
- Access the Exchange Admin Center by opening a browser and browsing to https://localhost/ecp
- Log in using Domain\user name as the format for the user name and enter your password.
- Click the link to Servers in the left column, then Certificates at the top right, then the + symbol
- The “new exchange certificate” wizard will appear in a pop-up window
- Choose “Create a request for a certificate from a certification authority”
- In the friendly name field, enter a name by which you will remember this certificate in the future.
—This name is not an integral part of your certificate request.
- You can check the box and enter the root domain name if you will be generating the CSR for a wildcard. Otherwise, just go to the next screen.
- Hit Browse to choose which server you want to store the certificate request on.
- If you are doing a wildcard cert, you will skip this step. From the list, select the services which you plan on running securely by using Ctrl+Click to highlight the services.
At the next screen, you will be able to review a list of the names which Exchange 2013 suggests you include in your certificate request.
—Review those names and add any extra names by using the + button.
- Your Organization name should be the full legal name of your company.
—Your Department name is your department within the organization.
—If you do not have a state/province, enter the city information again.
- Enter a network share path to save the CSR to your computer as a .req file, then Finish.
- You should now be able to open the CSR with Notepad or WordPad. Copy the entire body of that file into the public CA or internal CA order process.
- After you receive or download your SSL Certificate, you can install it.
For commercial certificate authorities, I recommend using DigiCert.