The services below in Exchange 2016 require an SSL certificate to function properly.
- Outlook Web App
- Outlook Anywhere (RPC-over-HTTP) or MAPI-over-HTTP
- Exchange Web Services (EWS) used for free/busy and other lookups
- POP or IMAP.
You should always replace the initial self-signed certificate assigned to all services before bringing the server into production. This can be done by following the process below.
- Log in to EAC and select servers in the right-hand pane.
- On the servers tab, select certificates at the top right-hand side.
- Select the server on which you need to request and assign the certificate.
- By default you will see the Microsoft Exchange and WMSVC certificates (both self-signed).
- To create a new certificate request, click the plus sign just below the server name.
- Internet-facing servers should have a certificate from a public CA. Create a new request for one.
- Give the certificate being requested a friendly name of your choice.
- I’m going to request a new certificate for the root domain cloudexchangers.com here. You can opt for a wildcard certificate if required.
- Select a location to store this certificate request.
You may even choose a different server on which to save this request.
- Select the SAN entries for the certificate. You may change the SAN entries as per your requirements.
I added the SANs below to meet my requirements, and I also kept *.cloudexchangers.com to meet any upcoming requirements in my lab.
A normal scenario requires only the basic entries below for internet-facing servers.
- mail.cloudexchangers.com (HTTPS, SMTP, POP and IMAP)
Provide the organization details.
Store the certificate request as a .req file.
Once the request is created, you will find a pending request in EAC.
Share this request (.req) file with your CA and get the certificate.
Note: A SAN or Unified Communications certificate is recommended.
- Once you have received the certificate, import it by selecting complete pending request in the EAC.
- Select the certificate that needs to be imported.
- Once the certificate is imported, you will find a new valid certificate in the certificate console in EAC.
Assign the certificate to the respective services.
- The warning shown at this step can be ignored, as we are replacing the already assigned self-signed certificate with the new certificate from the public CA.
You may verify the assigned certificate from the IIS console.
Note: It is recommended to use the same SSL certificate for all of the Exchange servers that have the same namespaces.
By now we have successfully assigned a certificate to all required services in Exchange 2016. Enjoy the upgraded enterprise-level functionality of Exchange 2016.
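The same request, import and assignment steps can also be run from the Exchange Management Shell, followed by a check that the new certificate is valid, not self-signed and bound to every intended service. This is an added example, not part of the original post; the server name EX01 and the C:\Certs paths are hypothetical, and the .cer file is assumed to be the certificate returned by your CA.

```powershell
# Run as a script in the Exchange Management Shell.
# Assumptions (not from the original post): server EX01, folder C:\Certs.
$server   = 'EX01'
$reqPath  = 'C:\Certs\cloudexchangers.req'
$cerPath  = 'C:\Certs\cloudexchangers.cer'   # certificate returned by the CA
$services = 'IIS', 'SMTP', 'POP', 'IMAP'

# Step 1: no request on disk yet, so create one and stop until the CA answers.
if (-not (Test-Path $reqPath)) {
    # The private key is marked exportable so the same certificate can later be
    # installed on other Exchange servers that share these namespaces.
    $req = New-ExchangeCertificate -Server $server -GenerateRequest `
        -FriendlyName 'cloudexchangers.com public certificate' `
        -SubjectName 'CN=cloudexchangers.com' `
        -DomainName 'cloudexchangers.com', 'mail.cloudexchangers.com' `
        -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -Path $reqPath -Value $req -Encoding Ascii
    Write-Host "Request saved to $reqPath. Send it to the CA, then run again."
    return
}
if (-not (Test-Path $cerPath)) {
    Write-Warning "Waiting for the CA: $cerPath not found."
    return
}

# Step 2: complete the pending request with the CA-issued certificate.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($cerPath))

# Step 3: assign the certificate to the services listed on the page.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint `
    -Services $services

# Step 4: verify the result instead of trusting the console view.
$check = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$check | Format-List FriendlyName, Subject, CertificateDomains, Services,
    Status, IsSelfSigned, NotAfter

if ($check.IsSelfSigned)        { Write-Warning 'Certificate is self-signed.' }
if ($check.Status -ne 'Valid')  { Write-Warning "Status is $($check.Status)." }
foreach ($s in $services) {
    if ("$($check.Services)" -notmatch "\b$s\b") {
        Write-Warning "Service $s is not bound to the new certificate."
    }
}
```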