The following services in Exchange 2016 require an SSL certificate to function properly:
- SMTP
- Outlook Web App
- RPC-over-HTTP or MAPI-over-HTTP
- ActiveSync
- Exchange Web Services (EWS), used for free/busy and other lookups
- POP or IMAP
You should always replace the initial self-signed certificate assigned to all services before bringing the server into production. This can be done by following the process below.
- Log in to the EAC and select servers on the right-hand pane.
- On the servers tab, select certificates on the top right-hand side.
- Select the server on which you need to request and assign the certificate.
- By default you will see the Microsoft Exchange and WMSVC certificates (both self-signed).
- To create a new certificate request, click on the plus sign just below the server name.
- Internet-facing servers should have a certificate from a public CA. Create a new request as below.
- Give the certificate being requested a friendly name of your choice.
- I’m going to request a new certificate for the root domain cloudexchangers.com here. You can opt for a wildcard certificate if required.
- Select a location to store this certificate request.
You may also choose a different server on which to save this request.
- Select the SAN entries for the certificate. You may change the SAN entries as per your requirements.
I added the SANs below to meet my requirements, and I also kept *.cloudexchangers.com to meet any upcoming requirements in my lab.
A normal scenario requires only the basic entries below for internet-facing servers.
- mail.cloudexchangers.com (HTTPS, SMTP, POP and IMAP)
- autodiscover.cloudexchangers.com
- cloudexchangers.com
- Provide the organization details as below.
- Store the certificate request in the location below as a .req file.
- Once the request is created, you will find a pending request in the EAC as below.
- Share this request (.req) file with your CA and get the certificate.
Note: A SAN or Unified Communications certificate is recommended.
- Once you have received the certificate, import it by selecting complete pending request in the EAC as below.
- Select the certificate that needs to be imported as below.
- Once the certificate is imported, you will find a new valid certificate in the certificate console in the EAC.
- Assign the certificate to the respective services as below.
- The warning below can be ignored, as we are replacing the already assigned self-signed certificate with the new certificate from a public CA.
- You may verify the assigned certificate from the IIS console.
Note: It is recommended to use the same SSL certificate for all of the Exchange servers that share the same namespaces.
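The same request, import and assignment can also be done from the Exchange Management Shell. The script below is an added example, not part of the original walkthrough: the server name EX01, the file paths and the organization values in the subject are placeholders, and Test-NameCovered is a helper defined here. It refuses to assign the certificate if it is self-signed, not valid, or missing one of the required names.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2016 server.
$server   = 'EX01'                          # placeholder server name
$reqPath  = 'C:\Certs\cloudexchangers.req'  # placeholder path for the request
$cerPath  = 'C:\Certs\cloudexchangers.cer'  # placeholder path for the CA's reply
$required = 'mail.cloudexchangers.com', 'autodiscover.cloudexchangers.com', 'cloudexchangers.com'

# 1. Create the pending request and save it as a .req file for the CA.
#    The private key is generated on, and stays on, the Exchange server.
$req = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'Exchange 2016 public certificate' `
    -SubjectName 'C=XX,O=Example Org,CN=mail.cloudexchangers.com' `
    -DomainName $required -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $req

# 2. Once the CA has returned the certificate, complete the pending request.
$imported = Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($cerPath))

# A wildcard SAN covers exactly one left-most label, so compare the parent domain.
function Test-NameCovered([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $d.Substring(1)) { return $true }
    }
    return $false
}

# 3. Check the imported certificate before it replaces anything.
$cert    = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint
$domains = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $required | Where-Object { -not (Test-NameCovered $_ $domains) }
if ($cert.IsSelfSigned -or $cert.Status -ne 'Valid' -or $missing) {
    throw "Not assigning $($cert.Thumbprint): status=$($cert.Status), missing names: $($missing -join ', ')"
}

# 4. Assign the certificate to the services listed for mail.cloudexchangers.com.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 5. Review what is bound where; any certificate still serving IIS or SMTP with
#    IsSelfSigned = True, or with a near NotAfter date, needs attention.
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Services, IsSelfSigned, Status, NotAfter -AutoSize
```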
We have now successfully assigned a certificate to all required services in Exchange 2016. Enjoy the upgraded enterprise-level functionality of Exchange 2016.