Below services in exchange 2016 requires a SSL certificate to function properly.

  • SMTP.
  • Outlook Webapp.
  • (RPC-over-HTTP) or MAPI-over-HTTP
  • ActiveSync
  • Exchange Web Services (EWS) used for free/busy and other lookups
  • POP or IMAP.

You should always replace the initial self-signed certificate assigned to all services before bringing the server to production. This can be done by following the below process.

  • Login to EAC and select servers on the right hand pane.
  • On servers tab, select certificate on the top right hand side.
  • Select the server on which you need to request and assign the certificate.
  • By default you will see Microsoft Exchange and WMSVC cert(both self-signed certificates).
  • To request a new certificate request, click on the plus sign just below the server name.

  • For internet facing servers it is supposed to have a certificate from Public CA. Create a new request as below.

  • Give a friendly name of your choice to the certificate being requested.

  • I’m going to request a new certificate for root domain here. You can opt for a wild card certificate if required.

  • Select a location to store this certificate request.

You may even choose a different server, where you need to save this request.

  • Select the SAN entries for the certificate, You may go ahead and make changes to SAN entries as per your requirement.

I had added below SAN to meet my requirements and I had also kept * to meet any upcoming requirements in my lab.

A normal scenario requires only basic entries as below for the internet facing servers.

  •, SMTP, POP and IMAP)

  • Provide the organization details as below.

  • Store the certificate request to the below location as .req file.

  • Once the request is created you will find a pending request in EAC as below.

  • Share this request(.req)file with your CA and get the certificate.

    Note: A SAN or Unified Communications certificate is recommended.

  • Once you had received the certificate, import the certificate by selecting complete pending request from the EAC as below.

  • Select the certificate that need to be imported as below.

  • Once the certificate is imported you will find a new valid certificate in the certificate console in EAC.

  • Assign the certificate to respective services as below.

  • Below warning can be ignored as we are replacing the already assigned selfsigned cert with new certificate from public CA.


  • You may verify the cert assigned from the IIS console.

Note: It is recommended to use the same SSL certificate for all of the Exchange servers that has the same namespaces.

By now we had successfully assigned a certificate to all required services in exchange 2016, enjoy the upgraded Enterprise level functionality of Exchange 2016.

By Anoop Karikuzhiyil Babu

Started his career with Exchange 2003 as a Microsoft Support Engineer, later moved to Microsoft Enterprise Unified Communication Team as Premier Engineer. Post handling numerous Premier environments and deployments, currently settled as a Solution Architect for Messaging and Collaboration in United Arab Emirates largest Tier3 Datacenter.