Back to Blog

Exchange 2010 3rd Party SSL Certificates: The Whole Story

Image of Theresa Miller
Theresa Miller
Exchange 2013 configurations

Eventually all good things come to an end and that’s no exception to our 3rd party certificates that allow access to Outlook Web App and other web-based Exchange workloads such as Active Sync or Outlook. This article provides a step by step process on how to update your Exchange 2010 certificates from start to finish. This article also assumes we are using a DigiCert wildcard certificate. Most of this work can be pre-staged before the actual implementation and is highlighted below. With that, let’s begin!

Generate a CSR

Generating a CSR and making sure it has been well documented on multiple websites is the first step to obtaining an updated wildcard certificate for your Exchange 2010 environment. To ensure that your certificate has a private key refer to the “Using Shell to create a new Exchange Certificate” section in the TechNet article for generating your CSR appropriately.

Whether or not the private key should be exported depends on the application or the organization, and is a requirement for Exchange. The private key certificate is used so the 3rd party certificate can also be used across multiple Exchange servers. The certificate can also be used on the system or device that can authenticate external connections to ActiveSync, Outlook Web App or Outlook Anywhere. An example of this would be Threat Management Gateway (TMG), User Access Gateway (UAG) or a network based appliance. Be sure to investigate these requirements before the certificate updates on the Exchange server. This will need to be done in conjunction with the work below.

Another consideration to make are these same 3rd party private certificates which can be used for Unified Messaging (UM) for both the Exchange Unified Messaging Service and Exchange Unified Messaging Call Router Service if you choose not to use the locally Self-signed certificates. If your organization is planning to integrate UM with Microsoft Lync then it is recommended that you use 3rd party certificates instead of Self-signed certificates (additional details on using 3rd party certificates instead of Self-signed certificates).

Import the Certificate to an Exchange Server

Once your 3rd party certificate provider has generated the new certificate it must be downloaded onto the server that the CSR was generated from.  If a different Exchange server is used to import the certificate then the private key will not be exportable. 

    1. Go into Certificates and choose All Tasks, Import...
       
    2. Click Next

Computer script window

    1. Browse to the location of the certificate and click next

computer directory window

    1. Place in Personal Store and click Next

Computer setup wizard window

    1. Click Finish

Computer code

Export Private Key Certificate

Exchange is expecting that the certificate used will be the private key certificate.  The following steps will provide guidance on how to do this.

    1. Open the Certificate Management MMC
    2. Expand Certificates, Personal and Certificates
    3. Right-click on the certificate that was just imported and choose All Tasks, Export

computer directory window

    1. Click Next

computer code

    1. Choose, “Yes, Export the Private Key” and click Next

certificate export wizard window

    1. Check the boxes for “Include all certificates in the certification path if possible” and the “Export all extended properties” and then click Next

certificate export wizard window

    1. Fill in a password and then document the password for future reference and click Next

Note: If you need to export the private key certificate again for any reason this exact password will be required.

computer setup wizard

    1. Browse to a location on the file system where the private key certificate will be exported to and provide a file name similar to what is shown below. Then click Next.

computer setup wizard

    1. Click Finish

computer certificate wizard

Import the Private Key Certificate into the Certificate Store

**Important: This must be done on each Exchange server in your environment that requires a certificate. The same private key certificate file should be used across all of the servers**

    1. Open the Certificate MMC
    2. Expand Certificates, Personal, Certificates
    3. Right-click on Certificates, select All Tasks and choose Import

computer directory

    1. Click Next

computer setup wizard

    1. Browse to the private key certificate that was exported and click Next

computer setup wizard

  1. Enter the password of the private key certificate. This is the same password used in the previous section.
    1. Verify the “Mark this key as exportable”. This will allow you to back up or transport your keys at a later time” is checked
    2. Verify the “Include all extended properties” is checked
    3. Click Next

computer setup wizard

  1. Place all of the certificates in the personal store and click Next

certificate import wizard

  1. Click Finish

computer import wizard

  1. Verify that the certificate has been imported to Personal certificates and that the Intermediate Certificate is installed on the server. See examples on where to verify this below.

.9
computer directory window

Apply the Private Key Certificate to Each Exchange Server

This will cause a brief interruption of service to your users. If your organization requires change management and downtime for this type of work do not proceed until that approval is acquired.
  1. Open the Exchange Management Console
  2. Select Server Configuration on the left side of your screen

Note: It may take up to 30 seconds for the Exchange certificates to load on the bottom of the screen

  1. On the right side of your screen choose the server that will receive the new certificate

computer configuration window

  1. On the bottom section of the screen under Exchange Certificates right click on the certificate that was just imported
  2. Choose Assign Services to Certificate…

Exchange certificate window

  1. Make sure the server you are expecting to update the certificate on is listed in the Select Servers section and then click Next

Certificate assignment window

  1. Select the check boxes for SMTP and IIS

Note: The other options such as POP and IMAP will only be required if these are configured for external access are secured via SSL. For more information on when POP or IMAP may need to be used see the following Technet Article http://technet.microsoft.com/en-us/library/jj657728(v=exchg.150).aspx

  1. Click Next

certificate assignment window

  1. Click Assign

certificate assignment window

  1. Click “Yes to All”

computer configuration window

  1. Click Finish

computer certificate assignment window

  1. Verify in the console that the new certificate is applied

Computer configure window

  1. Test Outlook Web App to verify that the certificate was successfully supplied

Voila! After following these steps, the certificates on your Exchange server will have been successfully completed.


How to reconfigure Outlook on MAC to use Modern Authentication

Image of Edward van Biljon
Edward van Biljon

In earlier post on this blog we discussed Microsoft turning off basic authentication and what you...

Read more

How to reconfigure Outlook on Android to use Modern Authentication

Image of Edward van Biljon
Edward van Biljon

Android OS – Changing from basic auth to modern auth connectivity on your Android mobile device....

Read more