In this article we will have a look at the steps to configure SSL certificates in Exchange 2016 post installation.
If you have Exchange 2016 in coexistence with Exchange 2013, you don't need to worry about this part. The already configured Exchange 2013 CAS server can up-proxy requests to the Exchange 2016 servers, so you can stay relaxed for a while until you decide to remove Exchange 2013.
But if you have it in coexistence with Exchange 2010, you will need to move all of your external URLs and place your SSL certificates on the Exchange 2016 servers.
Now we will have a look at how to create an SSL certificate request in Exchange 2016 and complete it using a third-party CA.
The configuration is the same as in Exchange 2013; the only change is that the internet-facing CAS server is now the internet-facing mailbox server.
To perform this action, open the EAC, click Servers, and select Certificates.
Give it a friendly name as below
Enter the domain name
If you are going to use a wildcard, select the wildcard certificate option.
A wildcard certificate covers your root domain and, in addition, one level of subdomain.
In my case I'm using a wildcard since it's a lab and I'm using a complimentary subscription provided by DigiCert through the MVP program. So in my case it would cover mail.exchangequery.com, Autodiscover.exchangequery.com, owa.exchangequery.com, etc.
If I try Test.mail.exchangequery.com, it will not be covered, since the wildcard covers only one subdomain level.
It's always better to use a SAN certificate, because with a wildcard SSL certificate your private key will be used across most of the subdomains.
After this completes, just click Next and choose one internet-facing mailbox server in Exchange 2016.
Fill the required information as below
Specify a location to save the certificate request as below
You can see the cert request generated as below in the location you mentioned
After the above task is completed you can see the certificate request in pending state in the certificates tab as below
Now we can submit this request to a third party CA and get a new SSL certificate for your domain.
There are so many good providers, but I recommend DigiCert as I have seen their support to be very prompt, and altogether they provide competitive pricing.
Now copy and paste the CSR we generated in Exchange 2016 as below. For now you can select Exchange 2013 as the server software; that will work until they add Exchange 2016.
Once you get the SSL certificate from the certificate provider, we need to complete this request by importing it into the Exchange 2016 internet-facing server.
You can see the certificate that we requested in pending state as below
So click on complete and you will get a pop up window to import the SSL certificate.
Just import the certificate that you got from the certificate provider and then complete the request.
Now we have successfully completed the SSL certificate request in Exchange 2016
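The same request, pending check and import can be scripted from the Exchange Management Shell. This is an added example, not part of the original article; the server name MBX01, the \\FS01\Certs share, the file names and the C=/O= subject values are assumptions, and it requests a SAN certificate for the three host names mentioned above rather than a wildcard.

```powershell
# Added example: Exchange Management Shell equivalent of the EAC steps above.
# Assumed (not from the article): MBX01, \\FS01\Certs, file names, C= and O= values.
$server  = 'MBX01'                           # hypothetical internet-facing mailbox server
$reqPath = '\\FS01\Certs\exchange2016.req'   # hypothetical path for the certificate request
$cerPath = '\\FS01\Certs\exchange2016.p7b'   # hypothetical file returned by the CA

# 1. Generate the request with explicit SAN entries.
#    The private key is created and kept in the server's certificate store;
#    the cmdlet only returns the Base64 request text.
#    Leave the key non-exportable unless the certificate must be copied
#    to other servers later.
$csr = New-ExchangeCertificate -GenerateRequest -Server $server `
    -FriendlyName 'Exchange 2016 SAN certificate' `
    -SubjectName 'C=US,O=Example Org,CN=mail.exchangequery.com' `
    -DomainName 'mail.exchangequery.com','autodiscover.exchangequery.com','owa.exchangequery.com' `
    -KeySize 2048 -PrivateKeyExportable $false

# 2. Save the request text so it can be pasted into the CA's order form.
Set-Content -Path $reqPath -Value $csr -Encoding Ascii

# 3. Confirm the request is listed as pending (the "pending state" in the EAC).
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Thumbprint, Status, CertificateDomains

# 4. After the CA issues the certificate, complete the pending request on the
#    same server that generated it, because that server holds the private key.
Import-ExchangeCertificate -Server $server `
    -FileData ([System.IO.File]::ReadAllBytes($cerPath))

# 5. Verify the certificate is now valid and covers the expected names.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.CertificateDomains -contains 'mail.exchangequery.com' } |
    Format-List FriendlyName, Thumbprint, Status, NotAfter, CertificateDomains
```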
Important notes:
If you are doing SSL offloading on your reverse proxy, such as F5 LBs, for the Exchange services, then you should not follow the above steps.
In that case you just need to make a certificate request from your F5, get the certificate issued by a public CA, and then import it on the reverse proxy.
Then just uncheck the Require SSL option on the IIS Exchange virtual directories, because the connections from the internet to the F5 will be SSL encrypted but incoming connections from your F5 to Exchange will be HTTP only.
MVP – Exchange Server