SSL Certificates Installation for Exchange Server 2013 using local PKI

Managing certificates in an Exchange Server deployment is one of the most important administrative tasks. In Exchange 2013, certificate management functionality is provided in the Exchange Administration Console (EAC), the new Exchange 2013 administrative user interface. In Exchange 2013, the focus is on minimizing the number of certificates that an administrator must manage, minimizing the interaction the administrator must have with certificates, and allowing management of certificates from a central location.

Client Access server certificates:

The Client Access server in Exchange 2013 is a stateless thin server designed to accept incoming client connections and proxy them to the correct Mailbox server

 Mailbox server certificates:

Difference between Exchange 2010 and Exchange 2013 is that the certificates that are used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates that you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server.

You can use the following cmdlets to manage digital certificates on an Exchange Client Access server:

  • Import-ExchangeCertificate   This cmdlet is used to import certificates to a server. You can import a CA-signed certificate (to complete a pending certificate signing request (CSR)) or a certificate with a private key (PKCS #12 files, generally with a .pfx extension, previously exported from a server along with the private key).
  • Remove-ExchangeCertificate   This cmdlet is used to remove certificates from a server.
  • Enable-ExchangeCertificate   This cmdlet is used to assign services to a certificate.
  • Get-ExchangeCertificate   This cmdlet is used to retrieve an Exchange certificate based on a variety of criteria.
  • New-ExchangeCertificate   This cmdlet is used to create a new self-signed certificate or a CSR.


Here, I am going to update default self-signed certificate of CAS server from Internal PKI Certificate Authority. This server is installed with the Client Access and Mailbox server roles.

Server is located in non internet-facing Client Access server, So I am using internal PKI (CA is installed on local DC) to install the certificate.

Note : If your CAS server is internet facing Client Access Server then you must use third part CA to acquire the SSL certificate like VeriSign, Digicert etc.

In My LAB, I have Server named as below

  • PUNDC01 (Domain Controller, DNS & PKI)
  • PUNMail (Exchange 2013 server with MBX+CAS Role)

Generate Certificate Request:

  1. Login to Exchange Admin Center with Exchange Administrator credential

2. Click the “+” button to start the new Exchange certificate wizard. Choose to create a new certificate request and click Next to continue.


3. Select “Create a request for a certificate from a certificate authority” and click Next to continue.


4.Give the new certificate a friendly name and click Next to continue.


5.Leave Blank and click Next to continue. Although wildcards are supported for Exchange they are not supported for some interoperability scenarios with other server products


6.Select Exchange Server Name to store the certificate request


7.Click the Edit button and enter the domain name that clients will be using to connect to each service, This is dependent upon your organization requirement and naming to access services.


8. As I have mentioned, this is non internet facing server so I just used default.


9.Here, enter your organization details and click Next to continue.


10.Enter a valid UNC path else you will get error as shown below.


11.Enter a valid UNC path to store the certificate request file, and click Finish


12.Explore the location and make sure “Cert.REQ” file is created. Open file in notepad and verify content.


Generate Certificate with PKI:

1.Open CA service Web console using URL http://CAServer/CertSRV and select “Request a Certificate” under select a task


2.Select “advanced Certificate Request”


3.Open “Cert.REQ” file is which is created in section 11. Open file in notepad copy content and pate. Make sure no blank space is left. Select Template “Web Server” and hit to “Submit”


4.Select “DER encoded” and download the certificate


5.Open certificate and verify SAN Name


Assign Certificate to Exchange Server:

Go Back to Exchange Admin Center and click on The pending certificate request. Select certificate and assign it to server.


You are done now !!!! 🙂 🙂

For more details, click here


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

Up ↑

Eine Tolle Reise

Here, you all will come to know about me, about my life and of course some common issues these days!!

Office 365 for IT Pros

The only always up-to-date eBook about the Microsoft 365 cloud Office system, covering Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, Planner, Azure Active Directory, and more

Chirag Patel MVP MCT

Microsoft 365 Specialist

All about Microsoft 365 & Teams

lEt's eNaBle MoDeRn WoRkPlAcE ! News

The latest news on and the WordPress community.

%d bloggers like this: