How to Generate a Certificate Signing Request in Exchange Server 2016

How to Generate a Certificate Signing Request in Exchange Server 2016

The first step to installing a new certificate on an Exchange Server 2016 is creating a certificate request also known as a Certificate Signing Request (CSR). To obtain an Exchange Server SSL 2016 from a Certificate Authority (CA) , you have to first generate a CSR. You then send the certificate request file to the CA. The CA uses the information in the file to issue the certificate for you to install.

You can create certificate requests through either the Exchange Admin Center (EAC) or the Exchange Management Shell.

Creating a certificate request using EAC

  1. Access the EAC of one of your Exchange servers on your browser and log in.
  2. After logging in, click on servers on the left side bar menu then click on the Certificates tab in the menu at the top of the page.
  3. All currently installed Exchange servers should be displayed on the select server drop down menu. Select the exchange server where you want to install the SSL/TLS certificatethen click Add “+”
  1. The New Exchange Certificate wizard should pop up. Choose Create a request for a certificate authority then click Next to proceed. Note: You could also choose the Create a new self-signed certificate
  1. Type a “friendly name” in the *Friendly name for this certificate This name will be displayed on the list of certificates installed on the server. As such, you should make the name easily recognizable and distinguishable from the rest. Click Next to move to the next step.
  1. On the Request a wildcard certificate pop-up, perform one of the following actions:
  • Leave the box unchecked and click Next if you want a certificate for a single host or a subject alternative name (SAN) certificate.
  • If you want a wildcard SSL certificate
  • Check the Request a wildcard certificate box
  • Type the root domain for all the subdomains proceeded by a (*) symbol in the Root domain E.g. *.example.com or *.myrootdomainname.com
  • Click Next
  1. In the *Store certificate request on this server box, click Browse to select the exchange server in which you want to store the certificate request. This server will be later used to complete the certificate request. It will be the first one to have the certificate installed and from which you can later export the TLS certificate from to the other servers.

In the example below, EX16-01 is the choice of server to store the certificate request.

 

Note: If you are creating a certificate request for a wildcard certificate, skip steps 8 and 9 and proceed directly to step 10.

  1. The next step is to select the domain names you want included in your certificate. The wizard pre-populates the list with suggestions for you to include in your certificate request. This list helps you determine the hostnames (both internal and external) required in the certificate for Exchange services which include: POP, Autodiscover, Exchange ActiveSync, Exchange Web Services, IMAP, Outlook Anywhere, Outlook on the web and Offline address book generation (OAB).You can edit the domain list on this page but it is easier to do it on the next page. Click Next.
  1. On this page, you can add more names to the certificate request, edit existing names or remove the unwanted names from the list. Click on the Edit icon to make any changes then click Next to proceed.

 

Note: Since third party SSL certificate providers no longer allow internal hostnames on certificates, make sure you remove internal hostnames from the certificate request.

  1. Specify information about your organization. On this page, fill in all the required fields. These include:
  • Organization name: Type your company’s legally registered name
  • Department name: Type the name of your department. This is typically “Web security” or “IT”
  • City/locality: Type the legal location (City/locality) of your company
  • State/province: Type the legal location (State/province) of your company
  • Country/Region name: Select the legal location (Country or region) of your company from the drop down menu
  1. Enter the UNC path and the filename for the certificate request on the “Save the certificate request to the following file” page. Click Finish when you are done. Example: \\exservername\share\mycertrequest.REQ):

You can now open the certificate request file on a text editor, copy the text from the —–Begin New Certificate Request—– to —–End New Certificate Request tags and paste it in the certificate order form on your CA’s website. You can also send the whole certificate request file if your CA requires a binary certificate request encoded by DER.

After receiving your SSL/TLS certificate, you have to return to the Exchange Admin Center to complete the pending Exchange 2016 certificate request.

Creating a certificate request using Exchange Management Shell

If you prefer using command line interface, you can create a CSR using exchange management shell/PowerShell.

  1. To create a certificate request for a SAN SSL certificate on the local exchange server, use the following syntax:

2(1)

New-ExchangeCertificate -GenerateRequest -RequestFile “\\FileServer01\Data\Contoso Wildcard Cert.req” -FriendlyName “Contoso.com Wildcard Cert” -SubjectName C=US,CN=*.contoso.com

The example above has the following properties:

  • SubjectName: contoso.com in the United States
  • Subject Alternative Name field values
  • Legacy.contoso.com
  • Legacy.contoso.net
  • Mail.contoso.net
  • Autodiscover.contoso.net
  • Autodiscover.contoso.com
  • FriendlyName– Contoso.com SAN cert
  • RequestFile – \\FileServer01\Data\Contoso SAN Cert.req
  1. To create a certificate request for a wildcard certificate on the local exchange server, use the following syntax:

New-ExchangeCertificate -GenerateRequest -RequestFile<FilePathOrUNCPath>\<FileName>.req [-FriendlyName<DescriptiveName>] -SubjectName [C=<CountryOrRegion>,S=<StateOrProvince>,L=<LocalityOrCity>,O=<Organization>,OU=<Department>],CN=<HostNameOrFQDN> [-DomainName<Host1>,<Host2>…] [-BinaryEncoded<$true | $false>] [-KeySize<1024 | 2048 | 4096>] [-Server <ServerIdentity>]

The example above has the following properties:

  • SubjectName– *.contoso.com in the United States C=US, CN=*.contoso.com
  • RequestFile – \\FileServer01\Data\Contoso Wildcard Cert.req
  • FriendlyNamecom Wildcard Cert
  1. To create a request for a single subject certificate, use the following syntax:

New-ExchangeCertificate -GenerateRequest -RequestFile “\\FileServer01\Data\Contoso SAN Cert.req” -FriendlyName “Contoso.com SAN Cert” -SubjectName C=US,CN=mail.contoso.com -DomainName autodiscover.contoso.com,legacy.contoso.com,mail.contoso.net,autodiscover.contoso.net,legacy.contoso.net

The example above has the following properties:

  • SubJectName:contoso.com, C=US, CN=mail.contoso.com
  • RequestFile: \\FileServer01\Data\Mail.contoso.com
  • FriendlyName: mail.contoso.com cert

Notes for the commands:

  • Server– specifies the server on which the request is generated
  • GenerateRequest – prepares a 3rd party certificate request
  • FriendlyName – Is displayed under the name column in GUI
  • SubjectName – The primary FQDN for the certificate
  • DomainName – subject alternate names for the cert
  • PrivateKeyExportable– allows export/import of the certificate to other Exchange servers
  • RequestFile – the export file for the certificate request

 

About author

You might also like

Tech news

Find the newest technology updates on BloggTech

One way to keep abreast or stay updated with the technological proceedings around the global is to stay connected through the net on the websites or blogs which deal with

Tech news

Inexpensive Brands to look for while buying AC

As much as it is important to have an air conditioner at your place in summers, equally important is to find one that can suit all your needs, as well

Tech news

Some Benefits of Upgrading Oracle WebCenter Sites 12c

The site of Webcenter is the name given to the FatWire content server which is followed by the Oracle acquisition of FatWire in the year 2011. For some of the