Exchange Server 2016 communicates with clients, applications and other servers over a variety of network protocols such as HTTPS, SMTP, IMAP and POP. Much of this communication, particularly with clients and applications, involves username and password-based authentication. When user credentials are sent over the network without encryption they are sent “in the clear”, meaning they can potentially be intercepted and read by an attacker. Other information transmitted during the session may also be sensitive and open to abuse if it is intercepted.
To secure these communications, Exchange Server 2016 uses SSL certificates to encrypt the network traffic between the server, clients and applications. This includes:
- Outlook connecting to Outlook Anywhere (RPC-over-HTTP) or MAPI-over-HTTP
- Web browsers connecting to Outlook on the web (OWA)
- Mobile devices connecting to ActiveSync to access mailboxes and calendars
- Applications connecting to Exchange Web Services (EWS) for free/busy and other lookups
- Email clients connecting to secure POP or IMAP
- TLS encrypted SMTP between Exchange servers or other email servers
01 – Now, let’s create a certificate signing request (CSR). Log on to the Exchange Admin Center (EAC). Click servers in the features pane. Select the certificates tab.
02 – We want to install a public certificate, not a self-signed certificate. Choose the “create a request for a certificate from a certification authority” option. Click next.
03 – Type a friendly name to recognize this certificate, for example SSL Certificate. Click next.
04 – This option allows you to generate a CSR for a wildcard certificate. We need a SAN/UC certificate, so don’t choose this option. Leave it unchecked. Click next.
05 – Click browse and select the mailbox server. This is the server where the certificate request will be stored. Click next.
06 – Here, you can specify which domain names are to be included in the certificate. You can leave this at the default and specify domain names on the next page as shown below.
07 – At the next step you can select and remove any unwanted names, edit existing names, or add more names to the certificate request.
08 – Fill in the organization info. Make sure you have filled in the boxes correctly. Click Next.
09 – Browse to the UNC path of the shared folder where the CSR (Certificate Signing Request) file will be stored. Click Finish.
10 – You can browse to the UNC path to open the file. Open the file with Notepad as shown below. You will see the CSR text.
11 – Go to your enterprise CA page in the browser (usually https://<CA-ip>/certsrv) and click Request a certificate.
12 – Click advanced certificate request.
13 – Enter the CSR you obtained from the WLC or OpenSSL. In the Certificate Template drop-down list, choose Web Server. (Please Refer to the Pictures)
14 – Download the certificate with the file name ExchangeSSl, then view the file. (Please refer to the pictures.)
15 – Once you get the certificate in your inbox, download it to the same shared folder. Go back to the certificates page in EAC. You will see that SSL Certificate is in pending status. Click Complete to continue the certificate installation.
16 – Type the UNC path of the shared folder including the file name. Don’t forget the .cer extension. Click OK.
17 – The certificate is now installed successfully. You can see the details of the certificate above. It is issued by the DC-CLOUD Certificate Authority (CA). It expires on 07/27/2019. Notice, assigned services is set. This means the certificate has been installed but is not being used yet. Now double-click the certificate to assign services.
18 – Check services. Check SMTP, IMAP, POP and IIS. Click save. Click Yes on the warning that says the certificate will overwrite the current certificate. Now close Internet Explorer and re-open it.
19 – Log on to https://DC-CLOUD.Sifad.ae/ecp. Find the lock icon in the address bar. As you can see above, the site is now secured. You can also click view certificates to view the details of the certificate. (Please refer to the pictures.)
You can view the subject alternative name as shown above. In this way you can install an SSL certificate in Exchange 2016.
Now we have successfully completed the SSL certificate installation in Exchange 2016.
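The request, import and service assignment in steps 01 to 19 can also be run from the Exchange Management Shell. The script below is an added example, not part of the original walkthrough; the server name, share path, subject and domain names are placeholder assumptions, and it refuses to assign services if the issued certificate does not cover every requested name, is not reported as valid, or has no private key.

```powershell
# Run in the Exchange Management Shell. All values in this block are placeholders (assumptions).
$Server  = 'EXCH01'                                        # mailbox server holding the request (step 05)
$Share   = '\\FILESRV\certs'                               # shared folder (step 09)
$Names   = 'mail.example.com', 'autodiscover.example.com'  # SAN entries (steps 06-07)
$Subject = 'C=AE, O=Example Org, CN=mail.example.com'      # organization info (step 08)

# Steps 01-09: generate the CSR. The private key is created on $Server and
# marked non-exportable, so it never leaves the server with the request.
$csr = New-ExchangeCertificate -GenerateRequest -Server $Server `
    -FriendlyName 'SSL Certificate' -SubjectName $Subject -DomainName $Names `
    -KeySize 2048 -PrivateKeyExportable $false
Set-Content -Path "$Share\ExchangeSSl.req" -Value $csr -Encoding ASCII

# Steps 11-14 happen at the CA. Save the issued certificate as
# "$Share\ExchangeSSl.cer" before running the rest of the script.

# Steps 15-16: complete the pending request with the issued certificate.
$imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes("$Share\ExchangeSSl.cer"))
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint

# Step 17 check: compare the SAN list on the issued certificate with what was
# requested, and confirm Exchange sees a valid certificate bound to its key.
$have    = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $Names | Where-Object { $have -notcontains $_ }
if ($missing -or $cert.Status -ne 'Valid' -or -not $cert.HasPrivateKey) {
    throw ("Not assigning services: missing names=[{0}] status={1} hasPrivateKey={2}" -f
        ($missing -join ', '), $cert.Status, $cert.HasPrivateKey)
}

# Step 18: assign services. Without -Force the cmdlet still asks for
# confirmation before replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
    -Services SMTP, IMAP, POP, IIS

# Step 19: confirm issuer, expiry, SAN entries and assigned services.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, NotAfter, CertificateDomains, Services, Status
```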