How to create a self-signed SSL certificate for Exchange Server 2003/2007/2010

A Self signed certificate is prepared for limited access environment like to access webmail and also useful for a test environment.

Step to create self signed certificate on Microsoft exchange server 2003/2007/2010

Step – 1
Open an Exchange Management Shell go to the Start Menu -> Microsoft Exchange You can also start a standard Powershell 2.0 Console and load the Exchange addin by issuing the PS cmdlets:

[PS] C:\>add-PSSnapin *exchange*
[PS] C:\> Get-PsSnapIn -Registered

Step – 2
Within the Exchange Management Shell (EMS) List the existing certificates and the services they are enabled for using:

[PS] C:\>Get-ExchangeCertificate
Thumbprint Services Subject
————— ———— ———-
27A2E4F546791A7D079E24FAD2EC4599B8D95152 IP.WS CN=xyzcomanyname

Step – 3
In EMS, create a new Certificate Request with Alternate Domain Names (for your internal and external hostnames)
[PS] C:\> New-ExchangeCertificate -generaterequest -subjectname “dc=com,dc=mycompany,o=My
Company Inc,cn=webmail.mycompany.com”-domainname
webmail.mycompany.com,webmail.mynetwork.local,xyzcomanyname .mynetwork.local,xyzcomanyname –
PrivateKeyExportable $true -path certrequest_xyzcomanyname.csr

Thus, you will get a new Certificate Request that has been saved in the CSR file “C:\certrequest_xyzcomanyname.csr”. A new Get-ExchangeCertificate cmdlet command will show the new list of certificates, which includes the new certificate request. At this point, the CSR has not been certified, so it can be used.

Note: You can also have some alternative ways to create a Certificate Request on Windows and IIS but this this method is best among all that lets you specify a list of alternate domain names.  (Which is a requirement for multiple organizations running internal/private and external/public networks in parallel).

Step – 4
Before performing the signing of the CSR, make sure that Microsoft’s Certificate Services is installed on your machine. If you have installed this, open the Control Panel, click on Add/Remove Windows Components and check that “Certificate Services” is checked.

Windows Components Wizard

The appeared windows will ask you if you want to install ASP. Click ‘Yes’ if it is required. In the next screen select the type of CA you want to setup. Select “Enterprise root CA” and click “Next”.

You will be asked to enter information about the certificate authority (CA)

  • Common name for this CA: xyzcomanyname.mynetwork.local
  • Distinguished name suffix: DC=mynetwork,DC=local
  • Validity period: 5 years

Click “Next”. The following screens lets you customize database and logs path, leave as default and hit “Next” again, and let Windows install the necessary components.

Step – 5
In the next step, we’ll login to the Microsoft Certificate Server. Open an Internet Explorer browser window and type following URL:

http://xyzcomanyname.mynetwork.local/certsrv

If your server is only configured to support SSL as is the default for a dedicated Exchange machine, “https://xyzcomanyname.mynetwork.local/certsrv”. You will be asked for your Domain credentials, enter them.

Microsoft Certificate Servive

Step – 6
Click on the ‘Request a Certificate’ link and then click on “advanced certificate request”. In the Advanced Certificate Request page, click the “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.” option.

Step – 7
Open the “” certificate request file you created in Step 2 in Notepad. It will look like this

——-BEGIN NEW CERTIFICATE REQUEST——-
OTAuMjBABgkrBgEEAYI3FRQxMzAxAgEBDA9mYXJnby5pZHlsZS5sYW4MC0lEWUxF
ggEughF3ZWJtYWlsLmlkeWxlLmNvbYIPd21haWwuaWR5bGUuY29tgg9mYXJnby5p
ZHlsZS5sYW6CD3dtYWlsLmlkeWxlLmxhboIPZmFyZ28uaWR5bGUubGFugg5tYWls
qw8xdFg6L4eNMqvrW3ZOUb06Du2WOkN8A4mghgFCUDvBihyMVY6nczx+qvJkwPBo
[……..]
ZHlsZS5sYW6CD3dtYWlsLmlkeWxlLmxhboIPZmFyZ28uaWR5bGUubGFugg5tYWls
qw8xdFg6L4eNMqvrW3ZOUb06Du2WOkN8A4mghgFCUDvBihyMVY6nczx+qvJkwPBo
——-END NEW CERTIFICATE REQUEST——-

Step – 8
Paste the complete certificate request into the “Saved Request:” box of the Microsoft Certificate Services web page. Select “Web Server” for the “Certificate Template” and click “Submit”.

Submit a Certificate Request or Renewal Request

Step – 9
Once your certificate has successfully signed and generated, select “Base 64 encoded” option and click “Download certificate”. Save the file on your computer as “C:\certselfsign_xyzcomanyname.cer

Certificate Issued

Step – 10
Go back to the Exchange Management Shell (EMS) and Import the newly self-signed certificate:

[PS] C:\> Import-ExchangeCertificate -path c:certselfsign_xyzcomanyname.cer -friendlyname “My Company xyzcomanyname” 

Step – 11
Verify the certificate has been properly imported and retrieve its Thumbprint with:

[PS] C:\> Get-ExchangeCertificate
Thumbprint Services Subject
————— ———— ———-
9799CEEBEA4FFADE068FC73FE63EB0495DD4F8A0….. CN=webmail.mycompany.com, O=My Comapny Inc, DC=mycompany, DC=com
86214B8F1951E8B062955835D0C4C62D89E8D83F….. CN=xyzcomanyname.mynetwork.local, DC=mynetwork, DC=local
27A2E4F546791A7D079E24FAD2EC4599B8D95152 IP.WS CN=xyzcomanyname

The newly certificate is the one we registered the request for using the public hostname (webmail.mycompany.com). The other new certificate is the certificate for the CA we installed through Microsoft Certificate Services.

Step – 12

In the last step, we have to enable the new certificate for all services we want to use. In our case, I will enable it for IIS (https), POP, IMAP and SMTP.

[PS] C:> Enable-ExchangeCertificate-
thumbprint 9799CEEBEA4FFADE068FC73FE63EB0495DD4F8A0 -services “IIS,POP,IMAP,SMTP”

[PS] C:> Get-ExchangeCertificate
Thumbprint Services Subject
————— ———— ———-
9799CEEBEA4FFADE068FC73FE63EB0495DD4F8A0 IP.WS CN=webmail.mycompany.com, O=My Comapny Inc, DC=mycompany, DC=com
86214B8F1951E8B062955835D0C4C62D89E8D83F ….. CN=xyzcomanyname.mynetwork.local, DC=mynetwork, DC=local
27A2E4F546791A7D079E24FAD2EC4599B8D95152 ….S CN=xyzcomanyname

You’re now all done. Your internal “https://xyzcomanyname.mynetwork.local” and your external “https://webmail.mycompany.com” will both be valid certificates which will let your clients connect through Outlook, through Outlook Web Access (OWA) and through Outlook Anywhere (RPC over HTTPS) for mobile devices.