Create Certificate Request (CSR) on Exchange 2016

Issue: You need to install a third party ssl certificate on Exchange 2016

Solution: The first step is to create a certificate request that can be submitted to a third party certificate authority.

  1. In Exchange Admin Center, click “Servers” on the left side and then click the “Certificates” tabexch-2016-servers-certificates
  2. Click the Plus Sign to add a new certificate
  3. Click ‘Next’ On the New Exchange Certificate screennew-exchange-certificate
  4. Input a friendly name for your certificate, I generally make this the primary hostname that the certificate will be applied to:
  5. Select “Request Wildcard Certificate” only if you intend to use a Wildcard Certificate.  (Wildcard certificates typically are used to certify an unlimited number of subdomains for your domain, for example * would certify and and any other names.  A wildcard certificate can typically be used and installed on numerous devices as well)
  6. On the “Store Certificate” request screen, select the Exchange 2016 server that the certificate request should be temporarily stored on and click Next.exch-2016-store-certificate-request
  7. Next select the Exchange Services you intend to protect with the certificate.  new-exch-2016-certificate-hostnamesNote: this screen is not really required to be populated, it is more of a wizard/guide that is used to recommend standard subdomains and hostnames that would typically be included in your certificate.  What is selected here will be used to create the recommendations on the screen that follows it.  Don’t worry to much about what is selected as we can review/change it in the next step.
  8. Now review the domain names recommended by the Wizard and confirm they are correct for your needs and situation.  If you intend to use a multiple name UCC certificate then I would typically use and (or instead of ‘mail’ whatever your organization currently uses as the hostname that remote mobile devices and OWA connects to).  You cannot include domain names you don’t own or non-routable domain names like .local.  With a UCC certificate, you would generally put the internal AD name of the Exchange CAS servers only if they are routable domain names.  If they are not, then do not include the AD Computer names of the Exchange Servers – leaving them out will require a bit of advanced configuration later to avoid certificate errors (making the internal client access URL’s the same as the external URL’s).
  9. Populate your organization details in the Certificate Request and click Next:certificate-request-org-details
  10. Populate the UNC path to the location where you would like to save the Certificate Request File:certificate-request-file-path
    Now you can see your certificate request in Exchange 2016:exchange-2016-pending-certificate-request
  11. Now you will need purchase a third party SSL certificate credit from a known third party certificate authority, here are my recommendations for a cheap ssl cert.  You will likely want to chose a multi-name UCC certificate or a Wildcard Certificate if you selected ‘Wildcard’ in the process above.
  12. Submit the contents of the CSR file to your certificate authority, complete the verification process and download your certificate.  Once your certificate is downloaded you will install the Exchange 2016 ssl certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.