Exchange - SSL Certificates in Exchange SE, 2019, and 2016

This article contains information on generating, installing, and enabling SSL certificates for Microsoft Exchange SE, 2019 and 2016 using the Exchange Admin Center and Exchange Management Shell.

Obtaining SSL Certificates

To use SSL certificates in Microsoft Exchange SE, 2019, and 2016, you generate a Certificate Signing Request (CSR) on your Microsoft Exchange server, submit the request to one of the supported Certificate Authorities, and install the issued certificate on the Exchange server. Once the certificate has been installed, you need to enable it for your chosen protocols (detailed later in this guide).

Mimecast supports 1024-bit and 2048-bit (recommended) SSL Certificates.

For more information on generating the SSL Certificate using the Exchange Admin Center (EAC), see Create an Exchange Server certificate request for a certification authority.

Command Line CSR Generation (Exchange Management Shell)

See Microsoft Support for more information on the Exchange Management Shell.

You can access the Exchange Management Shell by using the following steps:

  1. Log into Microsoft Exchange Server as an Exchange administrator.
  2. Open the Exchange Management Shell and use the New-ExchangeCertificate cmdlet to generate a new certificate request.

The following command is an example that you could use. This example assumes that:

  • Your organization is called Acme Corp.
  • Your organization is located in the United Kingdom.
  • Your Exchange server's Fully Qualified Domain Name (FQDN) is exchange.acmecorp.com
  • You want to export your request to C:\

# Generate the certificate request. C= takes the ISO 3166 two-letter country code, which is GB for the United Kingdom.
$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Exchange Certificate" -SubjectName "C=GB,O=AcmeCorp,CN=exchange.acmecorp.com" -DomainName *.acmecorp.com -KeySize 2048 -Server exchange.acmecorp.com

# Write the request text to a file on C:\
[System.IO.File]::WriteAllBytes('C:\ExchangeCertificate.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

If you're unsure how to run the above Exchange cmdlet, refer to Microsoft's Support article.

The exported request file now needs to be submitted to the certificate authority for processing.

Installing SSL Certificates

Once the certificate has been issued by the Certificate Authority, you need to import it into Microsoft Exchange SE, 2019, or 2016. After installing the certificate on your Microsoft Exchange server, you will need to enable it for use with the POP3 protocol.

Command Line Certificate Installation (Exchange Management Shell)

Once the certificate has been issued by the Certificate Authority, create a new file called certnew.cer in the same folder as the request file. Open the certnew.cer file in Notepad and paste the encoded certificate into the file.

You need to ensure that you run the import command listed below on the same server the CSR was generated on.

Open the Exchange Management Shell and run this command:

If you're unsure how to run the above Exchange cmdlet, see Microsoft's Support Article about installing an SSL Certificate.

Command Line Certificate Enablement (Exchange Management Shell)

After the certificate has been installed, you will need to enable it for use with the POP3 protocol.

The first step is to obtain the thumbprint of the installed certificate. Open the Exchange Management Shell, and run the following command:

The output should be similar to:

The next step in this process is to enable the SSL certificate for use with the POP3 protocol. Open the Exchange Management Shell and run the following command:

If you're unsure how to run the above Exchange cmdlet, see Microsoft's Support Article about configuring SSL Certificates to use multiple client access server host names.

The final step is to ensure that the certificate has been enabled successfully for POP3. Open the Exchange Management Shell and run the following command:

The output should be similar to:

Under Services you should see P (POP3) listed.
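
The import, thumbprint lookup, enablement and verification steps described above, written as one Exchange Management Shell sequence. This is an added example, not taken from the original article or from Microsoft; the path C:\certnew.cer and the server name exchange.acmecorp.com are assumptions based on the article's scenario.

```powershell
# Added example: values below come from the article's scenario or are assumptions.
$Server   = 'exchange.acmecorp.com'   # FQDN used in the article's CSR example
$CertPath = 'C:\certnew.cer'          # assumed location: same folder as the request file

# 1. Import the issued certificate on the server that generated the CSR,
#    because that is where the pending request's private key is stored.
$imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes($CertPath))

# 2. Look the certificate up by thumbprint and check it before enabling it.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import it on the server that created the request."
}
if ($cert.Status -ne 'Valid') {
    throw "Certificate status is '$($cert.Status)'; check the chain and validity dates."
}
if ($cert.PublicKeySize -lt 2048) {
    Write-Warning "Key size is $($cert.PublicKeySize) bits; the article recommends 2048."
}

# 3. Enable the certificate for POP3.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services POP

# 4. Verify: Services should now include POP (shown as P in the table view).
$check = Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint
$check | Format-List Thumbprint, Subject, Services, Status, NotAfter
if ("$($check.Services)" -notmatch 'POP') {
    throw 'POP is not listed under Services for this certificate.'
}
```

The sequence stops with an error if the certificate has no private key or is not in the Valid state, so an unusable certificate is never bound to POP3.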
