34 C
Thursday, May 23, 2024

How to Use a Self Signed Certificate in Exchange 2010

Article Updated : Using a internal windows CA certificate with Exchange 2010


Using a Self Sign Certificate can Manage Owa alone, But Issuing a Internal Windows CA Certificate can serve all type of Clients

So will learn how to do it.

We can use a internal windows CA certificate with Exchange 2010 to avoid Cert Errors

Something which you need to know is , Using a Internal Windows CA Certificate you need to install the certificates on every machine you use and Mobile devices other wise you will end up in a certificate error in the IE

So that’s why people prefer going for a 3rd party certificate to overcome it.

In this article We Will Learn issuing a Internal Windows CA Certificate , for this to be used Externally you need to have a CNAME record in your public DNS pointing to your Public IP NAT to your CAS

First we will learn how to Export a Certificate request file from Exchange 2010 ,

Step 1:



Type a Friendly Name :





Wild Card is used if you are going to manage more URLs .For Example : *.Domain.com


Step 2:

Assign the required Services for your Exchange , Give a Tick Mark



You will opt for it if you are planning for Coexistence in OWA in Exchange 2003 and Exchange 2010


Step 3:

You will see the collection for URL’s


Step 4:

Fill out the Form – And set the location for the Cert Request file




Step 5:

Your request file would look like this



Open it via Notepad , because we need this content to generate a Certificate


Step 6:

You need to have this role installed to have a  Certificate Authority , It can be DC or Exchange it self

I have done this in the Exchange itself (No Harm)



Step 7:

Choose : Certification authority , Certification Authority Web Enrollment


Step 8:

Choose Enterprise


Step 9:

Choose Root CA




Step 10:

Create a new Private key



Step 11:

Have this Default with 2048 key Character length


Step 12:

Click Next



Step 13:

By Default Certificate is valid for 5 years , Don’t make any changes on it , Click next



Step 14:



Step 15:

Now if you Open IIS manager , you will see “CertSrv”  a Virtual Directory Created ,

Use the right side column “Browse *.443(https)



Step 16:

You would see a page like this , Choose Request a Certificate


Step 17:

Click on Advanced Certificate Request



Step 18:

Choose the Second one

Submit a certificate request by using a base-64-Encoded CMC


Step 19:

Now Copy the  Note pad  –

Choose Template : WebServer



Step 20:


Choose “Base 64 encoded”


Step 21:

Save the Certificate

image image

Step 22:

Now go to your EMC

Server Configuration – Complete Pending request



Choose the Certificate :




Step 23:

Now Assign Services to the Certificate





Now the Server Part is ready


Step 24:


Now will learn how to install the Certificate in the Client End


Double Click on the Certificate

Click Install Certificate – Click Next –




Choose Personal –




Click Next And Import will be Successful

Now Do the Same Process

Double Click on the Certificate

Click Install Certificate – Click Next – Choose Trusted Root Certification Authorities


Double Click on the Certificate

Click Install Certificate – Click Next – Choose Intermediate Certification Authorities



Step 25:





After installing the Certificate in the Client





Great !!

Now you learnt how to Use a internal windows CA certificate with Exchange 2010




Satheshwaran Manoharan

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles


  1. I like what you guys are up too. Such smart work and reporting! Keep up the excellent works guys I?¦ve incorporated you guys to my blogroll. I think it will improve the value of my site 🙂

  2. I simply want to say I am just very new to blogging and honestly loved you’re web page. Very likely I’m going to bookmark your site . You amazingly have exceptional stories. Thanks for sharing your blog.

  3. Wow that was unusual. I just wrote an really long comment but after I clicked submit my comment didn’t show up. Grrrr… well I’m not writing all that over again. Anyways, just wanted to say excellent blog!

  4. You actually make it seem so easy together with your presentation but I find this topic to be really something that I feel I’d by no means understand. It seems too complicated and very huge for me. I am looking forward in your next put up, I’ll attempt to get the hold of it!

    • I have tried my best to make it . As simple Alva

      If you feel you are confused at some point . let me know. will help you to proceed further.

      Thank you

  5. Good write-up, I’m regular visitor of one’s site, maintain up the nice operate, and It’s going to be a regular visitor for a long time.

  6. Hi ,

    It is a very good guide and I appreciate it. I followed your guide but still I receive certificate error on my client side. the only difference is my CA is on my primary DC. Can you help me!

  7. Hi,
    It certainly is very comprehensive but unfortunately like Dinesh I also still get a certificate error. The error report is that “This certificate cannot be verified up to a trusted certification authority”. When I check using MMC certificate plug-in the certificate is definitely imported into both the trusted root authority, intermediate authority and personal stores – I have tried doing the import both at user and local computer level for these options. Any suggestions will be gratefully accepted – we really cannot afford to go and buy a UCC certificate for this installation?

    • Can you check the Cert ?
      Issued to : “Webmail.Domain.com”
      and the URL you browse “Webmail.domain.com/owa”

      The above “Issued to”and the URL
      should be the same.

      If it differs you will get the error

      • The certificate shows as issued to ‘mail..com’ , issued by –CA. The URL I am accessing is https://mail..com/owa i.e. the certificate ‘issued to’ domain and the URL are definitely the same.
        Also if I try to connect using Outlook Anywhere (which is our real need) I get a message saying ‘the security certificate is not from a trusted certifying authority’, which is pretty much the same error.
        Looking in the client certificate stores via MMC the certificate shows as Issued to mail..com, Issued By –CA, valid to 5 Nov 2014, Intended purposes ‘server authentication’, no friendly name and template ‘WebServer’. It is in the personal store, the trusted root CAs, the Intermediate CAs and I also, in desperation, added it to third-party Root CAs. Still doesn’t work
        Where can I look next to get this going? I am happy to upload or mail the certificate for you to have a look at if you want me to, just don’t want to publish on the net for obvious reasons :).

      • The previous got a bit mangled : to be clear the certificate shows as issued to mail.{domain}.com by an authority {org}-{server}-CA . The URL being accessed is https://mail.{domain}.com/owa .

      • Thought I should also add that the clients on which I am installing the certificates are NOT members of the domain to which the server issuing them belongs. Is this perhaps of relevance?

          • 1. My certificate still doesn’t work for OWA regardless of whether or not it should work for OA.
            2. It isn’t a ‘self-signed’ certificate it is a certificate produced by an internal CA. The two are different things. The self-signed certificate is what we replace with the generated one in step 23 – you can see in your own image that the original ‘Microsoft Exchange’ cert is marked in column ‘Self-signed’ as ‘true’ and this locally generated ‘Exchange Cert’ one is ‘false’.
            3. If it REALLY won’t work for OA (and I still believe it should) then a) what is the point of doing all this as all you gain is the ability to not have to ignore the certificate error to use OWA and b) you really need to make the article much more clear as to what this process is useful for.

          • In addition I have now exported the {org}-{server}-CA from the Trusted Root CA of the server and imported that to the Trusted Root CA of the (non-domain) client. Now OWA works as you describe, as there is a path to a trusted authority. For domain clients they may probably automatically trust the server as it is in the same domain.

            The failure on OA has also changed – I am now now seeing an ‘untrusted certificate error’, just an issue with authentication. I will track that down and post the results.

            Conclusions so far:
            Both OA and OWA should work with a INTERNALLY GENERATED certificate. OWA works with self-signed, OA doesn’t.
            The title of this article is wrong – it’s not about using a self-signed certificate but an internal CA one – and it’s a very comprehensive guide to that.

          • Final Update: all working now. The authentication issue appears to have been down to switching to Kernel mode authentication for the various exchange processes at some point.

            So to summarise – this detailed guide works for both OWA and OA by using an internal CA certificate, with the proviso that for non-domain member PCs you need to import the issuing server’s CA certificate to the Trusted Root CA store, in addition to the Exchange certificate generated as described here.

            Thanks Satheshwaran for creating this guide initially and for our exchange (pardon the pun!) regarding the differences between self-signed and internal CA generated certificates. I hope the clarification will be of value to all readers of this blog.


  8. Hi Graham,
    Have Emailed you on this !

    Issued by Windows CA will work with Outlook anywhere
    But not a Self Sign Cert

    Thank you !

  9. Hi there, I found your web site via Google at the same time as searching for a related subject, your site came up, it looks great. I’ve bookmarked it in my google bookmarks.

  10. Asking questions are in fact good thing if you are not understanding something completely, except this article provides good understanding even.

  11. Hi Satheshwaran,

    Thank you for sharing the knowledge. I was looking for such informative articles. I am trying all sorts of tests to master the Exchange Server domain in my lab environment.
    Once again Thankx bro!

    • Hi Gulab,
      I Understand. But the internal URL of my server is the FQDN of my Server. WHere the Cert has both the entries.
      So both should work right ?

  12. This unique material you presents in this article is a top-notch and great matter. Captivating strategy and also structure in composition. Keep writing this kind of useful details.

  13. My cert is working on Server but l got an error on client PC….. i have also install to Personal,Trusted Root Certification Authorities,Intermediate Certification Authorities…………………..but still got an error with internet explorer 9. kindly guide me.

  14. I have done these steps several times, yet now my exchange does not work anymore. Clients can’t connect with web or outlook. So maybe article is helpful but in my case it set me back to the dark ages.

    • if you have had a Self Signed Cert already. After doing these steps. You have place the new cert in all your devicies.

      That’s the only situation where connected devices goes disconnected. and That’s the disadvantage of a self signed Cert

  15. Thanks for quick reply.
    But certificate does not even show on Exchange or in certificates. I confirmed that I do not have that thumbprint anywhere
    So how can I revert back..make a normal self signed certificate and leave things as they were

    • Go to an old client , Check what cert you had in the past. If you are using the same CA. Try using the same Cert. make sure its not expired

  16. Thanks on your marvelous posting! I actually enjoyed reading it, you might be a
    great author. I will always bookmark your blog and will come back in the foreseeable
    future. I want to encourage you continue your great writing, have a nice holiday weekend!

  17. Hi Satheesh,

    First of all great blog! Congrats for that.

    I’ve a query. My self signed Cert for Ex2k10 got expired & I’ve renewed it using the cmdlet
    Get-ExchangeCertificate -thumbprint “9XXXXXX” | New-ExchangeCertificate
    & removed the expired Certficate.

    However I dint’ do it through Internal CA which we already have in place.
    Now, I had to install the cert manually on all clients. I tried to renew the Cert again from EMC> Server config , but since the cert is already renewed and valid am unable to make a cert request out of that.
    Is there any way so that I can renew a valid certificate or do I have to create a new certificate request in order to create a different certificate through internal CA? please advise.

    Thanks and Regards,

      • I did it and the certificate is already in place. However, since I couldn’t make it with an Internal CA, unable to put the same in Trusted Root Certificates via Group policy in Client Computers.
        Now I’m installing it manually in client PC’s when I get cert error.

        Is there anyway so that I can put the cert in Client PC’s Trusted Root certificates via GPO.


  18. Hi Satheshwaran,

    I hope I had seen this earlier. What a clear step-by-step
    migration guide from Exchange 2003 to 2010.

    I have a question related to generating the CSR code for a new Exchange Certificate.
    Let’s say in a migration process (one Exchange2003 and one Exchange2010 scenario) your “Domain name you use to access Outlook Web App internally” in the Client Access server configuration section is servername.child.domain.com while your OWA on the internet is mail.domain.com.

    1-What should I put for “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector? I put “mail.domain.com”

    I am asking this because by default if I were to ckeck “Use Hub Transport server for POP/IMAP client submission, the FQDN of the connector turns out to be auto filled as “child.domain.com,domain.com”. Is it how it is also supposed to be for the “Hub Transport server” (Use mutual TLS to help secure Internet mail) FQDN of your connector?

    2-Even though I used the following while generating the code (with DigiCert):
    a- Outlook Web App as “mail.domain.com”
    b-ActiveSyn as “mail.domain.com”
    c-Autodiscover as “autodiscover.domain.com”
    d-legacy as “legacy.motovan.com”

    and the names on the certificate are:

    Note: The server FQDN (servername.child.domain.com) and child.domain.com were not included on the cert.

    the “security alert” windows still managed to pop for some internal users. I am pretty confused why is some people only receiving it and not everyone. However, when I tried to load my own outlook profile to a new VM, then I receive the same “security alert” warning which I never received after the certificate was installed from my original PC, puting a red cross at ” The name on the security certificate is invalid or does not match the name of the site” referring to servername.child.domain.com.

    DigiCert wants me to add the FQDN of the server to resolve the issue, is there any other alternative since I left the FQDN of the server out intentionally.

    3- Should “child.domain.com” also be included on the certificate.

    4-Am I missing DNS entries or extra configurations must be done in IIS?

    I am just pretty confused about this. Can you please clarify this for me?

    Thanks in advance for this great site.

  19. Awesome issues here. I’m very happy to look your article. Thank you so much and I am having a look forward to contact you.

    Will you please drop me a e-mail?

  20. Hi Satheshwaran

    How can I configure back the self-signed certificate on my exchange server 2010 if something goes wrong with windows internal CA certificate configuration you described.

    thanks in advance

    • You have to re do the same process. Create req . Get cert. apply again. Until that users will face cert error.

  21. Another advantage is the safety feature. Quite a few solo mess
    devices may, even so, be taken meant for combining.

    If you are seeking for the best ways to find biodegradable plastic extruders to get custom products for
    your company, contact Hall manufacturing.

  22. I do not even know how I ended up right here, however I thought this post was once good.
    I don’t recognize who you are but definitely you are going to a famous blogger if you happen to aren’t already.



Please enter your comment!
Please enter your name here

× How can I help you?