Professional Documents
Culture Documents
Digital Certificates and SSL
Digital Certificates and SSL
TechNet Library
Exchange
Exchange Server 2013
Mailbox and Client Access Servers
Client Access Server
Digital Certificates and SSL
Create a Digital Certificate Request
Exchange 2013 Certificate Management UI
A certificate contains a public key and attaches that public key to the identity of a person,
computer, or service that holds the corresponding private key. The public and private keys
are used by the client and the server to encrypt the data before it's transmitted. For
Windows-based users, computers, and services, trust in a CA is established when there's a
copy of the root certificate in the trusted root certificate store and the certificate contains a
valid certification path. For the certificate to be valid, the certificate must not have been
revoked and the validity period must not have expired.
Types of certificates
There are three primary types of digital certificates: self-signed certificates, Windows PKIgenerated certificates, and third-party certificates.
Self-signed certificates
When you install Exchange 2013, a self-signed certificate is automatically configured on the
Mailbox servers. A self-signed certificate is signed by the application that created it. The
subject and the name of the certificate match. The issuer and the subject are defined on the
certificate. This self-signed certificate is used to encrypt communications between the Client
Access server and the Mailbox server. The Client Access server trusts the self-signed
certificate on the Mailbox server automatically, so no third-party certificate is needed on the
Mailbox server. When you install Exchange 2013, a self-signed certificate is also created on
the Client Access server. This self-signed certificate will allow some client protocols to use
SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an
SSL connection by using a self-signed certificate. Outlook Anywhere won't work with a selfsigned certificate on the Client Access server. Self-signed certificates must be manually
copied to the trusted root certificate store on the client computer or mobile device. When a
client connects to a server over SSL and the server presents a self-signed certificate, the
client will be prompted to verify that the certificate was issued by a trusted authority. The
client must explicitly trust the issuing authority. If the client confirms the trust, then SSL
communications can continue.
Note:
By default, the digital certificate installed on the Mailbox server or servers is a self-signed
certificate. You dont need to replace the self-signed certificate on the Mailbox servers in
your organization with a trusted third-party certificate. The Client Access server
automatically trusts the self-signed certificate on the Mailbox server and no other
configuration is needed for certificates on the Mailbox server.
Frequently, small organizations decide not to use a third-party certificate or not to install
their own PKI to issue their own certificates. They might make this decision because those
solutions are too expensive, because their administrators lack the experience and
knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal
and the setup is simple when you use self-signed certificates. However, it's much more
difficult to establish an infrastructure for certificate life-cycle management, renewal, trust
management, and revocation when you use self-signed certificates.
store. In this case, neither a self-signed certificate nor a certificate from a Windows PKI CA
can be installed on the mobile device.
IIS
All the following Exchange services use the same certificate on a given Exchange Client
Access server:
Outlook Web App
Exchange Administration Center (EAC)
Exchange Web Services
Exchange ActiveSync
Outlook Anywhere
Autodiscover
POP/IMAP
Certificates that are used for POP or IMAP can be specified separately from the certificate
that's used for IIS. However, to simplify administration, we recommend that you include the
POP or IMAP service name in your IIS certificate and use a single certificate for all these
services.
SMTP
A separate certificate can be used for each receive connector that you configure. The
certificate must include the name that SMTP clients (or other SMTP servers) use to reach
that connector. To simplify certificate management, consider including all names for which
you have to support TLS traffic in a single certificate.
Many Exchange deployments use reverse proxies to publish Exchange services on the
Internet. Reverse proxies can be configured to terminate SSL encryption, examine the traffic
in the clear on the server, and then open a new SSL encryption channel from the reverse
proxy servers to the Exchange servers behind them. This is known as SSL bridging. Another
way to configure the reverse proxy servers is to let the SSL connections pass straight
through to the Exchange servers behind the reverse proxy servers. With either deployment
model, the clients on the Internet connect to the reverse proxy server using a host name for
Exchange access, such as mail.contoso.com. Then the reverse proxy server connects to
Exchange using a different host name, such as the machine name of the Exchange Client
Access server. You don't have to include the machine name of the Exchange Client Access
server on your certificate because most common reverse proxy servers are able to match
the original host name that's used by the client to the internal host name of the Exchange
Client Access server.
Split DNS is a technology that allows you to configure different IP addresses for the same
host name, depending on where the originating DNS request came from. This is also known
as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the
number of host names that you must manage for Exchange by allowing your clients to
connect to Exchange through the same host name whether they're connecting from the
Internet or from the intranet. Split DNS allows requests that originate from the intranet to
receive a different IP address than requests that originate from the Internet.
Split DNS is usually unnecessary in a small Exchange deployment because users can access
the same DNS endpoint whether they're coming from the intranet or the Internet. However,
with larger deployments, this configuration will result in too high of a load on your outgoing
Internet proxy server and your reverse proxy server. For larger deployments, configure split
DNS so that, for example, external users access mail.contoso.com and internal users access
internal.contoso.com. Using split DNS for this configuration ensures that your users won't
have to remember to use different host names depending on where they're located.
Kerberos authentication and Kerberos encryption are used for remote Windows PowerShell
access, from both the Exchange Administration Center (EAC) and the Exchange Management
Shell. Therefore, you won't have to configure your SSL certificates for use with remote
Windows PowerShell.
Return to top
To prevent clients from receiving errors regarding untrusted certificates, the certificate that's
used by your Exchange server must be issued by someone that the client trusts. Although
most clients can be configured to trust any certificate or certificate issuer, it's simpler to use
a trusted third-party certificate on your Exchange server. This is because most clients
already trust their root certificates. There are several third-party certificate issuers that offer
certificates configured specifically for Exchange. You can use the EAC to generate certificate
requests that work with most certificate issuers.
Make sure that the CA supports the kinds of certificates that youll use. Consider using
subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other
CAs don't support as many host names as you might need.
Make sure that the license you buy for the certificates allows you to put the certificate on
the number of servers that you intend to use. Some CAs only allow you to put a certificate
on one server.
Compare certificate prices between CAs.
In addition to using as few certificates as possible, you should also use as few host names as
possible. This practice can save money. Many certificate providers charge a fee based on the
number of host names you add to your certificate.
The most important step you can take to reduce the number of host names that you must
have and, therefore, the complexity of your certificate management, is not to include
individual server host names in your certificate's subject alternative names.
The host names you must include in your Exchange certificates are the host names used by
client applications to connect to Exchange. The following is a list of typical host names that
would be required for a company named Contoso:
Mail.contoso.com This host name covers most connections to Exchange, including
Microsoft Outlook, Outlook Web App, Outlook Anywhere, the Offline Address Book, Exchange
Web Services, POP3, IMAP4, SMTP, Exchange Control Panel, and ActiveSync.
Autodiscover.contoso.com This host name is used by clients that support Autodiscover,
including Microsoft Office Outlook 2007 and later versions, Exchange ActiveSync, and
Exchange Web Services clients.
Legacy.contoso.com This host name is required in a coexistence scenario with Exchange
Server 2003 or Exchange 2007. If you'll have clients with mailboxes on either Exchange
Server 2003 or Exchange 2007 and Exchange 2013, configuring a legacy host name
prevents your users from