Obtain a Server Certificate from a Certification Authority


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

You can obtain a server certificate from a certification authority (CA). This is one step in the process to configure Secure Sockets Layer (SSL) or Transport Layer Security (TLS). You can obtain server certificates from a third-party CA. A third-party CA may require you to provide identification before a certificate can be issued. You can also issue your own server certificates by using an online CA, such as Microsoft Certificate Services.


Cryptography Next Generation (CNG) certificates are not supported in Microsoft Exchange Server 2010.

For more information about server certificates, see the Windows Server 2003 Internet Information Services (IIS) documentation.


Microsoft Exchange Server 2010 includes a default self-signed SSL certificate. You can replace this certificate with a third-party certificate from a CA. To do this, you must first delete the self-signed certificate. For more information about how to replace the self-signed certificate, see Install an SSL Certificate on a Client Access Server.

Looking for other management tasks related to SSL? Check out Managing SSL for a Client Access Server.



As a security best practice, log on to your computer using an account that isn't in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc".

Use the Shell to obtain a server certificate from a certification authority

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

The code example below outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a CA within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output into an e-mail message or into the appropriate field on the certificate request Web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.

The certificate that results has the following attributes associated with it:

  • Subject name: c=<ES>,o=<Woodgrove Bank>,cn=mail1.woodgrovebank.com

  • Subject alternate names: woodgrovebank.com and example.com

  • An exportable private key

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable

Use the procedures specified by your chosen CA to send the certificate request to the CA.

 © 2010 Microsoft Corporation. All rights reserved.