Add an SSL certificate to Exchange 2013 for migration to Exchange Online
Some services, such as Outlook Anywhere, Cutover migration to Microsoft 365 or Office 365, and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. This article shows you how to configure an SSL certificate from a third-party certificate authority (CA).
What permissions do you need?
In order to add certificates, you need to be assigned the Organization Management role group on the Exchange Server 2013.
Tasks for adding an SSL certificate
Adding an SSL certificate to Exchange Server 2013 is a three-step process.
Create a certificate request
Submit the request to certificate authority
Import the certificate
Create a certificate request
To create a certificate request:
Open the Exchange admin center (EAC) by browsing to the URL of your Client Access server, for example, https://Ex2013CAS/ECP.
Enter your username and password by using the domain\username format for username, and choose Sign in.
Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then choose New .
In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then choose Next.
Specify a name for this certificate, and then choose Next.
If you want to request a wildcard certificate, select Request a wild-card certificate, and then specify the root domain of all subdomains in the Root domain field. If you don't want to request a wildcard certificate and instead want to specify each domain that you want to add to the certificate, leave this page blank. Choose Next.
Choose Browse, and specify an Exchange server to store the certificate on. The server you select should be the internet-facing Client Access server. Choose Next.
For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:
If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the internet) and Outlook Web App (when accessed from the intranet) should show owa.contoso.com. Offline Address Book (OAB) (when accessed from the internet) and OAB (when accessed from the intranet) should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook Web App (when accessed from the internet) should show owa.contoso.com, and Outlook Web App (when accessed from the intranet) should show internal.contoso.com.
These domains will be used to create the SSL certificate request. Choose Next.
Add any additional domains you want included on the SSL certificate.
Select the domain that you want to be the common name for the certificate > Set as common name. For example, contoso.com. Choose Next.
Provide information about your organization. This information will be included with the SSL certificate. Choose Next.
Specify the network location where you want this certificate request to be saved. Choose Finish.
Submit the request to certificate authority
After you've saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. You can search the CA website for the specific steps for submitting your request.
Import the certificate
After you receive the certificate from the CA, complete the following steps.
To import the certificate request:
On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
In the certificate request details pane, choose Complete under Status.
On the complete pending request page, specify the path to the SSL certificate file > OK.
Select the new certificate you just added, and then choose Edit .
On the certificate page, choose Services.
Select the services you want to assign to this certificate. At a minimum, you should select SMTP and IIS. Choose Save.
If you receive the warning Overwrite the existing default SMTP certificate?, choose Yes.