How do I install a SSL/TLS certificate on Microsoft Exchange 2013?
Before you begin
- Never share private key files.
- If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
- Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
Installing your SSL/TLS Certificate on Microsoft Exchange 2013
1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a zip file that includes your Server Certificate, the chain/intermediate certificates(s) and the Root certificate. Extract the files from the zip file.
2. On the server, go to Start > Run > type MMC and hit enter.
3. Click File > Add Remove Snap-in.
4. Select Certificates and click Add.
5. Select Local Computer and click Finish.
6. Click Close.
7. Expand Certificates on the left hand side of the console window.
8. Expand the Trusted Root Certification Authorities folder and click on the Certificates sub-folder.
9. Important: Check the list of Trusted Root Certificates to see if there is a root labeled Root Certification Authority - G2. If this root is present, delete the root from the list. You will install another root certificate and chain your certificate to that root to provide backwards compatibility with older devices that do not include the newer SHA-2 root certificate.
10. Right click on the Certificates sub-folder under Trusted Root Certification Authorities and select All Tasks > Import.
11. In the import wizard, browse to the Root.crt file downloaded in step 1 and complete the wizard.
12. In the MMC console, expand the Intermediate Certification Authorities folder. Right click on the Certificates sub-folder and select All Tasks > Import.
13. In the import wizard, browse to the Intermediate1.crt file downloaded in step 1 and complete the wizard.
14. Right click on the Certificates sub-folder under Intermediate Certification Authorities and select All Tasks > Import.
15. In the import wizard, browse to the Intermediate2.crt file downloaded in step 1 and complete the wizard to complete the certificate chain setup process. You should see your Entrust Intermediate certificates listed in the Intermediate Certification Authorities folder. You are now ready to install your signed server certificate.
16. In a web browser, enter the address for your Exchange Admin Center application (https://localhost/ecp) and login with your Exchange Admin credentials.
17. In the left menu, click on Servers and select the correct server name from the drop down. Click on Certificates.
18. There should be a Pending request in the certificate list that was generated when you created your CSR and submitted your request to Entrust. Select the Pending request and click Complete.
19. Enter the path to the ServerCertificate.crt file you download in step 1. For example, you may place your Server Certificate File in a file share with a location of \\CASEXCH2K13\share\ServerCertificate.crt . Click OK to complete the import process.
20. Notice that after you complete the pending request, your Certificate Status should change to Valid.
21. Now that the certificate is imported and shows as valid, you must assign your Exchange services. Double click on the new certificate that appears in the list. In the popup window, click on the Services link on the left side. Check off the services you wish to Enable. In most cases, IIS (Outlook Web Access, Active Sync) and SMTP are selected. Click Save.
22. A warning screen will appear asking you if you want to overwrite the existing/default SMTP certificate. Clicking Yes will assign your new certificate to the service and completes the installation process.