Choosing the right SSL certificate for your Microsoft Exchange Server can mean the difference between late nights at the office trying to make things work and being able to get the job done right the first time and not have to continue to worry about it. To help, we’ve put together some information and resources you will find useful if you’ve been tasked with implementing SSL / TLS security with your company’s Exchange servers.
This Exchange SSL Certificate Guide doesn’t cover every detail, since something like that would take up several volumes. With that being said, we’ve put together a definitive list of advice, tools, and tutorials to get you headed in the right direction. As always, if you have any comments, questions, or concerns, feel free to leave a comment below or reach out and contact us.
Recommended Microsoft Exchange Server SSL Certificates
First, here is a list of the recommended SSL certificates no matter what version of Microsoft Exchange you’ll be using.
- Multi-subdomain Wildcard SSL
- Enterprise EV Multi-domain UCC SSL
- Multi-domain UCC SSL
- Premium Multi-subdomain SSL
Each of the above has a different price and features, of course, but they’re the four SSL certificates you’re going to want to consider for your Microsoft Exchange server setup.
Next, we have some of the steps you’re going to want to take in order to make sure the whole process goes as seamlessly as possible. The good news is that it’s not as hard as you might think.
- Determine Your Needs – Do you have a lot of sub-domains in use? If you do have a lot of them, you’re going to want to go with a Unified Communications Certificate that will handle all the sub-domains.
- Choosing Domains to Use – A good way to start out is to look at the sub-domains on your network that are absolutely going to need SSL installed. In some cases, securing all servers isn’t absolutely necessary.
- Come Up With a Plan – You’re going to need to take time to get the job done, of course, but before you begin you should think about everything else you’re going to need. Will the server be down? This is important information.
- Create the Certificate Signing Request – Once you know what type of SSL certificate you’ll be using and what servers it needs to be installed on, you will create the Certificate Signing Request (CSR) and submit it to a Certificate Authority (like SSL.com). You can run the New-ExchangeCertificate command to create the CSR if you are using Exchange 2013 – the process will be slightly different for earlier versions, as outlined below.
- Install the SSL Certificate – When you have received your certificate, Exchange 2013 users may run the Import-ExchangeCertificate command to install it onto your server. If you don’t get any errors when installing, you can run the Get-ExchangeCertificate command to see how it installed. (Again, steps for users of earlier versions of Exchange will have different commands.)
- Intermediate Certificates – If you get a .crt file, you may need to install intermediate certificates separately. On the other hand, if you’re provided with a .p7b certificate file, the intermediate certificates are likely bundled in it and installed along with your certificate, which is nice.
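The request, install and verify steps above, put together as an added example for the Exchange Management Shell on Exchange 2013 or later (this is not code from the original article). The server name, host names, subject and file paths are placeholders to replace with your own.

```powershell
# Added example. Server name, host names, subject and paths are placeholders.
$server   = 'EXCH01'
$names    = 'mail.example.com', 'autodiscover.example.com'
$reqFile  = '\\EXCH01\certs\mail_example_com.req'
$certFile = '\\EXCH01\certs\mail_example_com.p7b'

# 1. Create the CSR. The private key is generated on $server and stays there;
#    only the request text goes to the Certificate Authority.
$csr = New-ExchangeCertificate -GenerateRequest -Server $server `
    -FriendlyName 'mail.example.com' `
    -SubjectName 'C=US, O=Example Corp, CN=mail.example.com' `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $false
Set-Content -Path $reqFile -Value $csr

# 2. When the CA returns the certificate, import it on the same server
#    that holds the pending request (and therefore the private key).
$bytes = [System.IO.File]::ReadAllBytes($certFile)
$cert  = Import-ExchangeCertificate -Server $server -FileData $bytes

# 3. Assign the certificate to the services that should present it.
#    Exchange asks for confirmation before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 4. Verify what was installed instead of assuming success.
$installed = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
$installed | Format-List Subject, CertificateDomains, NotAfter, Services, Status

# Every requested name should appear on the certificate.
$have    = @($installed.CertificateDomains | ForEach-Object { "$_" })
$missing = @($names | Where-Object { $have -notcontains $_ })

if ("$($installed.Status)" -ne 'Valid') {
    # A status other than Valid often points to a missing intermediate certificate.
    Write-Warning "Certificate status is $($installed.Status); check the intermediate chain."
}
if ($missing.Count -gt 0) {
    Write-Warning "Names not covered by the certificate: $($missing -join ', ')"
}
```

Leave -PrivateKeyExportable at $false unless the same certificate and key must be copied to other Exchange servers.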
Working With Different Microsoft Exchange Versions
Now that you know the general steps you want to take to install an SSL certificate on your Exchange Server from Microsoft, we’re going to take a look at some specific tips and advice for different versions of Exchange that are available and still in use around the world. We’ll start with Microsoft Exchange 2019 and work our way back to earlier versions that are still in use.
Microsoft Exchange 2019
As you probably know, Microsoft Exchange Server 2019 introduces a new set of features and services to the Exchange server product line. The links below explain the steps on how to create a certificate request as well as how to install the latest version of TLS.
- Create an Exchange Server certificate request for a certification authority (Microsoft)
- Import or install a certificate on an Exchange server (Microsoft)
Microsoft Exchange 2016
The resources below explain how to use the Exchange admin center (EAC) to create a certificate request and install a certificate on the Exchange server.
- Create an Exchange Server certificate request for a certification authority (Microsoft)
- Import or install a certificate on an Exchange server (Microsoft)
Microsoft Exchange 2013
The links below offer some valuable tips to help make sure you install the SSL certificate correctly the first time you try.
- Digital certificates and SSL (Microsoft)
- Exchange 2013 certificate management UI (Microsoft)
Microsoft Exchange 2010
Next, we’re going to take a look at how to install SSL on Microsoft Exchange 2010 servers. The basic steps are going to be the same as with other versions of the popular mail program, but here are a few resources that should prove helpful if you’re installing TLS / SSL on an Exchange 2010 server.
- Exchange 2010 SMTP SSL or TLS Client Access (Microsoft)
- Configuring SSL and Exchange ActiveSync (Microsoft)
Microsoft Exchange 2007
As with other versions of Microsoft Exchange server, you’re going to want to run Import-ExchangeCertificate and Enable-ExchangeCertificate commands once you have created the Certificate Signing Request and gotten your SSL certificate files. Here are some other links you should find helpful.
- Certificate Use in Exchange Server 2007 (Microsoft)
- Exchange 2007 – SMTP SSL (Microsoft)
Microsoft Exchange 2003
Believe it or not, some companies are still using Microsoft Exchange 2003. The good news is that it’s possible to lock it down if you have the right SSL certificate and you’re familiar with all the steps that need to be taken. Here are a couple links that will get you headed in the right direction.
- How to Set Up SSL on Exchange Server 2003 (Microsoft)
- How to configure TLS encryption on Microsoft Exchange 2003 server (Network World)
Is SSL for Microsoft Exchange Server Really Necessary?
In the early days of the internet the answer to this question may have been different, but in the modern world, having SSL / TLS security is an absolute necessity. This is especially true when it comes to email for any sized company. The good news is that it’s not difficult to get SSL installed correctly on your Exchange Server if you take your time and go about it the right way.
While the links and information above are going to be helpful, it’s important to note that networks (by their very nature) are different from one another. This means there might be specific steps you need to take to ensure that you’re protecting your network adequately.
If you have any specific (or general) questions about installing an SSL certificate on any version of Exchange Server, leave a comment below or search the rest of this website. We’re working on several other articles related to Microsoft Exchange Server security in the near future, so stay tuned.