Applies to: Exchange Server 2010 SP1

Topic Last Modified: 2012-07-23

Estimated time to complete: 10 minutes

Digital certificates are an important requirement for secure communications between the on-premises Exchange 2010 hybrid server, clients, and the cloud-based organization. You need to obtain a certificate that can be installed on the hybrid server from a third-party trusted certificate authority (CA); the self-signed certificate that Exchange setup creates is not trusted by clients or by the cloud-based organization. We recommend that your certificate's common name match the primary SMTP domain for your organization. Because clients and the cloud-based organization validate the certificate against the host name they connect to, every host name they use (for example, the external FQDN, the Autodiscover name, and the legacy Exchange 2003 server name) must also be included in the certificate.

Learn more at: Understanding Certificate Requirements

Caution:
This topic is meant to be read as part of the Microsoft Exchange Server 2003 and Office 365 Hybrid Deployment checklist. Information or procedures in this topic may depend on prerequisites configured in topics earlier in the checklist. To view the checklist, see Checklist - Exchange 2003 and Office 365 Hybrid Deployment.

How do I obtain a certificate?

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in Exchange and Shell Infrastructure Permissions.

Before you can configure certificates on the hybrid server, you need to obtain a certificate from a trusted CA. Complete the following steps on the hybrid server to generate a request for a new certificate to use on it.

  1. In the console tree, click Server Configuration for the on-premises Exchange organization node and then select the hybrid server.

  2. From the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard.

  3. On the Introduction page, in the Enter a friendly name for the certificate field, provide a descriptive name for the certificate request, and click Next.

  4. On the Domain Scope page, the Enable wildcard certificate check box lets you request a wildcard certificate by specifying its root domain instead of listing individual host names. Unless you have many domains that you want to include with this certificate, we recommend you do not select this check box. Click Next.

    Note:
    If you choose to enable a wildcard certificate, skip to step 7.
  5. If you didn't enable a wildcard certificate on the Domain Scope page, on the Exchange Configuration page, select each of the following services, then click Next:

    1. Under Client Access server (Outlook Web App), select Outlook Web App is on the Intranet and specify the internal FQDN of your hybrid server. For example, Ex2010.corp.contoso.com. Then select Outlook Web App is on the Internet and specify the external FQDN of your hybrid server. For example, mail2.contoso.com.

    2. Under Client Access server (Exchange ActiveSync), select Exchange Active Sync is enabled and specify the external FQDN of your hybrid server.

    3. Under Client Access server (Web Services, Outlook Anywhere, and Autodiscover), select Exchange Web Services is enabled. Then select Outlook Anywhere is enabled and specify the external FQDN of your hybrid server. Then select Autodiscover is used on the Internet, select Long URL, and specify the Autodiscover URL you want to use for your hybrid server. For example, autodiscover.contoso.com.

    4. Under Hub Transport server, select Use mutual TLS to help secure Internet Mail and then specify the external FQDN of your hybrid server.

    5. Under Legacy Exchange server, select Use legacy domains and specify the FQDN of your Exchange 2003 server. For example, mail1.contoso.com.

  6. On the Certificate Domains page, review the domains that will be added to this certificate. Verify the domains you specified on the previous page are present. Then, do the following and click Next:

    1. Click Add and specify the delegation domain for your hybrid server. For example, exchangedelegation.contoso.com. Click OK.

    2. Click Add and specify the OWA domain for your hybrid server. For example, owa.contoso.com. Click OK.

    3. Verify that the external FQDN of your hybrid server is set as the common name. If it isn't, select the external FQDN entry and click Set as common name.

  7. On the Organization and Location page, provide the relevant information. Location-related settings apply to the location of your hybrid server. Then click Next.

  8. On the Certificate Configuration page, verify your settings and click New.

  9. On the Completion page, click Finish.

  10. Submit the generated request to a trusted third-party CA. Because the request contains several host names, you must select a certificate type that allows for the number of domain names you specified in step 6 (a subject alternative name (SAN) certificate, which some CAs sell as a unified communications certificate). Follow the instructions from your CA to select and obtain a certificate.

  11. Save the certificate obtained from the CA on a network location accessible to your hybrid server.
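The same certificate request that the New Exchange Certificate wizard builds can be generated from the Exchange Management Shell on the hybrid server. The following script is an added example and is not part of the original article; the host names, organization details, friendly name and output path are assumptions for illustration and must be replaced with your own values.

```powershell
# Added example (not part of the original article): generate the hybrid server
# certificate request from the Exchange Management Shell. Every name below is an
# assumption taken from the examples in the procedure above.

# Every host name that clients, the cloud-based organization or the Exchange
# 2003 server connect to must be in the certificate, or TLS validation fails
# for that endpoint.
$externalFqdn = 'mail2.contoso.com'                 # common name
$domainNames  = @(
    'mail2.contoso.com',                            # OWA/EAS/EWS/Outlook Anywhere, Internet
    'Ex2010.corp.contoso.com',                      # OWA, intranet
    'autodiscover.contoso.com',                     # Autodiscover (long URL)
    'mail1.contoso.com',                            # legacy Exchange 2003 server
    'exchangedelegation.contoso.com',               # delegation domain (assumed)
    'owa.contoso.com'                               # OWA domain (assumed)
)
# Organization and Location page values (assumed)
$subjectName = "C=US,S=Washington,L=Redmond,O=Contoso Ltd,OU=IT,CN=$externalFqdn"
$requestPath = 'C:\CertRequests\HybridServer.req'   # assumed output path

# Set -PrivateKeyExportable to $true only if you intend to copy this certificate
# to other servers later; $false keeps the private key from being exported from
# this server's certificate store.
$request = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Contoso Hybrid Server' `
    -SubjectName $subjectName `
    -DomainName $domainNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

New-Item -ItemType Directory -Path (Split-Path $requestPath) -Force | Out-Null
Set-Content -Path $requestPath -Value $request      # Base64 request to submit to the CA

# The pending request appears in the store with Status PendingRequest and no
# services assigned. Note its thumbprint so you can match the CA's response to
# it when you import the issued certificate.
Get-ExchangeCertificate | Where-Object { $_.Subject -like "*CN=$externalFqdn*" } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint, Status, Services
```

The file written to $requestPath is what you submit to the CA in step 10. The request carries only the public key; the matching private key stays in the hybrid server's certificate store, which is why the issued certificate must be imported on the same server that generated the request.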

Learn more at: Understanding Digital Certificates and SSL

How do I import and configure the certificate?

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in Exchange and Shell Infrastructure Permissions.

After you have obtained a certificate, complete the following steps on the hybrid server to import your certificate and configure Exchange services to use the certificate for your hybrid deployment:

  1. In the console tree, click Server Configuration for the on-premises Exchange organization node.

  2. From the action pane, click Import Exchange Certificate to open the Import Exchange Certificate wizard.

  3. On the Introduction page, click Browse to select the file that contains the certificate to be used for the hybrid deployment, and then enter the password for the certificate.

  4. On the Exchange Server Selection page, select the on-premises hybrid server, and then click Next.

  5. On the Import Exchange Certificate page, verify that all previously selected options are correct, and then click Import.

  6. On the Completion page, verify that the certificate import was successful and click Finish.

  7. In the console tree, click Server Configuration for the on-premises Exchange organization node and then select the certificate you just imported.

  8. In the action pane, click Assign Services to Certificate to open the Assign Services to Certificate wizard.

  9. On the Select Servers page, select the on-premises hybrid server, and then click Next.

  10. On the Select Services page, use the check boxes in the Select Services section to choose the services you want to assign to your certificate. If you chose services during certificate creation, check boxes for these services will already be checked. You must, at a minimum, select Simple Mail Transfer Protocol (SMTP) and Internet Information Services (IIS). Click Next.

    Note:
    If the Overwrite the existing default SMTP certificate dialog appears, select Yes.
  11. On the Assign Services page, verify the configuration summary and click Assign.

  12. On the Completion page, verify that all the services were assigned correctly.
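The import and service assignment can also be done from the Exchange Management Shell, which makes it easier to check the certificate before any service is switched to it. The following script is an added example and is not part of the original article; the file paths and host names are assumptions for illustration.

```powershell
# Added example (not part of the original article): import the CA-issued
# certificate on the hybrid server and assign IIS and SMTP to it, with checks
# before services are switched. Paths and host names are assumptions.

$hybridServer = $env:COMPUTERNAME

# Case 1: the CA returned the issued certificate (.cer or .p7b) for the request
# generated on this server. Importing it completes the pending request and pairs
# the certificate with the private key already in the local store.
$issuedPath = 'C:\CertRequests\HybridServer.cer'    # assumed
$cert = Import-ExchangeCertificate -Server $hybridServer `
    -FileData ([Byte[]](Get-Content -Path $issuedPath -Encoding Byte -ReadCount 0))

# Case 2 (what the wizard's password prompt corresponds to): the certificate
# arrives as a password-protected .pfx that already contains the private key.
# Use this instead of case 1 when that is what you have.
# $pfxPath = 'C:\CertRequests\HybridServer.pfx'     # assumed
# $pfxPassword = Read-Host -AsSecureString 'PFX password'
# $cert = Import-ExchangeCertificate -Server $hybridServer `
#     -FileData ([Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
#     -Password $pfxPassword

# Refuse to assign services to a certificate that does not chain to a trusted
# root or that does not carry every name the hybrid configuration needs.
if ($cert.Status -ne 'Valid') {
    throw "Certificate $($cert.Thumbprint) has status $($cert.Status); fix this before assigning services."
}
$requiredNames = 'mail2.contoso.com', 'autodiscover.contoso.com', 'mail1.contoso.com'  # assumed
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($requiredNames | Where-Object { $certNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is missing names: $($missing -join ', ')"
}

# SMTP and IIS are the minimum the procedure requires. -Force suppresses the
# 'Overwrite the existing default SMTP certificate' prompt (the wizard's Yes),
# so the CA-issued certificate replaces the self-signed one for TLS.
Enable-ExchangeCertificate -Server $hybridServer -Thumbprint $cert.Thumbprint `
    -Services 'IIS,SMTP' -Force

Get-ExchangeCertificate -Server $hybridServer -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Services, NotAfter, Status
```

Assigning IIS and SMTP does not remove the self-signed certificate from the store; it only changes which certificate those services present. Keep the self-signed certificate until you have verified the new one is being used, then remove it with Remove-ExchangeCertificate if it is no longer assigned to any service.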

How do I know this worked?

The successful completion of the Import Exchange Certificate and the Assign Services to Certificate wizards will be your first indication that importing and assigning services to the certificate worked as expected.

To further verify that the certificate has been successfully imported, you can run the following command in the Exchange Management Shell on the hybrid server to view the certificates in the local certificate store, with the thumbprint, subject and the services (for example, IIS and SMTP) assigned to each.

Get-ExchangeCertificate
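Listing the certificates shows what is assigned, but not whether the assignment is correct or whether the HTTPS listener actually presents the new certificate. The following script is an added example and is not part of the original article; it checks that the certificate assigned to IIS and SMTP is CA-issued, valid, covers the hybrid host names, is not close to expiry, and is the certificate presented on port 443. The host names and the expiry warning window are assumptions.

```powershell
# Added example (not part of the original article): verify the certificate the
# hybrid server uses for IIS and SMTP. Host names and $warnDays are assumptions.

$externalFqdn  = 'mail2.contoso.com'
$requiredNames = 'mail2.contoso.com', 'autodiscover.contoso.com', 'mail1.contoso.com'
$warnDays      = 30

# The certificate assigned to both IIS and SMTP on this server
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Services -match 'SMTP' } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate has both IIS and SMTP assigned.' }

$problems = @()
if ($cert.IsSelfSigned)       { $problems += 'certificate is self-signed; clients and the cloud will not trust it' }
if ($cert.Status -ne 'Valid') { $problems += "status is $($cert.Status)" }
if ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) { $problems += "expires $($cert.NotAfter)" }

# Name coverage: exact SAN match, or a wildcard entry covering exactly one label
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
foreach ($name in $requiredNames) {
    $covered = $certNames -contains $name
    if (-not $covered) {
        foreach ($entry in $certNames) {
            if ($entry.StartsWith('*.') -and ($name -like $entry) -and
                ($name.Split('.').Count -eq $entry.Split('.').Count)) { $covered = $true }
        }
    }
    if (-not $covered) { $problems += "name $name is not covered by the certificate" }
}

# Does the HTTPS listener present this certificate? Run this where $externalFqdn
# resolves to the hybrid server itself (or substitute its internal name), since
# a load balancer or reverse proxy may present a different certificate.
$client = New-Object System.Net.Sockets.TcpClient($externalFqdn, 443)
# The callback accepts any chain; validation here is by thumbprint comparison below.
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($externalFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($presented.Thumbprint -ne $cert.Thumbprint) {
        $problems += "port 443 presents $($presented.Thumbprint), not assigned certificate $($cert.Thumbprint)"
    }
} finally {
    $ssl.Close()
    $client.Close()
}

if ($problems.Count -gt 0) {
    Write-Warning ("Certificate check failed:`n - " + ($problems -join "`n - "))
} else {
    Write-Host "Certificate $($cert.Thumbprint) is valid for hybrid use and is presented on port 443."
}
```

A mismatch on the port 443 check usually means IIS is still serving the previous certificate; restarting IIS (iisreset) after Enable-ExchangeCertificate clears that. The SMTP side can be checked the same way by opening a session to port 25 and issuing STARTTLS before AuthenticateAsClient, which this example leaves out.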

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service. Visit the forums at: Office 365 Forums