Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-03-20

This topic describes how to obtain a server certificate from a certification authority (CA). Obtaining a server certificate from a certification authority is one step in configuring Secure Sockets Layer (SSL) or Transport Layer Security (TLS). You can obtain server certificates from a third-party CA. A third-party CA may require that you provide proof of identity before a certificate is issued. You can also issue your own server certificates by using an online CA, such as Microsoft Certificate Services. 

For more information about server certificates, see the Microsoft Windows Server 2003 IIS documentation.

Microsoft Exchange Server 2007 includes a default self-signed Secure Sockets Layer (SSL) certificate. You can replace this certificate with a third-party certificate from a certification authority. To do this, you must first delete the self-signed certificate. For more information about how to replace the self-signed certificate, see How to Install an SSL Certificate on a Client Access Server.

Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange View-Only Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Before you perform this procedure, you must read Managing Client Access Security.
As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".


To use the Exchange Management Shell to obtain a server certificate from a certification authority

  1. Run the following command:

    New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation" -domainname CAS01 -PrivateKeyExportable:$true -path c:\certrequest_cas01.txt

    This command will create a text file that contains a certificate request in PKCS#10 format.

  2. Use the procedures specified by your chosen CA to send the certificate request to the CA.
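
Before the request leaves the server in step 2, it is worth confirming that the file is a well-formed PKCS#10 request, that it contains no private key material, and that it lists the host names you intended. The following check is an added example, not part of the original topic; the function name Get-RequestDer is hypothetical, and the path is assumed to be the -path value from step 1.

```powershell
# Added example (not from the original topic).
# Assumption: $RequestPath is the file written by -path in step 1.
$RequestPath = 'c:\certrequest_cas01.txt'

function Get-RequestDer {
    param([string]$Path)

    if (-not (Test-Path $Path)) { throw "Request file not found: $Path" }
    $lines = @(Get-Content $Path)

    # A PKCS#10 request carries only the public key. Refuse to forward
    # a file that contains private key material by mistake.
    if (@($lines | Where-Object { $_ -match 'PRIVATE KEY' }).Count -gt 0) {
        throw "File contains a private key block; do not send it to the CA."
    }

    # Drop the -----BEGIN/END----- armor lines, if present, and decode the body.
    $body = @($lines | Where-Object { $_ -notmatch '^-----' })
    $der = [Convert]::FromBase64String([string]::Join('', [string[]]$body))

    # A DER-encoded CertificationRequest is an ASN.1 SEQUENCE (tag 0x30).
    if ($der.Length -lt 2 -or $der[0] -ne 0x30) {
        throw "Decoded data is not a DER SEQUENCE; the file is not a valid request."
    }
    return ,$der
}

$der = Get-RequestDer -Path $RequestPath
"Request decodes to {0} bytes of DER" -f $der.Length

# certutil.exe ships with Windows Server; -dump decodes the request so the
# subject, requested host names and key length can be compared with step 1.
$dump = certutil -dump $RequestPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $RequestPath" }
$dump

# Assumption: English-language certutil output labels. Adjust for other locales.
$dump | Select-String -Pattern 'DNS Name=', 'Public Key Length'
```

The private key generated by step 1 stays in the server's certificate store; only the request file is sent to the CA.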

For More Information

For more information about the procedures that you must follow to configure SSL for Outlook Web Access and Exchange ActiveSync, see the following topics.