Generate a CSR for Microsoft Exchange 2010 - 2013 - 2016

In Exchange 2010, Microsoft wanted all communications to be secured by SSL. It is a quasi-complete success, and the server is delivered with a self-signed certificate.

For normal operation, the self-signed certificate has to be replaced by a certificate recognized by web browsers and mobile platforms. You'll have to take an inventory of the FQDNs/SANs you'll need so that the services work smoothly with certificates.

Look for:
  • the external and/or internal FQDN for Outlook Web Access
  • the external and/or internal FQDN for Exchange ActiveSync
  • the external and/or internal FQDN for Autodiscover, Outlook Anywhere, Web Services
  • the external and/or internal FQDN for POP, IMAP
  • the external and/or internal FQDN for Unified Messaging Server
  • the external and/or internal FQDN for Hub Transport Server
  • the external and/or internal FQDN for Federation Sharing
Warning: Using certificates with internal names (xxx.local, yyy.priv, machine_name) or a domain that is not registered or controlled by IANA is disapproved by the CA/Browser Forum and won't be accepted anymore by November 2015.

Once your needs are identified, follow the instructions below or use Microsoft's new wizard in the Exchange Management Console: at the Server Organization root, New Exchange Certificate.

1- Prepare your order

  • Make sure you are connected to your Exchange server as administrator.
  • Do not enter commas in the fields of your CSR (commas are interpreted as separators).
  • Only use standard characters (letters from A to Z, numbers, dash) in your websites' names. Do not use accents or ! @ # $ % ^ * ( ) ~ ? > < & / \
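
A pre-flight check for the name inventory and the field rules above, as an added example that is not part of the original page: it flags internal names (.local, .priv, single-label machine names), characters outside letters, digits and dash, and commas in subject values. The function names and every sample value are assumptions constructed for illustration; only built-in PowerShell is used, so it runs without the Exchange cmdlets.

```powershell
# Added example, not from the original page. Function names are hypothetical.
function Test-CsrName {
    param([Parameter(Mandatory=$true)][string]$Name)

    $issues = @()
    $labels = @($Name.Split('.'))

    # Each dot-separated label may contain only A-Z, digits and dash.
    foreach ($label in $labels) {
        if ($label -cnotmatch '^[A-Za-z0-9-]+$') {
            $issues += "label '$label' has a non-standard character"
        }
    }

    # A name without a dot is a machine name; .local and .priv are the
    # internal suffixes cited in the warning. Extend the list as needed.
    if ($labels.Count -lt 2) {
        $issues += 'single-label machine name (internal)'
    } elseif (@('local', 'priv') -contains $labels[-1]) {
        $issues += "internal suffix .$($labels[-1])"
    }

    New-Object PSObject -Property @{
        Name = $Name; Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ')
    } | Select-Object Name, Ok, Issues
}

function Test-CsrSubjectField {
    param([Parameter(Mandatory=$true)][string]$Field,
          [Parameter(Mandatory=$true)][string]$Value)

    # A comma inside a value would be read as a separator between fields.
    New-Object PSObject -Property @{
        Field = $Field; Ok = (-not $Value.Contains(',')); Value = $Value
    } | Select-Object Field, Ok, Value
}

# Constructed inventory: two clean names, three that should be reported.
$names = 'mail.example.com', 'autodiscover.example.com',
         'exch01.corp.local', 'EXCH01', 'owa_ext.example.com'
$names | ForEach-Object { Test-CsrName -Name $_ } | Format-Table -AutoSize

# Constructed subject values; L deliberately contains a comma.
$subject = @{ O = 'My company SARL'; L = 'Lyon, France'; ST = 'Rhone'; C = 'FR' }
$subject.GetEnumerator() |
    ForEach-Object { Test-CsrSubjectField -Field $_.Key -Value $_.Value } |
    Format-Table -AutoSize
```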

2- Generate your CSR

  • Run the New-ExchangeCertificate cmdlet (in PowerShell)
  • Generate a CSR with the following command, filled in with your information. Put the main name of your server in CN=
    N.B.: the following instruction has to be executed as a single command line.
  • New-ExchangeCertificate -GenerateRequest -SubjectName 
      "C=FR, O=My company SARL, L=Lyon, ST=Rhone," 
      -privatekeyexportable:$true -Path C:\
  • It is not necessary (in fact, we advise against it) to include the other SANs of the certificate here; you'll do that on our web form.

<< A positional parameter cannot be found that accepts argument -Path >>

This message can be displayed on some Exchange versions. In that case, you can run the command without the -Path argument, or split it into 2 commands:
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName 
  "C=FR, O=My Organization, L=Lyon, ST=Rhone," 

Set-Content -path "C:\" -Value $Data

3- Finalize the order process

  • Place your request on our website using the appropriate link. See Access an order form
  • Copy/paste the CSR file content in the form.

In case of a renewal

If you want to renew your SSL certificate with Exchange 2010, avoid the "Renew" function of the Exchange 2010 management console (EMC): it generates a CSR in a binary format that is not compatible with the standard X509 text format used by almost all suppliers. See Renew a certificate with Exchange 2010


