picture of tbs certificates
picture of tbs certificates
Our products range

Generate a CSR for Microsoft Exchange 2010 - 2013 - 2016 - 2019

Since Exchange 2010, Microsoft wanted all communications to be protected by SSL. Mission almost successful, and the server comes with a self-signed certificate.

For a normal functioning the self-signed certificate has to be replaced by a certificate recognized by web browsers and mobile platforms. You'll have to do the stocktaking of FQDN/SAN you'll need to smooth the services functioning with certificates.

You should look for:
  • the external and/or internal FQDN for Outlook Web Access
  • the external and/or internal FQDN for Exchange ActiveSync
  • the external and/or internal FQDN for Autodiscover, Outlook Anywhere, Web Services
  • the external and/or internal FQDN for POP, IMAP
  • the external and/or internal FQDN for Unified Messaging Server
  • the external and/or internal FQDN for Hub Transport Server
  • the external and/or internal FQDN for Federation Sharing
Warning: The use of certificates containing an internal name (xxx.local, yyy.priv, machine_name) or a domain not registered or not controlled by IANA is disapproved by the CA / Browsers Forum and is no longer accepted by any authority since November 1, 2015 (further information).

We recommend Multi-San certificates for this type of service to be secured, see our comparison table here: Comparison of server SSL certificates with SANs On Exchange 2010, the use of a Wildcard certificate is problematic for the activation of POP and IMAP services.

Once your needs are identified, follow the instructions below or use Microsoft new wizard in Exchange Management Console, at the Server Organization root, New Exchange Certificate.

1- Prepare your order

  • Make sure you are connected to your Exchange server as administrator.
  • Do not enter comma in the fields of your CSR (commas are interpreted as separators).
  • Use only the classic characters (letters from A to Z, numbers, hyphens) in site names. Do not use accents or ! @ # $ % ^ * ( ) ~ ? > < & / \

2- Generate your CSR

Since a Microsoft update and the disabling of UNC paths, you must use the Microsoft Exchange command prompt.

Microsoft Exchange Command Prompt

  • Launch cmdlet New-ExchangeCertificate (in the powershell)

  • Generate a CSR with the following command by adapting it to your organization's coordinates. Put the main (official) name of your server in CN=
    First of all launch the following command line:
    $Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=FR, O=Mon entreprise SARL, L=Lyon, ST=Rhone," -privatekeyexportable:$true

    You can also use our tool to generate the command line: CSR Creation Assistance

    This command will store your CSR in a $Data variable

  • They, we export the CSR to a file using the following command:
    Set-Content -path "C:\" -Value $Data
  • It is not necessary (we advise against it) to include the other SANs of the future certificate, you will do it on our web form

3- Finalize the order process

  • Place your request on our website using the appropriate link. See Access an order form

  • Copy/paste the CSR file content in the form.

In case of a renewal

Warning: if you wish to renew your certificate, we advise you not to use the "Renew" or "Renewal" function of the Exchange administration console (EMC). Indeed, this function is problematic since it generates CSR in binary format which is not compatible with the standard text format X509 used by most suppliers. See Renew a certificate with Exchange 2010

Useful links