picture of tbs certificates
picture of tbs certificates
Our products range

Generate a CSR for Microsoft Exchange 2010 - 2013 - 2016 - 2019

Since Exchange 2010, Microsoft wanted all communications to be protected by SSL. Mission almost successful, and the server comes with a self-signed certificate.

For a normal functioning the self-signed certificate has to be replaced by a certificate recognized by web browsers and mobile platforms. You'll have to do the stocktaking of FQDN/SAN you'll need to smooth the services functioning with certificates.

Look for:
  • the external and/or internal FQDN for Outlook Web Access
  • the external and/or internal FQDN for Exchange ActiveSync
  • the external and/or internal FQDN for Autodiscover, Outlook Anywhere, Web Services
  • the external and/or internal FQDN for POP, IMAP
  • the external and/or internal FQDN for Unified Messaging Server
  • the external and/or internal FQDN for Hub Transport Server
  • the external and/or internal FQDN for Federation Sharing
Warning: The use of certificates containing an internal name (xxx.local, yyy.priv, host_name) or a domain not registered or not controlled by IANA is disapproved by the CA / Browsers Forum and is no longer accepted by any authority since November 1, 2015 (further information).

We recommend Multi-San certificates for this type of service to be secured, see our comparison table here: Comparison of server SSL certificates with SANs On Exchange 2010, the use of a Wildcard certificate is problematic for the activation of POP and IMAP services.

Once your needs are identified, follow the instructions below or use Microsoft new wizard in Exchange Management Console, at the Server Organization root, New Exchange Certificate.

1- Prepare your order

  • Make sure you are connected to your Exchange server as administrator.
  • Do not enter comma in the fields of your CSR (commas are interpreted as separators).
  • Only use standard characters (letters from A to Z, numbers, dash) in your websites' names. Do not use accent nor ! @ # $ % ^ * ( ) ~ ? > < & / \

2- Generate your CSR

You have two options: either go through the Microsoft Exchange server wizard, or through the Microsoft Exchange command prompt.

Microsoft Exchange Assistant

  • Open the Exchange admin center

  • Go to Servers > Certificates

  • Select the concerned server and click on Add

  • The New Exchange Certificate wizard appears. Make sure that "Create a certificate request ..." is selected and click on Next

  • Give a descriptive name to your certificate in "Friendly name of this certificate"

  • If you want a wildcard certificate (recommended for this type of server), check the box offering this service. In the "Root domain" field, enter your wildcard followed by the desired domain. For example * or *

  • If you only want a CN, click on Next

  • Choose the server where the certificate request file (CSR) will be saved

  • If you did not choose the Wildcard option previously, choose the desired CN and delete the other possible choices. If you want to add SANs, this will be done directly in our order form

  • Fill in the information about your organization

  • Finally enter the UNC path to save the file with the default .req extension (you can change the extension if you wish)

  • Click on Finish. Your pending CSR will be displayed in the certificates menu.

  • By going to the place of registration of your CSR, open it with any text editor and copy paste the entire file into our order form

Microsoft Exchange Command Prompt

  • Launch cmdlet New-ExchangeCertificate (in the powershell)

  • generate a CSR with the following command adapting to your organization's contact details. Put the main (official) name of your server in CN =
    First of all launch the following command line:
    $Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=FR, O=Mon entreprise SARL, L=Lyon, ST=Rhone," -privatekeyexportable:$true

    You can also use our tool to generate the command line: CSR Creation Assistance

    This command will store your CSR in a $Data variable

  • They, we export the CSR to a file using the following command:
    Set-Content -path "C:\" -Value $Data
  • It is in no way necessary (we do not recommend) to include the other SANs of the future certificate, you will do so on our web form

3- Finalize the order process

  • Place your request on our website using the appropriate link. See Access an order form

  • Copy/paste the CSR file content in the form.

In case of a renewal

Warning: if you wish to renew your certificate, we advise you not to use the "Renew" or "Renewal" function of the Exchange administration console (EMC). Indeed, this function is problematic since it generates CSR in binary format which is not compatible with the standard text format X509 used by most suppliers. See Renew a certificate with Exchange 2010

Useful links