Exchange 2010 – Certificates for Client Access

How Certificates are Used

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are methods for securing communications between servers and between a client and a server. For a Microsoft Exchange Server 2010 Client Access server, SSL is used to help secure communications between the server and clients, whilst TLS is used to secure communications between Exchange Servers.  SSL and TLS require the use of digital certificates.

Types of Certificates

Certificates can be broken down into three types:

•Self Signed. When you install Exchange 2010, a self-signed certificate is automatically configured. A self-signed certificate is signed by the application that created it. A Self signed certificate will not be trusted by other computers.
•Windows Public Key Infrastructure (PKI).  Organisations can deploy their own PKI infrastructure.  If it is domain-joined then certificates issued can be trusted automatically by domain-joined computers.
•Trusted Third-Party. Third-party or commercial certificates are certificates that are generated by a third-party or commercial CA and then purchased for use on your network servers.  Microsoft maintain a list of recommended Unified Communications Certificate Partners at

Subject Alternate Names (SAN) Certificates

Most organisations will want to access their Exchange services using more than one name, to allow this, the certificate used will need to support these names. Wildcard certificates can be used to provide this, however Microsoft recommend the use of SAN certificates.

Planning Names

Any name that will be used to access the Exchange server when using SSL or TLS should be included on the certificate.  These should include:

•Internal Names of the servers, e.g. and
•The Autodiscover name, e.g.
•The name used for external client access, e.g. or

If you are upgrading your organisation from a previous version of Exchange, or support multiple domain names then additional names will be required on the SSL certificate.

Installing Certificates

The process for installing certificates is:

1.Request.  Use the Exchange Certificate Wizard to produce the request file with the correct names in. This request should then be presented to the chosen Certificate Authority who will issue the Certificate.
2.Complete. This can also be done using the Exchange Management Console and will install the issued certificate onto the server.
3.Assign Services.  As it is possible for an Exchange server to have more that one SSL/TLS certificate therefore we need to configure which certificate will be used by which service.
4.Export.  If you have more than one Client Access Server, or wish to use the same certificate on your HTTP proxy (e.g. Microsoft ISA server or Threat Management Gateway) then you will need to Export the Certificate and import it onto those servers.