Create an Exchange Server certificate request for a certification authority

Creating a certificate request is the first step in installing a new certificate on an Exchange server to configure Transport Layer Security (TLS) encryption for one or more Exchange services. You use a certificate request (also known as a certificate signing request or CSR) to obtain a certificate from a certification authority (CA). The procedures are the same for obtaining certificates from an internal CA (for example, Active Directory Certificate Services), or from a commercial CA. After you create the certificate request, you send the results to the CA, and the CA uses the information to issue the actual certificate, which you install later.

You can create certificate requests in the Exchange admin center (EAC) or in the Exchange Management Shell. The New Exchange certificate wizard in the EAC can assist you in selecting the host names that are required in the certificate.

What do you need to know before you begin?

  • You need to be assigned permissions before you can perform this procedure or procedures. For more information on the permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions article.

  • Estimated time to complete: 5 minutes to complete the new certificate request. However, more time is required before the request leads to issuance of a certificate. For more information, see Next steps.

  • You need to plan carefully to choose the type of certificate that you want, and the host names that are required in the certificate. For more information, see Digital certificates and encryption in Exchange Server.

  • Verify the certificate request requirements of the CA. Exchange generates a PKCS #10 request (.req) file that uses Base64 (default) or Distinguished Encoding Rules (DER) encoding, with an RSA public key that's 1024, 2048 (default), or 4096 bits. Encoding and public key options are only available in the Exchange Management Shell. For more information, see New-ExchangeCertificate.

  • In the EAC, you need to store the certificate request file on a UNC path (\\<Server>\<Share>\ or \\<LocalServerName>\c$\). In the Exchange Management Shell, you can specify a local path.

  • To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • For more information about keyboard shortcuts that may apply to the procedures in this article, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the EAC to create a new certificate request

Note

ECP certificate request has been deprecated in Exchange 2019 CU12 and higher and in Exchange 2016 CU23 and higher.

  1. Open the EAC and navigate to Servers > Certificates.

  2. In the Select server drop-down list, select the Exchange server where you want to install the certificate, and then select Add Add icon..

The New Exchange certificate wizard opens.

  1. On the This wizard will create a new certificate or a certificate request file page, verify that Create a request for a certificate from a certification authority is selected, and then select Next.

    Note

    To create a new self-signed certificate, see Create a new Exchange Server self-signed certificate.

  2. On the Friendly name for this certificate page, enter a descriptive name for the certificate, and then select Next.

  3. On the Request a wildcard certificate page, make one of the following choices:

    • If you want a wildcard certificate: Select Request a wildcard certificate, and enter the wildcard character (*) and the domain in the Root domain box, for example, *.contoso.com or *.eu.contoso.com. When you're finished, select Next.
    • If you want a subject alternative name (SAN) certificate: Make no selections on this page, and select Next.
    • If you want a certificate for a single host: Make no selections on this page, and select Next.
  4. In the Store certificate request on this server page, select Browse and select the Exchange server where you want to store the certificate request (where you want to install the certificate). Then, select OK and Next.

    Note

    Steps 7 and 8 only apply to a request for a SAN certificate, or a certificate for a single host. If you selected Request a wildcard certificate, skip to Step 9.

The Specify the domains you want to be included in your certificate page appears. This page is basically a worksheet that helps you to determine the internal and external host names that are required in the certificate for the following Exchange services:

  • Outlook on the web
  • Offline address book generation (OAB)
  • Exchange Web Services
  • Exchange ActiveSync
  • Autodiscover
  • POP
  • IMAP
  • Outlook Anywhere
  1. Enter a value for each service based on the location (internal or external). Then, the wizard determines the host names that are required in the certificate, and the information is displayed on the next page.

  2. If you want to modify a value for a service, select Edit (Edit icon.) and enter the host name value that you want to use (or delete the value). When you're finished, select Next.

    Note

    If you've already determined the host name values that you need in the certificate, you don't need to fill out the information on this page. Instead, select Next to manually enter the host names on the next page.

The Based on your selections, the following domains will be included in your certificate page appears. This page lists the host names that will be included in the certificate request. The host name that's used in the certificate's Subject box is bold, which can be hard to see if that host name is selected.

  1. Verify the host name entries that are required in the certificate by referring to the selections that you made on the previous page.

    If you don't want to consider this list of host names for inclusion in the certificate request, go to Step 10.

  2. Ignore the values from the last page and add, edit, or remove host name values by performing the following steps: a. If you want a SAN certificate: To select the host name for the certificate's Subject field, select the value and select Set as common name (check mark). The value should now appear bold. b. If you want a certificate for a single host name: Select the other values one at a time and select Remove (Remove icon.).

    Note

    You can't delete the bold host name value that will be used for the certificate's Subject box. First, you need to select or add a different host name, and then check the Set as common name box. The changes that you make on this page might be lost if you select the Back button.

  3. On the Specify information about your organization page, enter the following values:

  • Organization name
  • Department name
  • City/Locality
  • State/Province
  • Country/Region name

Note

These X.500 values are included in the certificate's Subject box. Although a value is required in every field before you can proceed, the CA might not care about certain fields (for example, Department name), while other fields are important (for example, Country/Region name and Organization name). Check the Subject box requirements of your CA.

  1. When you're finished, select Next.

  2. On the Save the certificate request to the following file page, enter the UNC path and filename for the certificate request, for example, \\FileServer01\Data\ExchCertRequest.req. When you're finished, select Finish.

The certificate request appears in the list of Exchange certificates with a status value of Pending. For more information on the next steps, see Next steps section.

Use the Exchange Management Shell to create a new certificate request

To create a new request for a wildcard certificate, a SAN certificate, or a certificate for a single host, use the following syntax:

  • If you need to send the content of the certificate request file to the CA, use the following syntax to create a Base64 encoded request file:

    $txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest [-FriendlyName <DescriptiveName>] -SubjectName C=<CountryOrRegion>[,S=<StateOrProvince>,L=<LocalityOrCity>,O=<Organization>,OU=<Department>],CN=<HostNameOrFQDN> [-DomainName <Host1>,<Host2>...] [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
    [System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
    
  • If you need to send the certificate request file to the CA, use the following syntax to create a DER encoded request file:

    $binrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -BinaryEncoded [-FriendlyName <DescriptiveName>] -SubjectName C=<CountryOrRegion>[,S=<StateOrProvince>,L=<LocalityOrCity>,O=<Organization>,OU=<Department>],CN=<HostNameOrFQDN> [-DomainName <Host1>,<Host2>...] [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
    [System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.pfx', $binrequest.FileData)
    

Note

The only required part of the X.500 SubjectName parameter value (the certificate's Subject box) to run the command is CN=<HostNameOrFQDN>. But, you should always include the C=<CountryOrRegion> value. Otherwise, you might not be able to renew the certificate. Check the Subject box requirements of your CA. If you don't use the KeySize parameter, the certificate request has a 2048-bit RSA public key. If you don't use the Server parameter, the command is run on the local Exchange server.

For detailed syntax and parameter information, see New-ExchangeCertificate.

Wildcard certificate request

These examples create certificate request files for wildcard certificates with the following properties:

  • SubjectName: *.contoso.com in the United States, which requires the value C=US,CN=*.contoso.com.
  • RequestFile: \\FileServer01\Data\Contoso Wildcard Cert.<cer or pfx>
  • FriendlyName: Contoso.com Wildcard Cert

To create a Base64 encoded request file for the wildcard certificate, run the following command:

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Contoso.com Wildcard Cert" -SubjectName "C=US,CN=*.contoso.com"
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso Wildcard Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

To create a DER encoded request file for the wildcard certificate, run the following command:

$binrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -BinaryEncoded -FriendlyName "Contoso.com Wildcard Cert" -SubjectName "C=US,CN=*.contoso.com"
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso Wildcard Cert.pfx', $binrequest.FileData)

SAN certificate request

These examples create certificate request files for SAN certificates with the following properties:

  • SubjectName: mail.contoso.com in the United States, which requires the value C=US,CN=mail.contoso.com. This CN value is automatically included in the DomainName parameter (the Subject Alternative Name field).
  • Other Subject Alternative Name field values:
    • autodiscover.contoso.com
    • legacy.contoso.com
    • mail.contoso.net
    • autodiscover.contoso.net
    • legacy.contoso.net
  • RequestFile: \\FileServer01\Data\Contoso SAN Cert.<cer or pfx>
  • FriendlyName: Contoso.com SAN Cert
  • DomainName: Unquoted comma-separated list of domains

To create a Base64 encoded request file for the SAN certificate, run the following command:

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Contoso.com SAN Cert" -SubjectName "C=US,CN=mail.contoso.com" -DomainName autodiscover.contoso.com,legacy.contoso.com,mail.contoso.net,autodiscover.contoso.net,legacy.contoso.net
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso SAN Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

To create a DER encoded request file for the SAN certificate, run the following command:

$binrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -BinaryEncoded -FriendlyName "Contoso.com SAN Cert" -SubjectName "C=US,CN=mail.contoso.com" -DomainName autodiscover.contoso.com,legacy.contoso.com,mail.contoso.net,autodiscover.contoso.net,legacy.contoso.net
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Contoso SAN Cert.pfx', $binrequest.FileData)

Single subject certificate request

These examples create certificate request files for single subject certificates with the following properties:

  • SubjectName: mail.contoso.com in the United States, which requires the value C=US,CN=mail.contoso.com.
  • RequestFile: \\FileServer01\Data\Mail.contoso.com Cert.<cer or pfx>
  • FriendlyName: Mail.contoso.com Cert

To create a Base64 encoded request file for the single subject certificate, run the following command:

$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -FriendlyName "Mail.contoso.com Cert" -SubjectName "C=US,CN=mail.contoso.com"
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Mail.contoso.com Cert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

To create a DER encoded request file for the single subject certificate, run the following command:

$binrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest -BinaryEncoded -FriendlyName "Mail.contoso.com Cert" -SubjectName "C=US,CN=mail.contoso.com"
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Mail.contoso.com Cert.pfx', $binrequest.FileData)

How do you know these commands worked?

To verify that you've successfully created a new certificate request, perform either of the following steps:

  • In the EAC at Servers > Certificates, verify whether the server where you stored the certificate request is selected. The request should be in the list of certificates with the Status parameter's value set as Pending request.

  • In the Exchange Management Shell on the server where you stored the certificate request, run the following command:

    Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
    

Next steps

The content of a Base64 encoded certificate request file looks like the example described below:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEBjCCAu4CAQAwYzEWMBQGA1UEAwwNKi5jb250b3NvLmNvbTELMAkGA1UECwwC
SVQxEDAOBgNVBAoMB0NvbnRvc28xEDAOBgNVBAcMB1NlYXR0bGUxCzAJBgNVBAgM
AldBMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANZFK6JxcQMEBitJcEC82vCvr6251o28CMmrpIkl7Z0MnkCrU+BMTLBuZnIgaLvb
jlzORvH6DP/dbyR8gQEAHVrXVWdr3AJIRbqQXWwN++BM5b2O6lIrA8w41XwGNu6r
dtddi+POf8UYwot7PXw6wDsbKaTs1ePVK/0XdemdJCFIXNfCT8LY4p/KryQAyquo
XDa+Acbx7TRxG2kXNAxgPGve+mvyCyizbugXAJIz4nugJ2k/X1kGYDc7f/b80tCv
bPTcGCr09ScsbKmsQcqJ7UxiX2tScpO5AQxNxJHGL+bA6+96FBjPnFZaqPbFgI74
N6hmZdSEDgQlaGfLEGjZBGMCAwEAAaCCAVwwGgYKKwYBBAGCNw0CAzEMFgo2LjEu
NzYwMS4yMEwGCSqGSIb3DQEJDjE/MD0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFNRw1o74zcuGyky33rl7WChgdQrlMHIGCisGAQQBgjcN
AgIxZDBiAgEBHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEA
bgBuAGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkA
ZABlAHIDAQAwfAYJKwYBBAGCNxUUMW8wbQIBBQwrRVhIUi0zMjQ4LkVYSFItMzI0
OGRvbS5leHRlc3QubWljcm9zb2Z0LmNvbQwXRVhIUi0zMjQ4RE9NXEVYSFItMzI0
OCQMIk1pY3Jvc29mdC5FeGNoYW5nZS5TZXJ2aWNlSG9zdC5leGUwDQYJKoZIhvcN
AQEFBQADggEBAL63qVj1m2mBz53+nilnlFweOlcltXoxaF28+Kf0hrJVbH5a2Jme
tS0iKU8YXU3mZ3NnWco+5ea024f9awMIzg4z/heE5yEUFf9UtwRGSOc84r2QexPa
zT/rveTTcbliKU0EFhporl3C2uuBCdAewyLj+/k0hABH3djnmMONG6NyC5f+wMun
kkH5naiSLdsTYbq8jkWYuSqL0qdhtmauqWeAPpA0hKDkQk5eDWpOGx3mgxiaQumo
Rqw6dmQ+o8TC+lE3Tvgdfv47A84X8H7Y9h8liS4h0OfbsgEQb8LcM0YHD6yvPgcD
JCmt8A7JFHF9u6mghjiKlXaZ/i+2l10Wsu8=
-----END NEW CERTIFICATE REQUEST-----

You need to send this information to the CA. How you send it depends on the CA, but typically, you send the contents of the file in an email message or in the certificate request form on the CA's website.

If the CA requires a binary certificate request that's encoded by DER (you used the New-ExchangeCertificate cmdlet with the BinaryEncoded switch), you typically send the whole certificate request file to the CA.

After you receive the certificate from the CA, you need to complete the pending certificate request. For more information, see Complete a pending Exchange Server certificate request.