Zedan IT Blog

IT definitions, discussions and more

Certificates for Exchange 2010 using internal CA

If you need to install an internal certificate server to create certificates for Exchange 2010, remember to add SAN (Subject Alternative Name) support to the certificate server. Exchange needs it, and it solves the problem of the certificate disappearing from Exchange 2010 after you import it.

Install the Certificate Server. In Windows 2008, from Server Manager > Roles > Add New Role.

On the next screen (Before You Begin) click Next, then on the Server Roles screen select “Active Directory Certificate Services”.

Click Next, Next. On the “Select Role Services” screen, select “Certification Authority” and “Certification Authority Web Enrollment”.

If your server doesn’t have IIS installed, setup will tell you it will install it for you. Click “Add Required Role Services”, then click Next.

On the Setup Type screen, select “Enterprise”, click Next.

On “Specify CA Type”, select “Root CA”, click Next.

On “Set Up Private Key”, select “Create a new private key”, click Next.

On “Configure Cryptography for CA”, leave the default options, click Next.

On “Configure CA Name”, leave the defaults, click Next.

On the “Validity Period” screen, select how many years until the CA certificate expires, or leave the default of 5 years, then click Next.

On the Certificate Database Location screen, leave the defaults, then click Next.

On IIS installation, click Next.

On the Role Services screen, you can add more services to IIS or leave the defaults and click Next.

On the “Confirmation” page, setup warns you that the domain name and settings cannot be changed after you install the Certificate Authority. If you do not intend to change your domain or settings later, click Install.

Setup will begin installation.

When installation is completed, click Close.

Then you need to add SAN support to your Certificate Authority. SAN stands for Subject Alternative Name; it lets one certificate cover more than one server name, e.g. mail.company.com, exch.company.com, Exchange01, and so on.

To add SAN support, open an elevated Command Prompt on the CA and run the following command (the plus sign adds the flag to the existing EditFlags value):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Then restart the Certificate Service by issuing the following two commands in the Command Prompt:

net stop certsvc
net start certsvc
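As an added example (not from the original post), here is a PowerShell check to run on the CA that confirms the flag is really set, restarts the service only when a change was made, and then shows who can enroll the Web Server template. It assumes an elevated PowerShell 2.0+ prompt on the CA and the default template name WebServer; the flag makes the CA honour a SAN supplied with a request on any template, so the template's Enroll permissions decide who can obtain a certificate for a name of their choosing.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell (2.0+) prompt on the CA.
# certutil -getreg decodes the EditFlags value and prints the name of every flag that is set.
function Test-SanAttributeFlag {
    $text = (certutil -getreg policy\EditFlags 2>&1) -join "`n"
    return [bool]($text -match 'EDITF_ATTRIBUTESUBJECTALTNAME2')
}

if (Test-SanAttributeFlag) {
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is already set; nothing to change, no restart needed.'
} else {
    # '+' adds the flag to the existing EditFlags value; '-' in the same position would remove it.
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }

    # The policy module reads EditFlags only at service start, so the change needs a restart
    # (the same thing the net stop / net start pair above does).
    Restart-Service -Name CertSvc
    (Get-Service -Name CertSvc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    if (-not (Test-SanAttributeFlag)) { throw 'Flag not reported after restart; inspect certutil -getreg policy\EditFlags' }
    Write-Host 'SAN request-attribute support enabled and CertSvc restarted.'
}

# The flag applies to every template the CA issues, so a SAN supplied with a request is honoured
# for anyone who can enroll. Review the Enroll entries on the Web Server template used in this post
# and keep them limited to the Exchange servers and the administrators who request certificates.
# Assumption: the template's internal name is WebServer (the default for "Web Server").
certutil -v -template WebServer | Select-String -Pattern 'Enroll'
```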


Now go to your Exchange server, open the Exchange Management Console and, under Server Configuration, click “New Exchange Certificate”.

Enter a name for your certificate, then click Next.

Leave “Enable Wildcard Certificate” unchecked, then click Next.

Select the services that Exchange will handle. This determines the names that will be added to the certificate.

The wizard then displays the domain names that will be added to the certificate. In this example I assume the following names for the Exchange server:

Server Name: EXCHANGE01

Internet name: mail.company.com

Intranet name: Exchange01.company.com

You can add additional domain names by clicking the green plus sign (Add…). When finished, click Next.

Enter the organization and location data, and specify where the certificate request will be saved (here, C:\).

Click Next, then click New.

Exchange will start creating the certificate request.

When completed, click Finish.

Open the CA web page in a browser, for example http://localhost/CertSrv if you are opening it from the CA itself, then click the “Request a Certificate” link.

Then click “Advanced Certificate Request”.

Then click “Submit a Certificate Request”.

Open the certificate request file you created in Exchange with Notepad (in our example it was C:\Cert1.req) and select all the text.

Paste the text into the web page, select “Web Server” from the Certificate Template list, then click Submit.

Select Base 64 Encoded, then click “Download Certificate Chain”. Save the certificate to your local disk.

On the Exchange server:

Click Start, type MMC, then press Enter.

An empty console opens. From the File menu, select Add/Remove Snap-in.

Add the Certificates snap-in, select Computer Account, select Local Computer, click Finish, then click OK.

Under Trusted Root Certification Authorities, right-click Certificates and import the certificate chain we downloaded from the CA.

In the Exchange Management Console, click Server Configuration, select the Exchange certificate we requested, then click Complete Pending Request.

Select the certificate we downloaded from the CA, then click Complete.

Right-click the certificate and select Assign Services to Certificate.
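The same request, issue, complete and assign sequence done from the Exchange Management Shell instead of the wizards, as an added example that is not part of the original post, with a final check that every requested name actually came back in the issued certificate's SAN (the symptom behind the "disappearing certificate" problem is a certificate that does not match its request). Assumptions: it runs in the Exchange Management Shell on EXCHANGE01, the CA is reachable as the placeholder "CA01.company.com\Company-CA", the template's internal name is WebServer, and C:\Cert1.req / C:\Cert1.cer are the request and issued certificate files.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the Exchange server.
# Placeholders: CA config string 'CA01.company.com\Company-CA', template name WebServer.
$names = 'mail.company.com', 'Exchange01.company.com', 'EXCHANGE01'

# 1. Generate the request. The private key stays on the Exchange server; only the PKCS#10 text leaves it.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Company, cn=mail.company.com' `
    -DomainName $names -PrivateKeyExportable $true -FriendlyName 'Exchange 2010 internal'
Set-Content -Path 'C:\Cert1.req' -Value $req

# 2. Submit to the enterprise CA with the Web Server template (replaces the CertSrv web pages).
certreq -submit -attrib 'CertificateTemplate:WebServer' -config 'CA01.company.com\Company-CA' `
    'C:\Cert1.req' 'C:\Cert1.cer'
if ($LASTEXITCODE -ne 0) { throw "certreq returned $LASTEXITCODE; check Pending/Failed Requests on the CA" }

# 3. Complete the pending request (pairs the issued certificate with the stored private key)
#    and assign the services, the same as "Assign Services to Certificate" in the console.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\Cert1.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Confirm:$false

# 4. Verify the SANs. A name missing here means clients using that name get a name-mismatch
#    error, or Exchange falls back to a different certificate for the service.
$issued = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $names | Where-Object { $issued.CertificateDomains -notcontains $_ }
if ($missing) { throw "Issued certificate lacks SAN entries: $($missing -join ', ')" }
$issued | Format-List Thumbprint, CertificateDomains, Services, NotAfter, Issuer
```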


Importing the root certificate into computers. For computers in your domain, follow these steps:

On your domain controller, start the Group Policy Management Console (Start menu, type gpmc.msc, press Enter).

Either create a new group policy or use the Default Domain Policy to deploy it to every system.

Right-click the policy of your choice, select Edit…, and go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

Right-click Trusted Root Certification Authorities and choose Import…

In the import wizard, browse to the root certificate we created earlier.


If you have computers that are not members of the domain, you can import the certificate manually. For Windows 7:

Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and pressing Enter.

Under Trusted Root Certification Authorities, right-click the Certificates folder and select Import.

Import the certificate we created earlier.
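For the non-domain case, here is an added example (not from the post) that exports the root CA certificate, imports it into the machine-wide Trusted Root store rather than the current user's, and then confirms that the Exchange certificate chains to it the way a client would check. Assumptions: an elevated PowerShell prompt; C:\RootCA.cer was produced on the CA and copied over; C:\Cert1.cer is the issued Exchange certificate.

```powershell
# Added example, not part of the original post. Run elevated on the client being trusted.

# On the CA itself, certutil -ca.cert writes the CA's own certificate; copy the file to the client:
#   certutil -ca.cert C:\RootCA.cer

# certmgr.msc edits the current user's store; certutil -addstore Root (run elevated) writes to
# the machine store, which is what services and other users' logons check.
# (Windows 7 has no Import-Certificate cmdlet, so certutil is used here.)
certutil -addstore -f Root 'C:\RootCA.cer'
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\RootCA.cer'
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inStore) { throw 'Root certificate is not present in the machine Trusted Root store.' }

# Build the chain for the Exchange certificate as a client would. Revocation checking is turned off
# here because an internal CA's CRL distribution point is usually unreachable from outside the domain;
# a client that can reach it should leave the default (Online) mode.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Cert1.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK: $($chain.ChainElements.Count) element(s), trusted root = $($last.Subject)"
} else {
    # UntrustedRoot here means the import above did not land in the store this account checks.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```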


I hope this gave you a brief idea of setting up an internal CA to issue certificates for your Exchange server.

9 responses to “Certificates for Exchange 2010 using internal CA”

  1. Jon Redwood 08/01/2014 at 4:48 PM

    Why do you import it into the trusted root certificate store? It will be trusted anyway as the Domain CA root certificate should already be in there!

  2. Alexey 25/04/2014 at 7:26 AM

    Thank you, very useful information. It helped me install and configure a cert for my MS Exchange.

  3. HappyDays 07/07/2014 at 1:35 AM

    Thank you. Worked like a charm. Choosing “web server” as a template and “download certificate chain” were the pieces I was missing.

  4. Pingback: Mail Server | Nkhuong90.wordpress.com

  5. kanta prasad 06/12/2015 at 4:02 PM

    Super Efforts and even very nicely presented.

  6. hyperlite1215 24/08/2016 at 4:13 PM

    Gold! Every post should be laid out this nice.

  7. Jerome 20/09/2016 at 10:42 PM

    Great Post!!! If you are using Windows 2008 R2, you must go into IIS, CertSrv, Authentication and disable Anonymous, or else the advanced certificate request will not come up.
