How to Generate a CSR in Microsoft Exchange?
To obtain an SSL/TLS certificate for securing Microsoft Exchange services such as Outlook on the web, Autodiscover, Exchange Web Services, ActiveSync, and SMTP, you need a Certificate Signing Request (CSR).
The CSR includes the public key associated with the server and information about the server, which a Certificate Authority (CA) uses to create a certificate that can be trusted by clients.
In Microsoft Exchange you can generate the CSR either through the Exchange Admin Centre (EAC) or via the Exchange Management Shell (EMS). This guide describes both procedures in a form that administrators and technical staff can follow step by step.
Prerequisites
Before you start to generate your CSR, please ensure that you meet the following requirements:
- You have Microsoft Exchange Server Version 2016, 2019, or Subscription Edition installed on a server on which a certificate has not already been issued.
- You have permission from your organisation to manage Exchange certificates.
- You have access to either the Exchange Admin Centre (EAC) or Exchange Management Shell (EMS).
- You have a fully qualified domain name (FQDN) assigned to the Exchange services.
- You have a UNC file path or local path where you want to save the CSR from your server.
- You know which hostnames are required for SAN or wildcard certificates.
- You are familiar with the basic administration of Microsoft Exchange.
Steps for Generating Certificate Signing Requests in Exchange Server
Method 1: Creating CSRs Using Exchange Admin Centre (EAC)
To create a CSR using Exchange Admin Centre (EAC), follow these steps:
- Open the Exchange Admin Centre (EAC).
- Go to Servers > Certificates.
- Choose the Exchange server you wish to install the certificate on.
- Click Add (+) to open the New Exchange Certificate Wizard.
- Select Create a request for a certificate from a certification authority.
- Type a recognisable name for your certificate.
- Choose the certificate type you wish to request:
- Wildcard
- Subject Alternative Name (SAN)
- Single Host
- Choose where you want to save the CSR on your Exchange server.
- Enter any hostnames you want included in the certificate (or leave as default).
- Decide which hostname to use as the Common Name (CN).
- Enter your organization information:
- Organization
- Department
- City / Locality
- State / Province
- Country / Region
- Enter the UNC Path and Filename to save the CSR (for example:
- Complete the wizard to generate your Certificate Request.
Upon completion, the CSR will show as a Pending Request in your Certificate list.
Method 2: Using the Exchange Management Shell (EMS)
If you prefer PowerShell, or need more control over how the CSR is encoded, the key size, and the number of SANs, use this method to generate your CSR.
Base64-encoded CSR example:
# Creates the key pair in the server's local certificate store and returns the request as Base64 text.
# -SubjectName is the distinguished name (CN = the primary hostname); -DomainName adds the SAN entries.
# Set -PrivateKeyExportable $True only if the issued certificate must later be exported to other servers.
$txtrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest `
    -SubjectName "C=US,CN=mail.contoso.com" `
    -FriendlyName "Exchange SAN Cert" `
    -DomainName autodiscover.contoso.com,mail.contoso.net `
    -KeySize 2048
# Write the text request to the share; the file contains no private key material.
[System.IO.File]::WriteAllBytes("\\FileServer01\Data\ExchangeCert.req",
    [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
DER-encoded CSR example:
# -BinaryEncoded returns an object whose FileData property holds the DER bytes instead of Base64 text.
$binrequest = New-ExchangeCertificate -PrivateKeyExportable $True -GenerateRequest `
    -BinaryEncoded `
    -FriendlyName "Exchange SAN Cert" `
    -SubjectName "C=US,CN=mail.contoso.com" `
    -DomainName autodiscover.contoso.com,mail.contoso.net `
    -KeySize 2048
# Despite the .pfx extension, this file holds only the DER-encoded request, not a PKCS #12 bundle.
[System.IO.File]::WriteAllBytes("\\FileServer01\Data\ExchangeCert.pfx",
    $binrequest.FileData)
Verify the CSR Creation
To confirm that the CSR was created successfully:
Using EAC:
- Go to Servers > Certificates.
- Select the Exchange server.
- Verify the request appears with the status Pending request.
Using EMS:
# Lists the pending request created by -GenerateRequest with the fields needed to identify it later.
Get-ExchangeCertificate |
    Where-Object { $_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false } |
    Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
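As an added example that is not part of the original guide, the following script combines Method 2 with the EMS verification above: it derives the SAN list from the URLs this server actually publishes, generates the request, writes it to a share, and stops with an error if the pending request does not cover every collected hostname. It is meant to run in the Exchange Management Shell on the target server; the distinguished name, the UNC path and the contoso.com names are placeholders.

```powershell
# Added example, not code from the original guide. Run in the Exchange Management
# Shell on the target server. $Subject, $OutFile and the contoso.com names are
# placeholders; replace them with your own values.
$Server  = $env:COMPUTERNAME
$Subject = "C=US,O=Contoso,CN=mail.contoso.com"   # placeholder distinguished name
$OutFile = "\\FileServer01\Data\$Server.req"       # placeholder UNC path

# 1. Collect every hostname clients are configured to use on this server, so the
#    SAN list comes from the live configuration rather than from memory.
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
$uris = @(foreach ($cmdlet in $vdirCmdlets) {
    & $cmdlet -Server $Server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
})
$uris += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
$sanNames = @($uris | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })
$sanNames += Get-OutlookAnywhere -Server $Server |
    ForEach-Object { "$($_.InternalHostname)".ToLower(), "$($_.ExternalHostname)".ToLower() }
$sanNames += 'autodiscover.contoso.com'   # placeholder: the public Autodiscover name is not stored in any URL
$sanNames = @($sanNames | Where-Object { $_ } | Sort-Object -Unique)

# 2. Generate the request. The private key stays non-exportable unless the issued
#    certificate must later be exported to other Exchange servers.
$request = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $false `
    -FriendlyName "Exchange SAN Cert $(Get-Date -Format yyyy-MM)" `
    -SubjectName $Subject -DomainName $sanNames -KeySize 2048
# The .req file carries only the public key and the names; the private key never leaves the local store.
[System.IO.File]::WriteAllBytes($OutFile, [System.Text.Encoding]::Unicode.GetBytes($request))

# 3. Verify: exactly one pending request for this CN exists and it lists every collected hostname.
$cn = (($Subject -split ',') | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
$pending = @(Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'PendingRequest' -and $_.CertificateDomains -contains $cn })
if ($pending.Count -ne 1) { throw "Expected one pending request for $cn, found $($pending.Count)" }
$missing = @($sanNames | Where-Object { $pending[0].CertificateDomains -notcontains $_ })
if ($missing.Count -gt 0) { throw "Pending request lacks SANs: $($missing -join ', ')" }
"Request $($pending[0].Thumbprint) written to $OutFile; SANs: $($pending[0].CertificateDomains -join ', ')"
```

Review the printed SAN list against the hostnames your CA will validate before submitting the file; a name that is published in a virtual directory URL but absent here means the request was built on a different server than the one clients use.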
Submit the CSR to a Certificate Authority
- Open the CSR file in a text editor.
- Copy everything between the following lines:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- Insert your CSR inside your SSL Certificate order/validation form.
If your CA asks for a DER-encoded request, upload the binary CSR file itself instead.
Next Step: How to Install an SSL Certificate on Microsoft Exchange Server?
Conclusion
Creating a CSR in Microsoft Exchange is simple, but it is an essential step towards a messaging environment secured with SSL/TLS encryption.
The Exchange Admin Centre guides you through the CSR creation process, while the Exchange Management Shell gives you finer control over it; either way, the resulting request lets a trusted CA verify your server's identity.
Once your new certificate is issued, you can complete the pending request and assign the certificate to the appropriate Exchange services, securing client communication and protecting data in transit.