Managing Certificates in Exchange Server 2010 (Part 2)

by [Published on 26 April 2011 / Last Updated on 26 April 2011]

This article covers how to manage certificates using Exchange Management Console.

If you would like to read the other parts in this article series please go to:


In the last article we saw some key points before ordering the certificates and now it’s time to put them to the test using the Exchange Management Console. 

Using Exchange Management Console

It may be a little bit hard to find the Exchange Certificate management spot in the Exchange Management Console the first time but as soon as you find it, then you will realize how simple it is to manage certificates using the console. Let’s follow these steps to create a new certificate as follows:

  1. Open Exchange Management Console
  2. Expand Microsoft Exchange On-Premises
  3. Click on Server Configuration (Figure 01) and when you click on a server on the right hand side, the Exchange Certificates tab will show up in the frame below. Now, in a single view you can see all certificates on that specific server (It is way easier than running Get-ExchangeCertificate on the Command Shell :))

Figure 01

  1. Since we are going to request a new certificate, we can either right-click on the server and then click on New Exchange Certificat or access the same option in the Toolbox Actions, as shown in Figure 02.

Figure 02

  1. In the Introduction page. Here we can define the Friendly name of our new certificate (It’s the same name you use – FriendlyName when you request on the Management Shell), after that click on Next.
  2. In the Domain Scope page. If you are going to use wildcard certificates then you need to enable the option Enable wild card certificate and use your own domain name (example: or * Let’s click on Next. In this article we are not going to use the wildcard but just the UC Certificate.
  3. In the Exchange Configuration page. (And the fun starts), basically the New Exchange Certificate Wizard will give us all possible services that can use certificates and we can define the names required for them. We just need to click on a specific section, for example Client Access Server (Outlook Web App) and select how it will be used, in our case we can enable both internally and externally using their respective names (Figure 03).

Figure 03

Here is the list with all areas where we can define a certificate in the Exchange Wizard:

  • Sharing
  • Client Access Server (Outlook Web App)
  • Client Access Server (Exchange ActiveSync)
  • Client Access Server (Web Services, Outlook Anywhere, and Autodiscover)
  • Client Access Server (POP/IMAP)
  • Unified Messaging Server
  • Hub Transport Server
  • Legacy Exchange Server

Bear in mind that during the Assign Services phase we have only a few services where we can associate the certificate which are SMTP, IIS, POP, and IMAP. So, in theory you can define a different name for a couple of different services, for example: ActiveSync, and OWA, then each name will be added to the same certificate, and finally that certificate will be associated to IIS. However we are following the best practices here and we are going to use a few names which simplify the process.

One last thing about this page, if something goes wrong with the naming process and you want to start from scratch just click on the Reset button. A dialog box will show up about the reset, just click on Yes and you are back to square one, as shown in Figure 04.

Figure 04

An important setting that we need to define is the Client Access Server (Web Services, Outlook Anywhere and Autodiscover) section. In our example we are using a single SMTP domain and for that reason we are going to use for Outlook Anywhere and Web Services and for the Autodiscover (by choosing that we are defining that the Autodiscover on the Internet will be using Long URL), as shown in Figure 05.

Figure 05

  1. In the Certificate Domains page. We will have a summary of all names that we defined in the previous page; in our article we will use just 3 names as shown in Figure 06.

Figure 06

  1. In the Organization and Location page. Let’s fill out the information using our organization info, and where the file request will be saved (take a note of that path and file name) and then click Next.
  2. In the Certificate Configuration page. A summary of the settings that we defined, just click on New to start the process.
  3. In the Completion page. We will have a summary containing all cmdlets used to generate the request and now finally we have the request good to go, as shown in Figure 07.
    Also the wizard gives you a step by step based on which certificate you requested and how to proceed to deploy the new request.

Figure 07

If we go back to Exchange Management Console and check the server certificates we will notice that the new request is there however it shows that it is pending and there are no services associated to it (Figure 08), we can also check the same information using our well-known Get-ExchangeCertificate using Exchange Management Shell (Figure 09)

Figure 08

Figure 09

Time to request the certificate on your Public Certification Authority (the same thing applies for an Internal CA). Basically, we can open the request using notepad and the content of the file will be similar to the one shown in Figure 10. Let’s select all content and then copy and paste into the Certificate that your public certification authority will provide to you. The result will be a file that will be sent to your e-mail or can be download from your Public Certification Authority page.

Figure 10

Now that we have requested, and got a new certificate, it’s time to install the file provided by your Certification Authority. Let’s save that file on the file system and then open Exchange Management Console and right-click on the Certificate entry that we started in the previous step. Let’s right-click on it and click Complete Pending Request as shown in Figure 11.

Figure 11

A complete pending request will start, on the initial page, let’s click on browse and find the certificate (it can be a .p7b or .cer extension) and click on Complete (Figure 12) and then Finish on the following page.

Figure 12

Now, we can check out the certificates on that server and we should be able to see that we have two valid certificates (Figure 13) however, our new certificate doesn’t have any service assigned to it which brings us to the next component of the certificate deployment.

Figure 13


It is way easier using Exchange 2010 console, isn’t it? This concludes our second article of this series, in the next article we will check how to manage additional tasks related to certificates such as, Import, Export and assigning certificates and we'll complete the series doing the same stuff using Exchange Management Shell. 

If you would like to read the other parts in this article series please go to:

See Also

The Author — Anderson Patricio

Anderson Patricio avatar

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).


Featured Links