
How to Install Self-Signed Multiple Domain Certificate (UCC) in Exchange 2013

– Distribute the Certificate to Domain Clients using Group Policy

– Publish the Certificate and Install It on Remote Clients

One of the first tasks that you need to perform on a new Exchange 2013 CAS or multirole server is to install a new certificate and assign it to the available services. The out-of-the-box self-signed certificate is provided simply as a temporary solution and has the following limitations:
– It is not trusted by domain and remote clients
– The Common Name (CN) of the certificate is the short/NetBIOS name of the Exchange server
– Only the internal Fully Qualified Domain Name (FQDN) of the Exchange server is included as a Subject Alternative Name (SAN)
– The Autodiscover and Exchange public names are not included in the SAN field

As a result, we get the following problems:
– Internal Outlook clients and internal/remote OWA users get a security warning.
– Outlook Anywhere (OA) does not work. Even if you manually configure an OA profile and add the certificate to the local Trusted Root Certification Authorities store, the Exchange public FQDN is not included in the certificate, so Outlook Anywhere fails.

The recommended approach is to install a UCC from a trusted Certificate Authority. There are cases when you might choose a different approach: replacing the out-of-the-box self-signed certificate with a new self-signed certificate that uses the Exchange public name as the Common Name (CN) and includes the Autodiscover FQDN. Typical examples are:
– Implementing a test environment with Exchange 2013.
– A limited number of remote users.
– You simply need more time until you choose a suitable certificate provider and buy a commercial UCC.

As you can see in our Screencast, generating and installing a new self-signed Multiple Domain Exchange certificate that fits your needs is easy and straightforward. Moreover, creating a Group Policy to distribute the certificate to domain clients, and publishing the certificate so that remote clients can install it and use it with OWA and Outlook Anywhere, takes only a couple of minutes.

Step 1: We discuss the limitations of the default self-signed certificate in Exchange 2013 and the problems it presents to domain and remote clients. Then we demonstrate how to generate and install a new self-signed UCC that includes the names we need.

Step 2: Next, we export the certificate with its public key and distribute it to domain clients with a Group Policy. After checking the result with RSOP, we assign the new certificate to all Exchange services and replace the original self-signed certificate.

Step 3: In the last step, we publish the certificate with its public key. Then we demonstrate how to download and install it on remote clients. Finally, we test the certificate with OWA and Outlook Anywhere.
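
The three steps above can also be driven from the Exchange Management Shell. The following is an added example, not taken from the screencast: the host names, the export path and the list of services are placeholder assumptions, and it assumes a single server, so the private key is kept non-exportable.

```powershell
# Added example: run in the Exchange Management Shell on the CAS/multirole server.
# Placeholder names (assumptions): substitute your own public and Autodiscover FQDNs.
$publicName   = 'mail.example.com'
$autodiscover = 'autodiscover.example.com'
$cerPath      = 'C:\Temp\exchange-ucc.cer'   # assumed export location

# Step 1: self-signed certificate with CN = public name and both names in the SAN.
# -Services None leaves it unassigned until clients trust it.
# -PrivateKeyExportable $false keeps the private key on this server only.
$cert = New-ExchangeCertificate -SubjectName "CN=$publicName" `
    -DomainName $publicName, $autodiscover `
    -FriendlyName 'Exchange 2013 self-signed UCC' `
    -PrivateKeyExportable $false -Services None

# Verify that every required name made it into the certificate before distributing it.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = @($publicName, $autodiscover) | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate is missing names: $($missing -join ', ')" }

# Step 2: export the public certificate only (DER-encoded .cer, no private key).
$storeCert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$bytes = $storeCert.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $bytes)

# Keep the thumbprint: remote users can compare it before trusting the published file.
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

# Import $cerPath into a GPO under Computer Configuration > Policies >
# Windows Settings > Security Settings > Public Key Policies >
# Trusted Root Certification Authorities, and confirm with RSOP on a client.

# Then assign the certificate to the Exchange services (assumed list; the cmdlet
# asks for confirmation before replacing the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP
```

Only the `.cer` file is distributed or published; a client that imports it into Trusted Root Certification Authorities trusts anything signed by that key, which is why the private key never leaves the server here.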


©2024 NetoMeter All Right Reserved.