In this article I’ll show you how to generating an SSL certificate request for a server named CLOUDEXC01 in the cloud.local domain, that is installed with the Client Access and Mailbox server roles. The server will be an internet-facing Client Access server, and so the following names will be included in the SSL certificate:
Open the Exchange Administration Center (EAC) in your web browser and navigate to Servers -> Certificates.
Click the “+” button to start the new Exchange certificate wizard. Choose Create a request for a certificate from a certification authority and click Next to continue.
Give the new certificate a friendly name and click Next to continue.
Do not choose to create a wildcard certificate. Although wildcards are supported for Exchange they are not supported for some interoperability scenarios with other server products. Click Next to continue.
Click Browse and choose an Exchange server to store the certificate request (this is the server that will hold the pending certificate request while you wait for the certificate to be issued).
In this example I am storing it on the server CLOUDEXC01. Click Next to continue.
Click the Edit button.
Enter the domain name that clients will be using to connect to each service, for example mail.cloudexc01.local for OWA.
A consolidated list of names is presented. Note that the server’s NetBIOS name (short name) will be present in this list, and other unwanted names may also appear, depending on how you completed the previous step. Remove any of the names that you do not want to be included in the SSL certificate.
In particular, a commercial certificate authority will not issue you a certificate for a server’s NetBIOS name, an IP address, or a namespace that you can’t verify that you own (eg a .local domain), so you must remove any of those names from your certificate request before you click Next to continue.
Enter your organization details and click Next to continue. For some certificate providers this information needs to match the information that is in the public WHOIS data for the domains that you are requesting a certificate for. If it does not match there may be some additional manual verification steps required before the certificate will be issued, which may slow down the process a little.
Enter a valid UNC path to store the certificate request file, and click Finish.
The pending certificate request is now visible in the Exchange Administration Center.
The certificate request file is also able to be found in the UNC path that was nominated.
How to Issue an SSL Certificate for Exchange Server 2016 from a Private Certificate Authority
When you are configuring SSL certificates for Exchange Server 2016 you may choose to issue the certificates from a private certificate authority rather than a commercial CA.
This is a common approach for non-production systems or those that will not be internet-facing and so will only receive connections from domain-joined clients that already trust the private CA.
When you have the certificate request file ready open a web browser and navigate to the web enrollment page for the private CA. Click on Request a Certificate.
Choose to submit an advanced certificate request.
Open your certificate request file in Notepad and copy the contents into the form, then change the certificate type to Web Server.
Click Submit when you are ready and the CA will begin processing the request. When it is complete you can click the link to download the certificate to your computer.
How to Complete a Pending Certificate Request in Exchange Server 2016
When you are configuring SSL certificates for Exchange Server 2016, after you have generated the certificate request and received the SSL certificate from the certificate authority, you then need to complete the pending certificate request.
In the Exchange Administration Center navigate to Servers -> Certificates. Choose the server you are configuring the SSL certificate for and highlight the certificate that has a status of “Pending request“.
With the pending request highlighted click on the link to Complete.
Enter the UNC path to the certificate that you were issued by the certificate authority, and then click OK.
When the pending request is completed and you return to the main EAC window you will see the status has changed to “Valid“.
News Source: Practical 365