Certificates for Exchange 2010

Matthew Cioffi
Last Modified: 2017-04-28
Hello everyone,

I'm outside my comfort zone here with certificates. It is not something I have had to deal with very often. So I may be asking some very basic questions confuddled by my lack of knowledge.

In Exchange server config there are several certs listed.  Some are self-signed TRUE and a couple FALSE.  That is confusing as we never purchased anything.  They should all be self-signed.  I tried to renew one of the certs but it kept asking for the REQ file.  I did not have one.  The instructions I found on TECHNET did not indicate how to generate this file.

I created a new cert then assigned all the services to it. Outlook is still having issues. Some iPhones seem to be having issues.

So what I would like to do is start clean if possible. Can I shut down Exchange for a short time, remove all certs and create new self-signed certs for internal and external connections? 3rd party for external will be expensive for us. I have been told we need a wildcard, UCC cert, this will be 565 a year if we purchase it for 3 years. That is more than the business owner wants to spend right now. I would prefer getting a 3rd party cert but we have been using the original self-signed ones since Exchange was configured.

So I need help to make sure Exchange is configured properly, the certs work for mobile devices and for internal exchange.  Should we change the external DNS to something else and configure the phones differently?  I'm willing to make those changes if it will solve the bulk of our issues.

I understand this is probably a lot of work, but I need to get this all set up correctly so I can figure out if there are other issues happening as well.
Adam Brown, Senior Systems Admin
Top Expert 2010

Certificates are actually pretty simple in Exchange. They are either assigned to services or they aren't. The certificate that is used by Exchange should have the IIS, SMTP, POP, and IMAP services assigned to it. Only one certificate can have all services assigned to it, and the others can be removed.

In regards to using a UCC/SAN certificate, this is not *required* for Exchange. You can use a certificate with a single name, you just have to change the way autodiscover's DNS records are configured. Specifically, you can change from using an autodiscover.domain.com record for Autodiscover to using a SRV record. https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/ explains why and how to use this. If you use a SRV record, it allows Autodiscover to look up the settings using mail.domain.com instead of autodiscover.domain.com (which is a default). This will result in significantly less work for you, because using a self-signed certificate will result in an error message every time users open Outlook, which can only be removed by installing the Self-Signed Certificate as a Trusted Root Authority certificate on each client computer that connects to Exchange (this is a lot of work, especially if people are allowed to connect using Outlook on non-domain computers).
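
The following is an added example, not part of Adam Brown's answer or the original thread: an Exchange Management Shell check that inventories the installed certificates, reports which one covers the single name used with an Autodiscover SRV record, and verifies the record itself. The names `mail.domain.com` and `domain.com` are the placeholders from the answer, `<thumbprint>` is a placeholder, and the helper `Test-NameCovered` is hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# mail.domain.com / domain.com are the placeholder names used in the answer above.
$required = @('mail.domain.com')   # the only name clients need once Autodiscover uses an SRV record

# Hypothetical helper: does any name on the certificate cover the host name?
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one left-most label (*.domain.com covers mail.domain.com).
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            ($HostName.Substring($HostName.IndexOf('.')) -ieq $n.Substring(1))) { return $true }
    }
    return $false
}

# 1. Inventory: which certificate holds which services, and does it cover the required name?
Get-ExchangeCertificate | Select-Object Thumbprint, Services, IsSelfSigned, NotAfter,
    @{ Name = 'Names'; Expression = { ($_.CertificateDomains | ForEach-Object { "$_" }) -join ', ' } },
    @{ Name = 'CoversRequired'; Expression = {
        $names = @($_.CertificateDomains | ForEach-Object { "$_" })
        -not ($required | Where-Object { -not (Test-NameCovered $_ $names) })
    } } | Format-List

# 2. Confirm the SRV record exists and points at the name on the certificate.
#    Expected record: _autodiscover._tcp.domain.com  SRV  0 0 443  mail.domain.com
#    Outlook only falls back to the SRV lookup after the autodiscover.domain.com
#    lookups fail, so that host record should not also be published.
nslookup -type=SRV _autodiscover._tcp.domain.com

# 3. After reviewing the inventory, assign the services to the chosen certificate and
#    remove the ones no longer used. Left commented out on purpose.
# Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS,SMTP,POP,IMAP"
# Remove-ExchangeCertificate -Thumbprint <thumbprint>
```

A certificate that shows `IsSelfSigned : True` still produces the Outlook trust warning described above even when `CoversRequired` is `True`; the name check and the trust check are separate.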
Matthew Cioffi, Senior DBA


-MAS was on the right track, I had additional issues that had to be resolved along the way.
