What Kind of SSL is needed for Exchange 2016 (Single Domain)

dtssupport used Ask the Experts™
I am installing an on-premises Exchange 2016 with one domain. What type of SSL would be best suited so that when you want to connect mobile devices/OWA by putting in the email address and password, it will go out and search for it and connect it to the device without setting it up manually?
Riaz Alexander Ansary, Enterprise Infrastructure Systems Engineer

On your Exchange server you will need to purchase a publicly trusted certificate. When you first install an Exchange server, it generates a self-signed certificate and assigns it to the IIS, SMTP, POP and IMAP services, which allows the server to be secure by default. But you do need to purchase a publicly trusted certificate from a trusted authority like GoDaddy, depending on your client access namespace configuration.
You have 3 basic requirements for an SSL certificate in an Exchange 2016 deployment.
Trusted certificate authority: your certificate needs to be from a trusted authority. This enables clients to trust the certificate, which they previously would not be able to do with your self-signed default certificate.
Correct domain/server names: your certificate needs to contain all the correct domains, aliases and internal/external URLs that you have configured in your client access server under each of the virtual directories. One example, in my case, is mail.mydomain.com, which we are using for all internal/external URLs, and clients and virtual directories access Exchange via that URL.
Certificate validity period: each certificate has a validity period; when it reaches its expiration date you need to renew it.

Follow these steps to install a certificate on your Exchange server:

  1. Generate a certificate request (CSR) on your Exchange server.
  2. Use the generated CSR to purchase your certificate from, let's say, GoDaddy.
  3. Complete the pending certificate request on the Exchange server once you have the certificate purchased.
  4. You can then export this certificate and import it into other Exchange servers.

Follow these links to accomplish the above if you don't know how to.
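
The steps above as Exchange Management Shell commands, as an added example that is not part of the original answer. The host names (`mail.mydomain.com`, `autodiscover.mydomain.com`), the `C:\Certs` paths, the friendly name and the second server name `EX02` are assumed placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2016 server.
# Assumed placeholders: host names, C:\Certs paths, friendly name, server name EX02.
$names = 'mail.mydomain.com', 'autodiscover.mydomain.com'

# Step 1: generate the CSR. Every name clients connect to goes into the SAN list.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange 2016 UCC' `
    -SubjectName 'CN=mail.mydomain.com' `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\Certs\exchange.req' -Value $csr

# Step 2 happens at the CA: submit exchange.req, then save the issued
# certificate as C:\Certs\exchange.cer.

# Step 3: complete the pending request with the issued certificate.
$cert = Import-ExchangeCertificate `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certs\exchange.cer'))

# Before binding it, confirm the CA issued every requested name and note the expiry.
$issued  = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
"Valid until $($cert.NotAfter)"

# Assign the certificate to the services the self-signed one was bound to.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# Step 4: export with the private key, protected by a password typed at the prompt
# (never stored in the script), and import it on the second server.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('C:\Certs\exchange.pfx', $pfx.FileData)

Import-ExchangeCertificate -Server 'EX02' `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certs\exchange.pfx')) `
    -Password $pfxPassword -PrivateKeyExportable $false
Enable-ExchangeCertificate -Server 'EX02' -Thumbprint $cert.Thumbprint `
    -Services IIS,SMTP,POP,IMAP

# The PFX contains the private key; remove the file once the import is done.
Remove-Item 'C:\Certs\exchange.pfx'
```
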
Exchange Engineer
Distinguished Expert 2018
It's recommended you get a cert from a public CA, and the cert should be a UCC SAN cert. It's not recommended to use wildcard certs on Exchange. @Riaz Alexander Ansary did provide some good links on how to get the CSR and get the certs installed and services applied.
Hani M .S. Al-habshi, Contributor as IT Expert
Check SSL Certificates Help, UCC SAN certs


Exchange Server 2016 depends on Autodiscover for connection anywhere, so you set up your autodiscover.domain.com


Yes, all I needed was a UCC for up to 5 Domain/Sub-Domains, thank you very much!!  That SSL worked fine.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Great, glad it worked for you.


Thank you for your help, sorry for the delay in getting back to you guys... it's been a crazy 2 weeks.
