Knowledge Base

How to generate a CSR and install an SSL certificate on Exchange Server

Updated on June 19, 2026

Overview

By the end of this guide, you will have generated a Certificate Signing Request (CSR) in the Exchange Admin Center (EAC), submitted it to a Certificate Authority (CA), installed the issued SSL certificate, assigned it to Exchange services, verified the installation, and optionally installed intermediate certificates. It covers adding Subject Alternative Names (SANs) to the request, assigning the certificate to services, verifying with the Exchange Management Shell, and importing intermediate certificates through the Microsoft Management Console (MMC).

1. Generate a CSR in the Exchange Admin Center (EAC)

Open a web browser and go to the Exchange Admin Center (EAC) at https://localhost/ecp or your Exchange server's admin URL.

Click Servers in the left menu, then select Certificates at the top.

Choose the Exchange server where you want to create the CSR.

Click the Add (+) icon, select "Create a request for a certificate from a certification authority," and click Next.

Enter a friendly name to identify the certificate and click Next.

Choose whether you want a wildcard certificate or a certificate for specific domains, and click Next.

Add all domain names — the Common Name and any Subject Alternative Names (SANs) — that you want to secure, and click Next.

Provide your organization and location details as prompted.

Choose a shared network path to save the CSR file (for example, \\Server\Share\exchange.csr) and click Finish.

2. Submit the CSR to the Certificate Authority (CA)

Send the generated CSR file to Sectigo.

After validation, Sectigo issues the SSL certificate.

3. Install the SSL certificate in the EAC

Return to Servers > Certificates in the EAC.

Select the Exchange server and find the request with status "Pending request."

Highlight the pending request and click Complete from the right menu.

Enter the path where the issued certificate file is saved (for example, \\Server\Share\yourdomain.crt) and click OK. The status changes to Valid when installation succeeds.

4. Assign services to the SSL certificate

In Certificates, select the newly installed certificate, click Edit, and open the Services tab.

Select the services that will use the certificate:

Simple Mail Transfer Protocol (SMTP) for mail transport

Internet Information Services (IIS) for Outlook Web Access and the Exchange Control Panel (ECP)

Internet Message Access Protocol (IMAP) and Post Office Protocol 3 (POP3), if applicable

Unified Messaging, if applicable

Save the changes.

5. Verify the certificate installation

Run the following Exchange Management Shell command to confirm the services are enabled:
- Get-ExchangeCertificate | fl FriendlyName, Subject, Status, Services, Thumbprint

Confirm the new certificate is enabled and assigned to the required services.

Test secure access in a browser over HTTPS (for example, https://mail.yourdomain.com/owa), and use an SSL checker such as SSL Labs to verify the certificate chain and expiration.

6. (Optional) Install intermediate certificates

If your Certificate Authority provides intermediate certificates, install them to complete the trust chain:
- Open the Microsoft Management Console (MMC) and add the Certificates (Local Computer) snap-in.
- Go to Intermediate Certification Authorities > Certificates.
- Right-click, select All Tasks > Import, and follow the wizard to import the intermediate certificate file.

7. Restart Exchange services

After installation and service assignment, restart Exchange services so the changes take effect:
- Restart-Service MSExchangeTransport
- Restart-Service IISAdmin