Install Self Signed Exchange 2010 SSL certificate

For my example, my domains are…

Local domain: vcp.local
Outside domain:

#NETBIOS name of Client Access exchange server: vcpsydex01
#Internal FQDN (AD name): vcpsydex01.vcp.local
#External FQDN (Public name):
#Autodiscover name:  

Run the following command on the Client Access Server to generate the new self-signed SSL certificate using the names listed above:

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "" -DomainName vcpsydex01,vcpsydex01.vcp.local,, -PrivateKeyExportable $True

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required that the Subject Name (aka Common Name) on the certificate match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. Therefore, as a best practice, you should ensure that is listed as the Subject Name in your certificate unless you plan on changing the configuration which can be achieved by using the Set-OutlookProvider cmdlet with the -EXPR parameter as described in

Open IIS on the Exchange Server and tell it to use this certificate.

  1. Click on the Default Web Site


  2. Click Bindings on the right


  3. Select HTTPS, and choose edit


  4. Under SSL certificate, click the drop down list and choose your certificate that you created earlier.


  5. You need to set up the following external DNS entries 1. 2., these need to point to the external IP address of your Exchange CAS server.

    The next few steps are to install the certificate to the Clients.

  6. From Internet Explorer, navigate to the website of your OWA, click on Certificate Error, then click View certificates.


  7. Click Install Certificate


  8. Click Next


  9. Select the second option


  10. Select the box Show Physical Stores. Under Trusted Root Certification Authorities, select Registry and click OK.

    Please note, you will need to repeat this step again and choose Local Computer.



  11. Click Finish


  12. Select Yes. Close and re-open Internet Explorer.


  13. Close and restart Internet Explorer.
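
Steps 6 to 10 trust whatever certificate the browser was shown on the error page. The PowerShell below is an added example, not part of the original post: it compares the certificate the server presents with the thumbprint that Get-ExchangeCertificate reports on the server, checks the names, and only then adds it to the Local Computer Trusted Root store. The thumbprint is a placeholder, and the host and names are the internal ones from the post.

```powershell
# Added example (not from the original post). Run on the client, elevated.
$OwaHost  = 'vcpsydex01.vcp.local'    # internal FQDN from the post
$Expected = 'PLACEHOLDER_THUMBPRINT'  # placeholder: read from Get-ExchangeCertificate on the CAS
$Required = @('vcpsydex01', 'vcpsydex01.vcp.local')

# Retrieve the presented certificate. The callback accepts any certificate
# only so that it can be inspected; nothing is trusted at this point.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($OwaHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($OwaHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 1. The thumbprint must match the value obtained out-of-band from the server.
$want = ($Expected -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: server presented $($cert.Thumbprint). Not installing."
}

# 2. Every name clients will use must be in the Subject Alternative Name.
#    Assumption: English Windows, where the extension formats as "DNS Name=...".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$sans    = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
           ForEach-Object { $_.Groups[1].Value }
$missing = $Required | Where-Object { $sans -notcontains $_ }
if ($missing) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# 3. Only now add it to Local Computer > Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }
"Installed $($cert.Subject), expires $($cert.NotAfter)"
```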

For more information, please refer to


  1. Almost all of these steps are unnecessary. You should stay in PowerShell after you import the certificate and simply use the enable-exchangecertificate command.

    1. Agreed. You need to handle SSL certs for Exchange via Exchange – that is, the Exchange Management Shell or Console. There are a lot of virtual directories and other protocols (POP3, IMAP4, Opportunistic TLS for SMTP, etc.) that IIS knows nothing about. I’ve seen this approach cause problems down the road.

  2. Thanks for this. Everyone else’s guides make it impossibly complicated without a technical knowledge of Exchange but your guide was a dream to use after I screwed up the initial certificate. Much appreciated. Alex.
