Using a Microsoft Exchange Server-Generated Certificate

Q. Can I use the Microsoft Exchange Server-generated certificate for my Exchange Server 2007 implementation that is installed on the Exchange default Web site?

A. You can use the Secure Sockets Layer (SSL) certificate generated by Exchange 2007 if you intend to access Exchange features only internally. However, if you're going to use any Internet-facing features such as ActiveSync, Outlook Web Access (OWA), or Outlook Anywhere (RPC over HTTPS), you need to replace the certificate with an Internet-trusted certificate that supports a Subject Alternative Name, which is the name of the site as it will be viewed from the Internet as opposed to the server's internal network name. With this approach, instead of having to use multiple certificates for the different Web sites and names, both internal and external, you can use one certificate that supports all the various DNS names by which a site might be referenced (e.g.,,,).

Outlook Anywhere and ActiveSync require a trusted SSL certificate, which means that it must be issued by a trusted Certificate Authority (CA) and not self-signed by the Exchange server. Subject Alternative Names are fairly new, and only certain CAs support them. Therefore, you might need to use a new certificate-issuing company for your Exchange 2007 needs. If you try to use a certificate that doesn't support the Subject Alternative Names feature with Outlook Anywhere and ActiveSync, your Outlook client will generate a warning that the SSL certificate doesn't match the name of the site it's being used for.
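The two conditions described in the answer (every name clients use must appear in the certificate, and the certificate must not be self-signed) can be checked before deployment. The following is an added example, not part of the original answer; the host names, CA name, and certificates are constructed placeholders, and the function names are hypothetical.

```python
# Added example: certificates below are constructed, in the dict shape
# returned by ssl.SSLSocket.getpeercert(). Host names are placeholders.

def cert_names(cert):
    """DNS names a client matches against: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def audit(cert, required_hosts):
    """Report names the certificate does not cover and whether it is self-signed."""
    names = cert_names(cert)
    missing = [h for h in required_hosts if h.lower() not in names]
    # Heuristic only: issuer == subject marks a self-signed certificate.
    # Real trust also needs chain validation against the client's CA store.
    issuer = cert.get("issuer")
    self_signed = issuer is not None and issuer == cert.get("subject")
    return {"self_signed": self_signed, "missing": missing}

def _dn(cn):
    return ((("commonName", cn),),)

# Names clients will use: one external, one internal (both constructed).
REQUIRED = ["mail.example.com", "ex01.corp.example"]

# Server-generated certificate: self-signed, internal names only.
SELF_SIGNED = {"subject": _dn("ex01"), "issuer": _dn("ex01"),
               "subjectAltName": (("DNS", "ex01"), ("DNS", "ex01.corp.example"))}

# CA-issued certificate without SAN support: only the subject CN is usable.
CN_ONLY = {"subject": _dn("mail.example.com"),
           "issuer": _dn("Constructed Public CA")}

# CA-issued certificate with SANs covering external and internal names.
SAN_CERT = {"subject": _dn("mail.example.com"),
            "issuer": _dn("Constructed Public CA"),
            "subjectAltName": (("DNS", "mail.example.com"),
                               ("DNS", "ex01.corp.example"))}

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("CN only", CN_ONLY),
                        ("SAN", SAN_CERT)):
        print(label, audit(cert, REQUIRED))
```

A non-empty `missing` list corresponds to the name-mismatch warning the answer describes; `self_signed` being true corresponds to the certificate Outlook Anywhere and ActiveSync will not accept.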
