• System requirements
• Getting started
• Automatic renewal
• Renewal management
• Validation problems
• Advanced usage
  • Examples
    • Microsoft Exchange
    • Apache
    • Remote Desktop Services
  • Global validation
  • Load balancing
  • Custom logging
  • Encryption
  • Private keys
  • Secrets
• Moving servers
• Upgrading
  • to v1.9.5
  • to v1.9.9
  • to v2.0.0
  • to v2.0.11
  • to v2.1.0
  • to v2.2.0

Microsoft Exchange

Choose the domains that you want to generate the certificate for. Note that Let’s Encrypt only issues certificates to public domains, that means no Active Directory server names or domain suffixes that are only known inside of your intranet can be used. You can specify a maximum of 100 domains in a certificate.

Assumptions made in this example:

• We want to generate the certificate for three domains
  • mail.example.com
  • webmail.example.com
  • autodiscover.example.com
• mail.example.com will be the common name, hence we put it first
• OWA is running in the Default Web Site of IIS with Site Id 1.
• We want to enable the certificate for SMTP and IMAP

Interactive

It’s not recommended to configure a certificate for Exchange in interactive mode, because the settings --acl-fullcontrol (essential for installation of some updates) is not accessible from the menu.

Unattended

Important note for Hybrid Exchange configurations (synced to Office 365): you should use 0 instead of 1 in the --scriptparameters, which translates to the LeaveOldExchangeCerts input of the sample script. See this issue for more details.

• Windows Certificate Store (default) wacs.exe --source manual --host mail.example.com,webmail.example.com,autodiscover.example.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

• Central Certificate Store (load balancing etc.) wacs.exe --source manual --host mail.example.com,webmail.example.com,autodiscover.example.com --store centralssl,certificatestore --certificatestore My --acl-fullcontrol "network service,administrators" --centralsslstore "C:\Central SSL" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

Verification

To make sure all is working properly, I’d encourage you to use the Microsoft’s Remote Connectivity Analyzer. The Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. With Outlook 2016 requiring the use of Autodiscover to connect to Exchange, verifying that this works properly is an important step is making sure your environment is setup correctly.

References

• Assign certificates to Exchange services
• Import certificates into Exchange
• Add MIME Type
• Namespace planning in Exchange 2016
• Exchange Server 2016 Client Access Namespace configuration
• Install Exchange 2016 in your lab