Get started Bring yourself up to speed with our introductory content.

Using Microsoft Exchange certificates requires planning

Exchange certificates typically require minimal management effort after they have been set up, and they offer a secure means of communication between different organizations.

Security and encryption should always be priorities for IT administrators. Microsoft Exchange certificates require...

little management effort while offering substantial protection for the messaging platform.

Exchange Server can use digital certificates to encrypt sensitive information as it moves over the network, such as user credentials. Administrators can keep organizations secure with minimal certificate maintenance; in most cases, certificates just require a renewal process after a couple of years. Organizations that use Microsoft Exchange certificates for advanced encryption or that have an in-house certificate authority (CA) will have to put in a little more effort to ensure smooth operation.

Despite the security benefits and relatively easy maintenance, some admins might still have questions regarding the use and configuration of Microsoft Exchange certificates. Follow this guide to tailor an encryption scheme that fits your organization's needs.

Are third-party certificates for Exchange necessary?

Administrators don't need to install third-party certificates for Exchange to run the messaging platform, but Exchange needs certificates to implement certain features.

Organizations can run their own CA within Active Directory, but admins must install a root certificate from that CA on all devices to get the certificate from the CA on the Exchange Server to work. The advantage of a third-party certificate is that devices have the root certificate and the related certificate chain installed as part of the operating system.

The Autodiscover service populates server information on user devices. Without a certificate for Exchange, Autodiscover won't work.

ActiveSync enables cellphones to receive messages via their mail apps. It's possible to get ActiveSync to work without a certificate on Exchange, but the alternative is to install a root certificate from the organization's CA on each phone. Sometimes, organizations use third-party mobile device management applications for this, but, generally, the organization needs a third-party certificate on Exchange Server and a root certificate on the phone for seamless operation.

The Autodiscover service populates server information on user devices. Without a certificate for Exchange, Autodiscover won't work.

Isn't SSL insecure? Shouldn't it be disabled on Exchange?

The Transport Layer Security (TLS) protocol sprouted from the Secure Sockets Layer (SSL) protocol. TLS is more secure, and administrators should disable the SSL protocol on Exchange 2016 servers.

The most current version of TLS is 1.2, which Microsoft supports on Exchange 2016.


How to add and configure a
certificate in Exchange Server 2016.

There are some issues with disabling older versions of TLS on Exchange. Organizations that plan to deactivate older versions of TLS should test thoroughly before making the switch.

The Exchange Preferred Architecture recommends the same configuration for all Exchange servers. This best practice extends to Microsoft Exchange certificates -- all Exchange servers in the organization should use the same certificate.

Do certificates provide email encryption?

Yes, Microsoft Exchange certificates enable the administrator to set TLS encryption.

TLS is the protocol that provides an encrypted tunnel between different organizations. Partner companies can use TLS as a secure means to send sensitive emails. TLS enables the encryption of all traffic between the two organizations over the internet in a seamless fashion.

There are many encryption types available with varying levels of work required to use them in Exchange. TLS is a straightforward choice for sending encrypted email to other organizations with just a certificate and a specific send connector.

Are special types of certificates needed for encryption?

With most vendors, a standard certificate supports a single namespace or a hierarchical URL used to access resources over the internet, such as web mail.

Because many Exchange 2016 deployments require two namespaces -- one for the Outlook on the web HTTPS service and one for Autodiscover -- the certificate must support multiple namespaces. Some Exchange versions can use nine or more namespaces, but that is more common in older versions of Exchange.

This was last published in March 2018

Dig Deeper on Exchange Server setup and troubleshooting

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

Aside from disabling SSL certificates, how have you tightened security in your Exchange Server system?
Cancel
"Exchange certificates typically require minimal management effort after they have been set up ..."

The management effort (and price) is exactly zero if you are using a Letsencrypt certificate - there is a PS script that automates the Exchange certificate installation and renewal, and you get a better security.
Cancel

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchEnterpriseDesktop

SearchVirtualDesktop

Close