Type | Description | Advantages | Disadvantages |
---|---|---|---|
Self-signed certificate | The certificate is signed by the application that created it. | Cost (free). | The certificate isn't automatically trusted by client computers and mobile devices. The certificate needs to be manually added to the trusted root certificate store on all client computers and devices, but not all mobile devices allow changes to the trusted root certificate store. Not all services work with self-signed certificates. Difficult to establish an infrastructure for certificate lifecycle management. For example, self-signed certificates can't be revoked. |
Certificate issued by an internal CA | The certificate is issued by a public key infrastructure (PKI) in your organization. An example is Active Directory Certificate Services (AD CS). For more information, see Active Directory Certificate Services Overview. | Allows organizations to issue their own certificates. Less expensive than certificates from a commercial CA. | Increased complexity to deploy and maintain the PKI. The certificate isn't automatically trusted by client computers and mobile devices. The certificate needs to be manually added to the trusted root certificate store on all client computers and devices, but not all mobile devices allow changes to the trusted root certificate store. |
Certificate issued by a commercial CA | The certificate is purchased from a trusted commercial CA. | Simplified certificate deployment, because all clients, devices, and servers automatically trust the certificates. | Cost. You need to plan ahead to minimize the number of certificates that are required. |

Method | Description | Advantages | Disadvantages |
---|---|---|---|
Certificate subject match | The certificate's Subject field contains the common name (CN) of the host. For example, the certificate that's issued to www.contoso.com can be used for the web site https://www.contoso.com. | Compatible with all clients, devices, and services. Compartmentalization. Revoking the certificate for a host doesn't affect other hosts. | Number of certificates required. You can only use the certificate for the specified host. For example, you can't use the www.contoso.com certificate for ftp.contoso.com, even when the services are installed on the same server. Complexity. On a web server, each certificate requires its own IP address binding. |
Certificate subject alternative name (SAN) match | In addition to the Subject field, the certificate's Subject Alternative Name field contains a list of multiple host names. For example: • www.contoso.com • ftp.contoso.com • ftp.eu.fabrikam.net | Convenience. You can use the same certificate for multiple hosts in multiple, separate domains. Most clients, devices, and services support SAN certificates. Auditing and security. You know exactly which hosts are capable of using the SAN certificate. | More planning required. You need to provide the list of hosts when you create the certificate. Lack of compartmentalization. You can't selectively revoke certificates for some of the specified hosts without affecting all of the hosts in the certificate. |
Wildcard certificate match | The certificate's Subject field contains the common name as the wildcard character (*) plus a single domain or subdomain. For example, *.contoso.com or *.eu.contoso.com. The *.contoso.com wildcard certificate can be used for: • www.contoso.com • ftp.contoso.com • mail.contoso.com | Flexibility. You don't need to provide a list of hosts when you request the certificate, and you can use the certificate on any number of hosts that you may need in the future. | You can't use wildcard certificates with other top-level domains (TLDs). For example, you can't use the *.contoso.com wildcard certificate for *.contoso.net hosts. You can only use wildcard certificates for host names at the level of the wildcard. For example, you can't use the *.contoso.com certificate for www.eu.contoso.com, and you can't use the *.eu.contoso.com certificate for www.uk.eu.contoso.com. Older clients, devices, applications, or services might not support wildcard certificates. Wildcards aren't available with Extended Validation (EV) certificates. Careful auditing and control are required. If the wildcard certificate is compromised, it affects every host in the specified domain. |
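
The three matching methods in the table, as an added example that is not part of the original article: a small Python checker that decides which name in a certificate covers a given host, applying the wildcard constraints the table describes (the `*` stands for exactly one label, so it neither reaches deeper subdomains nor crosses into another TLD). `Cert`, `name_matches`, `cert_covers` and `uncovered_hosts` are names chosen for this example; the host names are the contoso.com / fabrikam.net examples from the table.

```python
"""Certificate name matching as described in the table above (added example, not Microsoft's code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Minimal view of a certificate: Subject CN plus Subject Alternative Names."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (exact or wildcard) against a host name.

    Wildcard rules from the table: '*' stands for exactly one leftmost label,
    so '*.contoso.com' covers mail.contoso.com but neither www.eu.contoso.com
    (one level too deep) nor www.contoso.net (different TLD) nor contoso.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host                      # certificate subject / SAN exact match
    wildcard_tail = pattern.split(".")[1:]          # labels after the '*'
    host_labels = host.split(".")
    # The host must have exactly one more label than the tail, and share the tail.
    return (len(host_labels) == len(wildcard_tail) + 1
            and host_labels[1:] == wildcard_tail)


def cert_covers(cert: Cert, host: str) -> Optional[str]:
    """Return the certificate name that covers `host`, or None if none does."""
    for name in [cert.subject_cn, *cert.sans]:
        if name_matches(name, host):
            return name
    return None


def uncovered_hosts(cert: Cert, hosts: List[str]) -> List[str]:
    """List the hosts a planned certificate would NOT cover (SAN planning aid)."""
    return [h for h in hosts if cert_covers(cert, h) is None]


if __name__ == "__main__":
    # Sample names are the contoso.com / fabrikam.net examples from the table.
    san_cert = Cert("www.contoso.com",
                    ["www.contoso.com", "ftp.contoso.com", "ftp.eu.fabrikam.net"])
    wildcard = Cert("*.contoso.com")
    for host in ["www.contoso.com", "mail.contoso.com", "www.eu.contoso.com",
                 "www.contoso.net", "ftp.eu.fabrikam.net"]:
        print(f"{host:22} SAN cert: {cert_covers(san_cert, host)!s:22} "
              f"wildcard: {cert_covers(wildcard, host)}")
```

The checker consults the Subject CN first, as the table's "certificate subject match" row does. Current browsers ignore the CN and match SAN entries only, so a certificate you request should carry every host name it must serve in the Subject Alternative Name field, which is also what `uncovered_hosts` helps you plan.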

Name | Comments |
---|---|
Microsoft Exchange | This Exchange self-signed certificate has the following capabilities: • The certificate is automatically trusted by all other Exchange servers in the organization. This includes any Edge Transport servers subscribed to the Exchange organization. • The certificate is automatically enabled for all Exchange services except Unified Messaging, and is used to encrypt internal communication between Exchange servers, Exchange services on the same computer, and client connections that are proxied from the Client Access services to the backend services on Mailbox servers. (Note: UM is not available in Exchange 2019.) • The certificate is automatically enabled for inbound connections from external SMTP messaging servers, and outbound connections to external SMTP messaging servers. This default configuration allows Exchange to provide opportunistic TLS on all inbound and outbound SMTP connections. Exchange attempts to encrypt the SMTP session with an external messaging server, but if the external server doesn't support TLS encryption, the session is unencrypted. • The certificate doesn't provide encrypted communication with internal or external clients. Clients and servers don't trust the Exchange self-signed certificate, because the certificate isn't defined in their trusted root certification stores. |
Microsoft Exchange Server Auth Certificate | This Exchange self-signed certificate is used for server-to-server authentication and integration by using OAuth. For more information, see Plan Exchange Server integration with SharePoint and Skype for Business. |
WMSVC | This Windows self-signed certificate is used by the Web Management service in IIS to enable remote management of the web server and its associated web sites and applications. If you remove this certificate, the Web Management service will fail to start if no valid certificate is selected. Having the service in this state can prevent you from installing Exchange updates, or uninstalling Exchange from the server. For instructions on how to correct this issue, see Event ID 1007 - IIS Web Management Service Authentication. |

Service | Description |
---|---|
IIS (HTTP) | By default, the following services are offered under the default website in the Client Access (frontend) services on a Mailbox server, and are used by clients to connect to Exchange: • Autodiscover • Exchange ActiveSync • Exchange admin center • Exchange Web Services • Offline address book (OAB) distribution • Outlook Anywhere (RPC over HTTP) • Outlook MAPI over HTTP • Outlook on the web • Remote PowerShell* Because you can only associate a single certificate with a website, all the DNS names that clients use to connect to these services need to be included in the certificate. You can accomplish this by using a SAN certificate or a wildcard certificate. |
POP or IMAP | The certificates that are used for POP or IMAP can be different from the certificate that's used for IIS. However, to simplify administration, we recommend that you also include the host names that are used for POP or IMAP in your IIS certificate, and use the same certificate for all of these services. |
SMTP | SMTP connections from clients or messaging servers are accepted by one or more Receive connectors that are configured in the Front End Transport service on the Exchange server. For more information, see Receive connectors. To require TLS encryption for SMTP connections, you can use a separate certificate for each Receive connector. The certificate must include the DNS name that's used by the SMTP clients or servers to connect to the Receive connector. To simplify certificate management, consider including all DNS names for which you have to support TLS traffic in a single certificate. To require mutual TLS authentication, where the SMTP connections between the source and destination servers are both encrypted and authenticated, see Domain Security. |
Unified Messaging (UM) | For more information, see Deploying Certificates for UM. Note: UM is not available in Exchange 2019. |
Hybrid deployment with Microsoft Office 365 | For more information, see Certificate Requirements for Hybrid Deployments. |
Secure/Multipurpose Internet Mail Extensions (S/MIME) | For more information, see S/MIME for message signing and encryption. |

Property | Microsoft Exchange | Microsoft Exchange Server Auth Certificate | WMSVC |
---|---|---|---|
Subject | CN=<ServerName> (for example, CN=Mailbox01) | CN=Microsoft Exchange Server Auth Certificate | CN=WMSvc-<ServerName> (for example, CN=WMSvc-Mailbox01) |
Subject Alternative Names (CertificateDomains) | • <ServerName> (for example, Mailbox01) • <ServerFQDN> (for example, Mailbox01.contoso.com) | none | WMSvc-<ServerName> (for example, WMSvc-Mailbox01) |
Has private key (HasPrivateKey) | Yes (True) | Yes (True) | Yes (True) |
PrivateKeyExportable* | False | True | True |
EnhancedKeyUsageList* | Server Authentication (1.3.6.1.5.5.7.3.1) | Server Authentication (1.3.6.1.5.5.7.3.1) | Server Authentication (1.3.6.1.5.5.7.3.1) |
IISServices* | IIS://<ServerName>/W3SVC/1, IIS://<ServerName>/W3SVC/2 (for example, IIS://Mailbox01/W3SVC/1, IIS://Mailbox01/W3SVC/2) | none | none |
IsSelfSigned | True | True | True |
Issuer | CN=<ServerName> (for example, CN=Mailbox01) | CN=Microsoft Exchange Server Auth Certificate | CN=WMSvc-<ServerName> (for example, CN=WMSvc-Mailbox01) |
NotBefore | The date/time that Exchange was installed. | The date/time that Exchange was installed. | The date/time that the IIS Web Manager service was installed. |
Expires on (NotAfter) | 5 years after NotBefore. | 5 years after NotBefore. | 10 years after NotBefore. |
Public key size (PublicKeySize) | 2048 | 2048 | 2048 |
RootCAType | Registry | None | Registry |
Services | IMAP, POP, IIS, SMTP | SMTP | None |

\* Properties marked with an asterisk (*) are visible in the output of these Exchange Management Shell commands:

```powershell
# Show every property of one certificate, including the ones hidden by the default view
Get-ExchangeCertificate -Thumbprint <Thumbprint> | Format-List *

# Show only the private-key related properties
Get-ExchangeCertificate -Thumbprint <Thumbprint> | Format-Table -Auto FriendlyName,*PrivateKey*
```

Property | Microsoft Exchange | Microsoft Exchange Server Auth Certificate | WMSVC |
---|---|---|---|
Signature algorithm | sha1RSA | sha1RSA | sha1RSA |
Signature hash algorithm | sha1 | sha1 | sha1 |
Key usage | Digital Signature, Key Encipherment (a0) | Digital Signature, Key Encipherment (a0) | Digital Signature, Key Encipherment (a0), Data Encipherment (b0 00 00 00) |
Basic constraints | • Subject Type=End Entity • Path Length Constraint=None | • Subject Type=End Entity • Path Length Constraint=None | n/a |
Thumbprint algorithm | sha1 | sha1 | sha1 |
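
The property tables above give a defender everything needed to review an Exchange certificate inventory: which certificates are self-signed, which services they are enabled for, when they expire, and how they are signed. The following Python audit is an added example (not Microsoft's code or tooling). Its input records are constructed here and use the `Get-ExchangeCertificate` property names from the tables (`Subject`, `IsSelfSigned`, `Services`, `NotAfter`, `SignatureAlgorithm`, `PublicKeySize`); in practice you would export them with `Get-ExchangeCertificate | Format-List *` and parse that output. The `audit` function, the finding codes and the `CLIENT_FACING` set are choices made for this example.

```python
"""Audit an Exchange certificate inventory (added example; records below are constructed)."""
from datetime import datetime, timedelta

# Constructed sample inventory, not real Get-ExchangeCertificate output. The first
# three mirror the self-signed certificates described in the tables above.
CONSTRUCTED_CERTS = [
    {"Subject": "CN=Mailbox01", "IsSelfSigned": True,
     "Services": ["IMAP", "POP", "IIS", "SMTP"], "NotAfter": "2029-03-01",
     "SignatureAlgorithm": "sha1RSA", "PublicKeySize": 2048},
    {"Subject": "CN=Microsoft Exchange Server Auth Certificate", "IsSelfSigned": True,
     "Services": ["SMTP"], "NotAfter": "2029-03-01",
     "SignatureAlgorithm": "sha1RSA", "PublicKeySize": 2048},
    {"Subject": "CN=WMSvc-Mailbox01", "IsSelfSigned": True,
     "Services": [], "NotAfter": "2034-03-01",
     "SignatureAlgorithm": "sha1RSA", "PublicKeySize": 2048},
    {"Subject": "CN=mail.contoso.com", "IsSelfSigned": False,
     "Services": ["IIS", "SMTP"], "NotAfter": "2024-06-01",
     "SignatureAlgorithm": "sha256RSA", "PublicKeySize": 2048},
    {"Subject": "CN=legacy.contoso.com", "IsSelfSigned": False,
     "Services": ["IIS"], "NotAfter": "2023-12-31",
     "SignatureAlgorithm": "sha1RSA", "PublicKeySize": 1024},
]

# Services whose clients validate the chain against their trusted root store, so a
# self-signed certificate there causes trust errors (table: "Clients and servers don't
# trust the Exchange self-signed certificate"). SMTP is excluded on purpose: the
# self-signed certificate is what provides opportunistic TLS there by default.
CLIENT_FACING = {"IIS", "POP", "IMAP"}


def audit(certs, today, warn_days=30):
    """Return (subject, finding_code) pairs for certificates that need attention.

    `today` is an ISO date string (YYYY-MM-DD) so runs are reproducible.
    """
    today_dt = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for c in certs:
        subj = c["Subject"]
        services = set(c["Services"])
        if c["IsSelfSigned"] and services & CLIENT_FACING:
            findings.append((subj, "self-signed-client-facing"))
        if not c["IsSelfSigned"]:
            # Chain-validated certificates: clients reject SHA-1 signatures and small keys
            if c["SignatureAlgorithm"].lower().startswith("sha1"):
                findings.append((subj, "sha1-signature"))
            if c["PublicKeySize"] < 2048:
                findings.append((subj, "weak-key"))
        not_after = datetime.strptime(c["NotAfter"], "%Y-%m-%d")
        if not_after <= today_dt:
            findings.append((subj, "expired"))
        elif not_after - today_dt <= timedelta(days=warn_days):
            findings.append((subj, "expiring-soon"))
    return findings


if __name__ == "__main__":
    for subject, code in audit(CONSTRUCTED_CERTS, "2024-05-15"):
        print(f"{code:28} {subject}")
```

Run against the constructed inventory, the audit flags the default `CN=Mailbox01` certificate because it is self-signed yet enabled for IIS, POP and IMAP, leaves the Auth certificate alone (SMTP only, self-signed by design), warns that `mail.contoso.com` expires within 30 days, and reports the CA-issued `legacy.contoso.com` certificate as expired, SHA-1 signed and 1024-bit.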

Browser | PKCS #12 (.pfx) Pickup | Browser-Based Installation | PKCS #10 (Provide CSR) |
---|---|---|---|
Google Chrome 1 - 48 | | | |
Google Chrome 49+ | | | |
Microsoft Internet Explorer | | | |
Microsoft Edge | | | |
Mozilla Firefox | | | |