Change Internal Names in Exchange Server for new SSL Certificate Rules

Today i would like to explain how can change local names of your Exchange Server Services like Autodiscovery to deal with a Full Quaolified Domain Name for an SSL Certificate . If you don't know all Certificate Authorities from 1 November 2015 will not accept local names in SSL Certificates.

Read the Updates from Certificate Authorities like or When you install Exchange Server in your evniroment by default the URL that is stored in the Services that use SSL like autodiscovery , OAB and OWA use the internal NetBios Name of the Server.

For example if your local domain name is test.local and your name of the Exchange Server is EXCH01 then the URI for the autodiscovery will be https://EXCH01.test.local/autodiscover/autodiscover.xml.  

If you don't have change the URL's then already face an issue with your Outlook Clients. All your Outlook clients will get a Warning "The name of the security certificate is invalid or does not match the name of the site" 

This happened because the Url that tries Outlook to connect can't find in the new SSL Certificate because not support local names any more. 

Below i will explain how can deal with FQDN in SSL Certificates for Exchange Server.

  1. SSL Requirement in Exchange Server 2010 
  2. How to install SSL Certificate.
  3. Where to Buy an SSL Certificate.
  4. Configure the SSL Certificate after Buy it.
  5. Change Local Name in Exchange Server to FQDN for the SSL Certificate.
  6. Verify changes for Internal Url


SSL Requirements in Exchange Server 2010

Microsoft Exchange Server 2010 use many services that required SSL Certificate. So Exchange Server that hosted Client Access Role need SSL Certificate for the services:

  • Autodiscover
  • Exchange Web Services
  • Outlook Web App
  • Outlook Anywhere

Can't buy a simple SSL Certificate with one domain but must choose Subject Alternative Name (SAN) SSL Certificate . The specific certificate can cover more that one domain names. Ususally start from 5 domains.

How to install SSL Certificate.

  • Open Exchange Management Console
  • Click in Server Configuration and from the right side you will see the Exchange Certificates
  • Right click in the space and select New Exchange Certificate.

  • Type a friendly Name and click Next

  • Don't check Enable wildcard certificate and click Next.

  • Open every option, check the service that will use with the certificate and type the FQDN and not the local name of your Exchange Server.

  • In the Next step check very carefully the domain names and remove any local domain name.Click Next.

  • Fill all the fields. Click Browse and save the .req file that will be generate. This is the CSR that will be requested from your Certificate Authority.

  • Check your Configuration and click New.

Where to Buy an SSL Certificate

There are lots of Certificate Autorities out there to choose. One of them that you can use is the SSL2BUY. In any case be sure that the company that will buy the  SSL Certificates must support multiple domains. 


Configure the SSL Certificate after Buy it.

After buy the SSL Certificate will be request to upload the CSR file (It is the file .req file which save when created the new Certificate in the Exchange Server). After upload the CSR the Certificate Authority you must wait to verify your domain and other things. Maybe takes a day to completed.

When the certificate generate for you you must follow the steps.

  • Open Exchange Management Console
  • Click in Server Configuration and from the right side you will see the Certificate that you have create
  • Right click and select Complete Pending Request.

  • Browse and find the files from your certificate that Download from Certificate Authority and click Complete.
  • After finish successfull click Finish.
  • Right click in your Certificate and select Assign Services to the Certificate.

  • Select your Exchange Server and click Next
  • Select Services that you must have and click Asssign. For my Certificate i have assign IIS,SMTP,IMAP. It depends from your enviroment.

Now you have create your SSL Certificate for your Services but you must do one step more to avoid Warnings in Outlook Clients.

Change Local Name in Exchange Server to FQDN for the SSL Certificate.

Now it's time to configure the Exchange Server and change the Local Name which use for the Services. But  What we must change?

The Service Connection Point object for the Autodiscover service 
The InternalUrl attribute of Exchange Web Service (EWS)
The InternalUrl attribute of the Offline Address Book Web service
The InternalUrl attribute of the Exchange unified messaging (UM) Web service 


IMPORTAN - Add a Host Record in your DNS Server to map the FQDN of your Exchange Server

First of all before start to change the attributes you must be sure that you have add a host record in yur DNS Server to map the FQDN of your CAS Server.

  • Open your DNS Server
  • Expand Forward Lookup Zones
  • Click in your appropriate Zone and create a new Host Record. See the example  with IP Address (which is internal Ip Address of Exchange Server).

If you don't create the Host Record then you will face issues when do the following changes.

  • Start the Exchange Management Shell and note that from the commands  MUST

Change CAS_Server_Name with the Netbios Name of your Exchange Server.
Change with your FQDN. The domain name that you have add in SSL Certificate. 

  • Change the Service Connection Point for the Autiduscobery Service

Type the command 
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUrl  


  • Change the InternalUrl attribute of Exchange Web Service (EWS)

Type the command
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

  • Change  the InternalUrl attribute of the Offline Address Book Web service

Type the command
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl

  • Change  InternalUrl attribute of the Exchange unified messaging (UM) Web service 

Type the command
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl

If you want to verify that you have change the Internal Url attributes you can run the following command

Verify changes for Internal Url

If you want to chack that commands which run to change InternalUrl has already change do the following

  • Open Outlook
  • Keep Ctrl Button and Right click in Outlook icon from Taskbar.
  • Select Tes Email AutoConfiguration

  • Uncheck Use Guesmaster and Secure GuessMaster Authentication.
  • Type your password and click Test
  • Check the Availability Service,OOA URL and OOF URL , Unified message Service Url.

This is the way to resolve the problem that arise after the new Rules for SSL Certificates.

Do you already have the problem with SSL Certificates and Warnings in Outlook Clients? Do you have resolve it or not? Share your answer or your questions in the comments below.

Have a nice weekend!!!

Bye !!!