bg-tutorials

How to Generate a CSR in Microsoft Exchange

This guide shows you how to generate a CSR (Certificate Signing Request) in Microsoft Exchange Server. It covers the current releases (Exchange Server Subscription Edition and Exchange 2019 CU15+) using both PowerShell and the Exchange Admin Center, the PowerShell-only path required on Exchange 2016 (CU23+) and Exchange 2019 CU12 to CU14, and archival steps for legacy Exchange 2013, 2010, 2007, and 2003.

This tutorial applies to Microsoft Exchange Server (on-premises) only. If you use Exchange Online as part of Microsoft 365, you do not generate a CSR: TLS for your *.mail.protection.outlook.com and *.outlook.com endpoints is managed by Microsoft and cannot be replaced with a third-party certificate.

Which method should I use?

Exchange handles certificate management differently in different versions. Microsoft removed the certificate options from the Exchange Admin Center (EAC) in Exchange 2016 CU23 (September 2021) and Exchange 2019 CU12 (April 2022), then restored them in Exchange 2019 CU15 (February 2025) and in Exchange Server Subscription Edition (released July 1, 2025). Check your version and CU before you start.

To find your build, run this in the Exchange Management Shell:

Get-ExchangeServer | Format-List Name,AdminDisplayVersion
Exchange versionCSR methodNotes
Exchange Server SE (2025+)EAC or PowerShellCurrent product. Code-equivalent to 2019 CU15.
Exchange 2019 CU15EAC or PowerShellFinal CU for 2019. EAC certificate wizard restored.
Exchange 2019 CU12 to CU14PowerShell onlyEAC certificate options removed by KB5014278.
Exchange 2016 CU23+PowerShell onlyEAC certificate options removed; out of mainstream support since October 14, 2025.
Exchange 2013EAC or PowerShellOut of support (April 11, 2023). Migrate when possible.
Exchange 2010, 2007, 2003Legacy GUI / shellLong out of support. Archival reference only.

Pick the section below that matches your version:

Generate a CSR on Exchange Server SE, Exchange 2019, and Exchange 2016

The PowerShell method below works on every supported version from Exchange 2013 through Exchange Server SE, and it is the only supported method on Exchange 2016 (CU23+) and Exchange 2019 CU12 to CU14. On Exchange Server SE and Exchange 2019 CU15+, you can also use the EAC wizard, covered after the PowerShell flow.

Method 1: PowerShell (Exchange Management Shell)

Open Exchange Management Shell as an administrator on the Exchange server that will hold the private key. Run the New-ExchangeCertificate cmdlet with -GenerateRequest, then save the returned CSR text to a file with Set-Content. This two-step pattern is required because Microsoft removed the -RequestFile parameter from the cmdlet in Exchange 2016 CU23 and Exchange 2019 CU12 (security update KB5014278). Older guides that pass -RequestFile or -Path directly will fail on current builds.

New-ExchangeCertificate `
  -GenerateRequest `
  -SubjectName "C=US, S=California, L=San Francisco, O=Example Inc, OU=IT, CN=mail.example.com" `
  -DomainName mail.example.com, autodiscover.example.com `
  -KeySize 2048 `
  -PrivateKeyExportable $true `
  | Set-Content -Path "C:\certs\exchange.req"

Edit the values to match your environment:

  • C is the two-letter country code (US, GB, DE, and so on).
  • S is the full state or province name (do not abbreviate).
  • L is the full city or locality name.
  • O is the legally registered company name.
  • OU is the department, often “IT”. This field is optional.
  • CN is the primary fully qualified host name the certificate will secure, for example mail.example.com.
  • -DomainName is a comma-separated list of every host name the certificate must cover (Subject Alternative Names). For a typical Exchange deployment, list at least mail.example.com and autodiscover.example.com. Add any other names clients use: webmail, owa, the EWS host, hybrid hostnames, and so on.
  • -KeySize 2048 matches CA/Browser Forum baseline requirements. Use 3072 or 4096 only if your policy requires it.
  • -PrivateKeyExportable $true lets you export the key later for backup or for use on additional Exchange nodes in the same DAG.

Wildcard certificate. For a wildcard, set the CN and one of the DomainName entries to the wildcard pattern, for example CN=*.example.com and -DomainName *.example.com,example.com. Note that some Exchange features (notably Outlook Anywhere on older builds) historically had limitations with wildcards; for production we recommend a multi-domain (SAN) certificate that lists each host name explicitly.

After the cmdlet runs, open the saved file in Notepad and verify it looks like a normal PEM CSR:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC6TCCAdECAQAwgaMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
...
-----END NEW CERTIFICATE REQUEST-----

Copy the entire block, including the BEGIN and END lines (five hyphens on each side), and paste it into the CSR field of your SSL order. If you want to decode and inspect the CSR before submitting, run it through our CSR Decoder to confirm the common name, SANs, and key size are correct.

The pending request stays on this Exchange server until you complete it with the issued certificate. List pending requests with:

Get-ExchangeCertificate | Where-Object {$_.Status -eq "PendingRequest"} | Format-List FriendlyName,Thumbprint,Subject

Method 2: Exchange Admin Center (Exchange Server SE and 2019 CU15+ only)

The EAC certificate wizard is available again on Exchange Server SE and on Exchange 2019 CU15. If you are on Exchange 2016 (any CU from CU23), Exchange 2019 CU12, CU13, or CU14, the wizard is not present: use the PowerShell method above instead.

  • Sign in to the EAC at https://<exchange-server>/ecp with an account that has the Organization Management role.
  • Go to Servers > Certificates.
  • In the Select server dropdown, pick the Exchange server that will own the private key.
  • Click the + button to start the New Exchange Certificate wizard.
  • Choose Create a request for a certificate from a certification authority, then click Next.
  • Enter a Friendly name that identifies the certificate later, for example mail.example.com 2026. This is a label only.
  • For a wildcard, tick Request a wildcard certificate and enter the root domain (for example example.com). For a standard or multi-domain (SAN) certificate, leave the box unchecked and click Next.
  • Click Browse and select the Exchange server that should store the certificate request, then click Next.
  • If you are not requesting a wildcard, select the services (OWA, ECP, Outlook Anywhere, OAB, Autodiscover, POP, IMAP) the certificate will protect, then click Next. Exchange uses this to suggest the SAN list.
  • Review the list of host names, add or remove names with + and the minus button, and confirm the primary common name. Click Next.
  • Fill in your organization details: the legal organization name, department, country/region, city, and state or province. Use full spellings (not abbreviations).
  • Under Save the certificate request to the following file, enter a path you can reach later, for example \\exch01\c$\certs\exchange.req, then click Finish.
  • Open the saved .req file in Notepad, copy the full text including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– markers, and paste it into your CA’s order form.

Once the CA issues the certificate, return to Servers > Certificates, select the pending request, and click Complete. Follow the steps in our Exchange SSL installation guide to finish the install and assign services.

Generate a CSR on Exchange 2013 (legacy)

Legacy notice: Exchange 2013 reached end of support on April 11, 2023, and no longer receives security updates. Plan a migration to Exchange Server SE. The steps below are for archival reference.

  • Open the EAC at https://<server>/ecp and sign in.
  • Go to Servers > Certificates and pick the target server in the dropdown.
  • Click the + icon to launch the New Exchange Certificate wizard.
  • Choose Create a request for a certificate from a certification authority, click Next.
  • Enter a Friendly name, then click Next.
  • For a wildcard, tick the wildcard box and enter the root domain (for example *.example.com); otherwise leave it unchecked. Click Next.
  • Click Browse and select the server where the private key should be stored, then click Next.
  • Select the Exchange services the certificate will secure (OWA, ECP, Outlook Anywhere, Autodiscover, SMTP, POP, IMAP), then click Next.
  • Review the SAN list, add any missing host names with +, remove any unneeded entries, and click Next.
  • Fill in the organization details (legal name, department, country, city, state), then click Next.
  • Enter the UNC path where the .req file should be saved (for example \\exch01\c$\certs\exchange.req), then click Finish.
  • Open the file in Notepad and copy the full block (including the BEGIN and END lines) into your CA’s CSR field.

When the issued certificate arrives, complete the pending request from the same Certificates screen and continue with the install.

Generate a CSR on Exchange 2010 (legacy)

Legacy notice: Exchange 2010 went out of extended support on October 13, 2020. It does not receive security updates and should not run public-facing services. Steps are kept here for teams maintaining isolated internal systems only.

  • Launch the Exchange Management Console from Start > All Programs > Microsoft Exchange Server 2010.
  • In the left tree, expand Microsoft Exchange On-Premises and click Server Configuration.
  • In the Actions pane on the right, click New Exchange Certificate.
  • On the Introduction screen, enter a Friendly name and click Next.
  • In Domain Scope, leave the wildcard box unchecked for a standard certificate or tick it and enter the root domain (for example *.example.com) for a wildcard, then click Next.
  • Under Exchange Configuration, select the services that should be secured (OWA, Outlook Anywhere, Autodiscover, POP, IMAP, SMTP, Unified Messaging) and click Next.
  • On Certificate Domains, add the common name (the primary FQDN), click Set as common name, then click Next.
  • Fill in the Organization and Location details: full legal organization name, department, country, city, and state, then click Browse and choose a save location plus a file name for the .req file. Click Save, then Next, New, and Finish.
  • Open the saved file with Notepad and copy the entire content, including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– lines, into your CA’s order form.

After the CA issues the certificate, complete the pending request back in the Exchange Management Console.

Generate a CSR on Exchange 2007 (legacy)

Legacy notice: Exchange 2007 went out of extended support on April 11, 2017. Steps are provided for archival reference only.

  • Open Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
  • Adapt the cmdlet below in Notepad, then paste it into the shell. Replace the example subject values with your real organization details and the host names you need to secure.
New-ExchangeCertificate `
  -GenerateRequest `
  -SubjectName "C=US, S=California, L=San Francisco, O=Example Inc, OU=IT, CN=mail.example.com" `
  -DomainName mail.example.com, autodiscover.example.com `
  -KeySize 2048 `
  -PrivateKeyExportable $true `
  -Path C:\certs\exchange.req

On Exchange 2007 the original -Path parameter still works (the UNC-path restriction in KB5014278 was applied to Exchange 2016 and 2019 only). Edit the subject fields the same way as in the modern PowerShell section above:

  • C, S, L, O, OU, and CN follow the standard X.509 subject convention.
  • -DomainName takes a comma-separated SAN list. For a wildcard, use *.example.com.
  • -KeySize 2048 is the minimum accepted by public CAs.
  • -PrivateKeyExportable $true lets you export the certificate and key later.
  • -Path is the local file where the CSR will be written.

After the cmdlet completes, open the file in Notepad and copy the full PEM block (including the BEGIN and END lines, with five hyphens on each side) into your CA’s CSR field.

Generate a CSR on Exchange 2003 (legacy)

Legacy notice: Exchange 2003 went out of extended support on April 8, 2014. It is not safe for any public infrastructure and modern public CAs may refuse to issue SHA-256 certificates that 2003-era clients can validate. Migrate as soon as you can.

Exchange 2003 did not include its own certificate request tooling. CSR generation was handled by the underlying IIS 6 web server, then the issued certificate was bound to the Exchange virtual protocol servers (SMTP, POP3, IMAP4) through Exchange System Manager. Follow our companion guide on how to generate a CSR in Microsoft IIS (IIS 6 section) to produce the request, then return to your CA to order the certificate.

Verify your CSR before submitting

Before you paste the CSR into the order form, decode it to confirm the details are correct. A typo in the common name, a missing SAN, or a short key length will reject the order or force a free reissue later. Paste your CSR into our CSR Decoder to see the common name, full SAN list, organization, country, signature algorithm, and key size.

Once the CA validates the request and issues the certificate, continue with our step-by-step Exchange SSL installation guide to import the certificate and assign it to IIS, SMTP, and any other services you run.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.