Certificate for Exchange Server only?

Hi. I’m pretty new to this whole PKI/certificate world (but I’ve read a lot already).

I have a Win Server 2019 running Exchange Server 2019, and all I want is to get a Let’s Encrypt certificate bound to the Exchange Server - we are not using the web server to host anything public other than Outlook on the Web. Everything I’ve read so far indicates that I have to get a certificate for my IIS and then bind that to the Exchange Server. I have the server configured as a CCS (Centralized Certificate Server) in case that matters.
My questions so far:

  1. Can I implement a certificate directly and only for my Exchange server (without doing IIS first)?
  2. What site name should I use, i.e., I’m going to have to create a public domain name accessible via http port 80, right? Again, I don’t need or want to make an IIS site publicly accessible (other than Outlook/web)
  3. I haven’t installed CertifyTheWeb yet - will I be able to accomplish the automated binding to the Exchange server, and the re-binding required after every certificate renewal, using the program? (or will I, for example, have to create a PowerShell script for that)

Thanks very much

Hi,

The best way to try this out is to set up a test server so you can experiment with the configuration. You need port 80 open and you can use the http validation feature of Certify The Web to validate your certificate - the app has a built-in http challenge server so by default you don’t need IIS (but you do need port 80 open).

For http validation your public site name pointing to your server must be the same as the name you want in your certificate (e.g. webmail.domain.com).

You can optionally use DNS validation instead of http validation, but this sometimes requires a change of DNS host in order to get one with a supported API for the necessary automatic changes (creation/update of a TXT record as part of domain challenge validation). DNS validation has the benefit that your server does not need to present a public server on port 80, but your DNS itself must have a version that can be publicly queried (Let’s Encrypt queries this directly).

Once the app has acquired the certificate for you, you can use a script to apply the certificate and restart any required services. In the case of Exchange we provide an example script you can adapt as required, for example: https://github.com/webprofusion/certify/blob/development/src/Certify.Shared/Scripts/Common/MSExchangeEnableServices.ps1
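As an added illustration of the post-renewal step described in this reply (this is not the project's linked script nor code from the original thread), the following PowerShell script binds the freshly issued certificate to the Exchange services. It assumes Certify The Web invokes it after each request with a `$result` object carrying `IsSuccess` and `ManagedItem.CertificateThumbprintHash`, and that it runs on the Exchange server where the management snap-in is available.

```powershell
# Assumed hook: Certify The Web passes a $result object to post-request scripts
# with $result.IsSuccess and $result.ManagedItem.CertificateThumbprintHash.
param($result)

# Do nothing if the request or renewal failed; the previous binding stays in place.
if (-not $result.IsSuccess) {
    Write-Host "Certificate request did not succeed; Exchange bindings left unchanged."
    return
}

$thumbprint = $result.ManagedItem.CertificateThumbprintHash

# Load the Exchange management cmdlets if this session does not already have them.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
}

# Confirm the certificate is actually in the local machine store and still valid
# before changing which certificate Exchange presents to clients.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction Stop
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumbprint is already expired; refusing to bind it."
}

# Bind the certificate to the services that clients connect to (Outlook on the Web and
# Outlook use IIS; SMTP covers TLS for mail transport). Add POP/IMAP only if they are in use.
# -Force suppresses the interactive confirmation that would otherwise hang an unattended run.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP -Force

# Record the resulting binding so each renewal leaves an auditable trail in the app's log.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Select-Object Thumbprint, Services, NotAfter |
    Format-List | Out-String | Write-Host
```

Register the script in the managed certificate's post-request task in Certify The Web so it runs on every renewal; the same thumbprint check makes it safe to re-run by hand when troubleshooting.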

Thanks, much appreciated.