trusted CA certificate

  • Question

  • Hi,

    I successfully migrated my domain from SBS 2008 to 2019 incl. Exchange. Everything works fine, but I cannot figure out certificate issues on mobile devices.

    On workstations/servers, it is enough to import the self-signed certificate to the Trusted Root CA tree. But, for example, on iOS devices it does not work - it requires installing the CA certificate first and then the Exchange certificate itself.

    Can anyone advise me how to create a self-signed certificate with a CA, or how to get the CA certificate for the self-signed cert from Exchange 2019?

    Any advice will be appreciated.



    Monday, September 9, 2019 1:24 PM


All replies

  • Hi

    With the security in today's world, best would be to spend the $$ and buy a proper SSL certificate and you won't end up with these errors.

    You need to have your CA trusted, and you are going to have to have the certificate plus its authority added to every device; it just becomes too messy.

    Hope this helps.

    Monday, September 9, 2019 5:15 PM
  • Use Let's Encrypt. It is free!

    Mariëtte Knap [alumna Microsoft SBS MVP] | Linkedin | Migrations done the easy way | DNN MVP 2019

    Monday, September 9, 2019 6:22 PM
  • Hi Edward,

    I understand, but for my purposes in this case I don't need to spend money on that certificate. That is why I am looking for a free solution.


    Tuesday, September 10, 2019 5:57 AM
  • Hi Mariëtte,

    In short, the procedure will then be: generate a new one, import it to Exchange (EAC), import it to IIS (Default Web Site), import it to clients/devices. Is that enough?

    I need to generate the certificate for more than one domain (, server.domain.local, autodiscover.domain.local, ...). Is that possible with Let's Encrypt?



    • Edited by Robajz Tuesday, September 10, 2019 6:02 AM
    Tuesday, September 10, 2019 5:58 AM
  • Have a look here. That is a Windows client for Let's Encrypt that does the job really well. I have also written a small guide, but it was not aimed at Exchange Server; I hope it gives you an idea of what you can do with it. See Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it. That tutorial will be updated soon so that it includes Exchange Server also.

    • Edited by Mariette Knap Tuesday, September 10, 2019 6:03 AM
    • Marked as answer by Robajz Wednesday, September 11, 2019 8:40 AM
    Tuesday, September 10, 2019 6:02 AM
  • Hi Robajz,

    Apple devices are an exception. I have heard that it is no longer supported to import the self-signed cert to an Apple device since iOS 10.

    So purchasing a 3rd-party CA certificate is necessary, and for your needs, a SAN cert is appropriate.

    Please note that this is not a good place to discuss cert products; let's use Bing, where it is easy for us to find what we need.


    Manu Meng


    Tuesday, September 10, 2019 6:35 AM
  • I will look at the article, thanks. As I see, the Let's Encrypt Authority is valid only for max. 90 days, but I will try it.


    Wednesday, September 11, 2019 7:54 AM
  • Hi Manu,

    The information about not supporting self-signed certs since iOS 10 is correct.

    I am trying to understand what solution is valid and affordable for MS Exchange 2019/Outlook Anywhere. So the main question was about Exchange, sorry about that, but I paid enough money for this product and not everything is described in the knowledge bases.

    I can't afford to pay Microsoft support.


    Wednesday, September 11, 2019 7:59 AM
  • Question about generating - I am not able to generate a certificate that includes the primary domain "" and the alternative names ", autodiscover.domain.local, mailserver.domain.local". The error message is - "name does not end in a public suffix".

    Should I use/generate two different certificates for these purposes? Is it necessary?

    Thank You.


    Wednesday, September 11, 2019 8:44 AM
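
The error quoted in the last post comes up because a public CA such as Let's Encrypt only issues for names under a public suffix, and `domain.local` is not one. As an added example (not from any poster in this thread), the sketch below splits a requested SAN list into names a public CA can take and names that have to be served by an internal CA or dropped from the request. Assumptions: the suffix set is a small constructed excerpt standing in for the full Public Suffix List, and `example.com` is a placeholder for the public domain, which the post does not show.

```python
import ipaddress

# Constructed excerpt for the example; a real check would load the full
# Public Suffix List (publicsuffix.org) instead of this handful of entries.
PUBLIC_SUFFIXES = {"com", "net", "org", "cz", "co.uk"}


def classify(name):
    """Return (issuable_by_public_ca, reason) for one requested DNS name."""
    host = name.strip().rstrip(".").lower()
    if not host:
        return False, "empty name"
    try:
        ipaddress.ip_address(host)
        return False, "IP address, not a DNS name"
    except ValueError:
        pass
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest (bare TLD).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return False, "name is itself a public suffix"
            return True, "ok"
    return False, "name does not end in a public suffix"


def plan_certificates(names):
    """Split a SAN list into names for a public CA and names that need
    an internal CA (or should be dropped from the request)."""
    plan = {"public_ca": [], "internal_only": {}}
    for name in dict.fromkeys(n.strip().lower() for n in names):  # de-duplicate
        ok, reason = classify(name)
        if ok:
            plan["public_ca"].append(name)
        else:
            plan["internal_only"][name] = reason
    return plan


# Constructed sample request: example.com stands in for the public domain,
# which the post does not show; the .local names are the ones from the post.
REQUESTED = ["mail.example.com", "autodiscover.example.com",
             "autodiscover.domain.local", "mailserver.domain.local"]

if __name__ == "__main__":
    for kind, value in plan_certificates(REQUESTED).items():
        print(kind, value)
```

Running the check before submitting a request shows which names would cause the whole order to be rejected.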