Let’s Encrypt and Microsoft Exchange

Free SSL Certificates for Microsoft Exchange

Let’s Encrypt is a free SSL/TLS certificate provider, with automated certificate issuance and renewal tools for Linux and Windows. You can use it to automatically issue and renew SSL certificates on your web servers. This guide shows you how to correctly set up Let’s Encrypt for Microsoft Exchange Server and IIS using freely available tools.

Let’s Encrypt is a great option for SSL/TLS Certificates, as the certificates can be renewed automatically (and it’s totally free!). This installation method is based on how I installed Let’s Encrypt for Microsoft Remote Desktop Services. In fact, this article is largely copied and pasted – so feel free to skip the instructions if you are already familiar, and just go download that handy Powershell script.

What you need

I’ve tested this process on Windows Server 2012 R2, with all Microsoft Exchange roles housed on the one server. You will need to modify these instructions and the script if you have split your role services amongst multiple servers.

Setup Instructions

  1. Download Let’s Encrypt Windows Simple and extract the files to C:\Program Files\Lets Encrypt
  2. Download my Powershell script and save it as C:\Program Files\Lets Encrypt\ExchangeLetsEncrypt.ps1
  3. Run LetsEncrypt.exe
    1. Enter your email address
    2. Accept the terms and conditions
    3. Enter “N” to create a new certificate
    4. Select Option 3 for “SAN Certificate for all bindings of multiple IIS sites” (Exchange >= 2013 has two IIS sites that need a certificate)
    5. Select the “HTTP-01” option: “Create temporary application in IIS”
    6. After the certificate has been created, don’t let it create the auto-renewal scheduled task (we’ll do this later)

If all goes well, you should now have a new SSL Certificate installed in your IIS site. You can confirm this by opening your Microsoft Exchange Web Access site in a browser and checking that the SSL Certificate has been issued by Let’s Encrypt.

There should also be a series of certificate files saved in C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\

However, at this stage not all Exchange roles are using the new certificate: the ACME client only installs it into the IIS bindings, not into Exchange itself.

Our job now is to install the certificate into Exchange. You could do so manually in the ECP, but you would have to repeat that by hand every 60 days as the certificate comes up for renewal.

Instead, we’re going to use Powershell.

If you run the Powershell script, you’ll need to provide just two parameters:

  1. -CertificateImport – The path to the PFX file generated by Let’s Encrypt (found in C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\)
  2. -ServerName – The FQDN of your Exchange server (the internal DNS name used by Active Directory, not any external alias you may have)

Run this script within 10 minutes of generating the original certificate: the script checks the PFX file’s last-modified time and exits without doing anything if the file is older than 10 minutes, so that a daily scheduled run only touches Exchange when a renewal has actually just happened.

You can check the result on the certificates page in the ECP, or by connecting to each Exchange service (OWA in a browser, IMAP, POP, SMTP) and seeing which certificate it presents.

# A script to install a Let's Encrypt certificate in Exchange server
# Hacked together by Anthony Eden (https://mediarealm.com.au/)

param (
    [Parameter(Mandatory=$TRUE, HelpMessage="Path to the PFX file generated by Let's Encrypt")]
    [string]$CertificateImport,

    [Parameter(Mandatory=$TRUE, HelpMessage="Exchange Server FQDN")]
    [string]$ServerName
)

# Only continue if the PFX was (re)written in the last 10 minutes, i.e. a renewal just happened.
# TotalMinutes is used rather than Minutes, which only returns the minutes component (0-59).
if ( ((Get-Date) - (Get-Item $CertificateImport).LastWriteTime).TotalMinutes -gt 10 ) { exit }

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module WebAdministration

# Load the PFX to find the thumbprint of this certificate
$certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certPrint.Import($CertificateImport)

# Import the certificate into Exchange and enable it for the services.
# -Confirm:$false stops the script stalling on a prompt when run from Task Scheduler.
Import-ExchangeCertificate -Server $ServerName -FileName $CertificateImport
Enable-ExchangeCertificate -Server $ServerName -Thumbprint $certPrint.Thumbprint -Services POP,IMAP,IIS,SMTP -Confirm:$false

# Add the cert to the default site in IIS (a site may have more than one https binding)
foreach ($binding in Get-WebBinding -Name "Default Web Site" -Protocol "https") {
    $binding.AddSslCertificate($certPrint.GetCertHashString(), "my")
}

# Add the cert to the Exchange Backend site in IIS
foreach ($binding in Get-WebBinding -Name "Exchange Back End" -Protocol "https") {
    $binding.AddSslCertificate($certPrint.GetCertHashString(), "my")
}

Automating the Renewal of Exchange Certificates

All we need to do now is set up automatic renewal. Thankfully, this can be done with a simple batch script:

"C:\Program Files\Lets Encrypt\letsencrypt.exe" --renew --baseuri "https://acme-v01.api.letsencrypt.org/"
powershell -File "C:\Program Files\Lets Encrypt\ExchangeLetsEncrypt.ps1" -CertificateImport "C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\mail.example.com-all.pfx" -ServerName exchange.example.com

Edit this script to contain the full path to your PFX file, and then schedule it to run in Task Scheduler once per day. The renewal will only take place close to the 60-day expiry window, and when that happens the Powershell script will update the Exchange certificates.
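Registering that daily task can be scripted as well. The following is an added example, not part of the original post; it assumes the two-line batch script above was saved as C:\Program Files\Lets Encrypt\RenewExchange.cmd (a hypothetical name) and that running the task as Local SYSTEM is acceptable on your server (the account needs rights to run the Exchange cmdlets and change IIS bindings).

```powershell
# Added example: register the daily renewal job with Task Scheduler from PowerShell
# instead of clicking through the GUI. Paths and the account are assumptions.
$batchFile = 'C:\Program Files\Lets Encrypt\RenewExchange.cmd'   # assumed name for the batch script above

$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument ('/c "' + $batchFile + '"') `
    -WorkingDirectory 'C:\Program Files\Lets Encrypt'

# Once a day is enough: letsencrypt.exe --renew does nothing until the certificate nears expiry
$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Run as Local SYSTEM with highest privileges so no interactive logon or stored password is needed
# (assumption: verify this account can run the Exchange cmdlets in your environment)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Don't let a hung ACME run pile up, and catch up if the server was off at 3am
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'LetsEncrypt Exchange Renewal' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# Confirm the task exists, when it will next run, and the exit code of the last run (0 = success)
Get-ScheduledTask -TaskName 'LetsEncrypt Exchange Renewal' | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```

After the first scheduled run, check LastTaskResult in the output above and the Task Scheduler history tab if it is non-zero.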

Monitoring the Certificate Renewal

No one likes lapsed certificates or certificate warnings. Prevent this by subscribing to a free SSL Expiry Checker, such as CertificateMonitor.org (or the host-it-yourself version).
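You can also run a local check against the server itself, which doubles as the “see which certificate it presents” step from the installation section. This is an added example, not from the original post: it opens a TLS connection to each implicit-TLS Exchange port and reports the issuer, thumbprint and days remaining. The host name, port list and 14-day warning threshold are assumptions.

```powershell
# Added example: report the certificate each TLS-enabled Exchange service presents and its remaining lifetime.
$ExchangeHost = 'mail.example.com'   # assumed: the public name on the certificate
$WarnDays     = 14                   # assumed threshold; LE certs last 90 days and renew at about 60

function Get-ServiceCertificate {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($ComputerName, $Port)
    # Accept any chain: the goal is to see what the server presents, not to trust it
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# Implicit-TLS ports only; SMTP on port 25 uses STARTTLS and needs a protocol exchange first
$ports = [ordered]@{ 'IIS (OWA/ECP/EWS)' = 443; 'IMAPS' = 993; 'POP3S' = 995 }

foreach ($name in $ports.Keys) {
    $cert     = Get-ServiceCertificate -ComputerName $ExchangeHost -Port $ports[$name]
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state    = if ($daysLeft -lt $WarnDays) { 'RENEW NOW' } else { 'ok' }
    '{0,-20} issuer={1}  thumbprint={2}  expires={3:yyyy-MM-dd} ({4} days) {5}' -f `
        $name, $cert.Issuer, $cert.Thumbprint, $cert.NotAfter, $daysLeft, $state
}
```

If the thumbprints differ between ports after a renewal, the Exchange script did not run (check the 10-minute window) or a service still holds the old binding.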


That’s it! Hopefully these instructions have allowed you to install a Let’s Encrypt Free SSL Certificate in Microsoft’s Exchange Server. If you have any tips, please post them in the comments below!


I'm Anthony Eden, and I'm an IT Professional, Broadcast Technician, Software Developer, and Solutions Engineer. I've been working in broadcast media since 2008, and developing software and websites for just as long. Right now, I provide freelance services through Media Realm - in particular, to the media and not-for-profit industries.
