Get and install a FREE Exchange SAN certificate (Let's Encrypt) - aaqibwani/M365 GitHub Wiki

  • Identify the domains for which you need the certificate, for example: mail.domain.com, autodiscover.domain.com, etc.
  • Go to https://punchsalad.com/ssl-certificate-generator/
  • Enter the domains and an email address, and select DNS as the authentication method.
  • Click "Create Free SSL.."
  • On the next page, you'll get the TXT records that you need to publish in your DNS to verify ownership.
  • Copy the provided host and value. Log in to your DNS provider and create the TXT records in your DNS.

  • It can take some time for DNS propagation, so be patient and periodically click on 'Check DNS'. Once verification is successful, you'll get the CRT bundle and the private key.

Import-ExchangeCertificate -Server <server_name> -FileData ([System.IO.File]::ReadAllBytes('\\<server_name>\c$\<path>\mail.pfx')) -Password (ConvertTo-SecureString -String '<password>' -AsPlainText -Force)

  • Now if you go to EAC, you can see the certificate added to the server. However, the certificate has not yet been enabled. We'll need to enable it for IIS (EAC, OWA) and SMTP, or IMAP and POP if required.
  • Enable the certificate for the IIS and SMTP services using the command below:

Enable-ExchangeCertificate -Thumbprint 8470DC4875E15EC0838013BCA14172FCEF9B0501 -Services SMTP,IIS


  • You have successfully installed and enabled the certificate on the Exchange Server. You can now export and import the same certificate on other Exchange Servers as well.
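
An added example (not part of the original wiki page) that combines the import and enable steps above: it prompts for the PFX password instead of putting it on the command line, takes the thumbprint from the imported certificate, and checks SAN coverage, private key and expiry before enabling the services. The server name, path and required host names are placeholders to replace with your own.

```powershell
# Added example, not from the original wiki. Run in the Exchange Management Shell.
# Placeholders (assumptions): $Server, $PfxPath and the names in $RequiredNames.
$Server        = '<server_name>'
$PfxPath       = '\\<server_name>\c$\<path>\mail.pfx'
$RequiredNames = 'mail.domain.com', 'autodiscover.domain.com'

# Prompt for the PFX password so it does not end up in command history or transcripts.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import and keep the returned object; its Thumbprint identifies this exact certificate.
$imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) -Password $PfxPassword

$cert  = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })

# Every name clients connect to must be in the SAN list, or they get name-mismatch errors.
# Assumption: exact-name matching; a wildcard certificate would need a different check.
$missing = @($RequiredNames | Where-Object { $names -notcontains $_.ToLowerInvariant() })
if ($missing.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) does not cover: $($missing -join ', ')"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without its private key."
}
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}

# Let's Encrypt certificates are short-lived, so report how much validity is left.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host "SANs OK: $($names -join ', '); expires $($cert.NotAfter) ($daysLeft days)."

# Checks passed: bind the certificate to the same services as on this page.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services SMTP,IIS

# Confirm the binding.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains
```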