A very basic setup of Office 365 usually doesn’t require certificates since all of the servers and externally facing components are on Microsoft’s end. However, there are two major cases where a certificate for Office 365 is going to be required: ADFS and Office 365 Hybrid Exchange Configuration. Since ADFS is a useful and commonly used technology I will focus on that scenario for now.
If you are wondering what ADFS 2.0 is, it stands for Active Directory Federation Services. For more information on it, see our prior articles:
So for ADFS 2.0 with Office 365, you need a certificate that will sit on your externally facing web server and authenticate to Office 365 and to any incoming devices (Outlook clients, phones, tablets, web browsers for Outlook Web Access, etc.). When buying a certificate, we generally recommend getting it from Godaddy.com (Click on All Products > . Despite the fact that I have never really cared for their commercials, their pricing is good, their site is easy to use, and their certificates work reliably with just about everything out there (since they are a larger provider), including Microsoft products such as Office 365. We’ve been using them for a few years now with no issues.
Choosing a Type of Certificate for Office 365
There are two main choices when purchasing a certificate for Office 365 – standard or wildcard. Standard certificates cover one specific host name in a domain, whereas wildcard certificates can cover all hostnames in a single domain.
For example, if you wanted a certificate for adfs.testdomain.com, a standard certificate would read adfs.testdomain.com, whereas a wildcard certificate would read *.testdomain.com. In a second example, if you then wanted a certificate for mail.testdomain.com, a standard certificate would read mail.testdomain.com and a wildcard certificate would still be the same *.testdomain.com.
So clearly using a wildcard certificate is much more convenient than a standard certificate, with the only downside being that they cost a bit more. As it stands right now on Godaddy.com, a standard SSL certificate runs about $70 a year (less per year if you buy it for 2+ years) and a wildcard certificate costs $200 a year (also less per year if you buy it for 2+ years). In my personal opinion, wildcard certificates are the way to go. If you only need one or two certificates and you are positive you will never need to change their hostnames or add any others in the lifetime of the certificate, then you could save a few tens of dollars a year by going with standard certificates. That being said, I still much prefer the wildcard certificate for its flexibility and the guaranteed set cost no matter how many certificates you need in the future (on that domain). It also gives you the flexibility to experiment and use it in test runs without having to buy a new certificate or reuse your original hostname.
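To make "covers all hostnames in a single domain" precise, here is an added example (my own code, not from the original article) that applies the wildcard rule browsers and Windows Schannel follow: the "*" must be the whole left-most label and stands for exactly one DNS label, so *.testdomain.com covers adfs.testdomain.com and mail.testdomain.com but not the bare testdomain.com or a deeper name like owa.mail.testdomain.com. The hostnames checked are constructed from the article's testdomain.com scenario.

```powershell
# Added example (not from the original article): how a certificate name matches a
# hostname. For wildcards, "*" stands for exactly one label (RFC 6125 rule).
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,   # name in the certificate, e.g. *.testdomain.com
        [Parameter(Mandatory = $true)][string]$HostName    # name the client connected to
    )
    $cert   = $CertName.ToLowerInvariant().TrimEnd('.')
    $target = $HostName.ToLowerInvariant().TrimEnd('.')

    # A standard (non-wildcard) certificate must match the hostname exactly.
    if (-not $cert.StartsWith('*.')) { return ($cert -eq $target) }

    $certLabels   = $cert.Split('.')
    $targetLabels = $target.Split('.')

    # *.testdomain.com has 3 labels, so the host must have 3 labels too:
    # testdomain.com (2 labels) and owa.mail.testdomain.com (4 labels) are NOT covered.
    if ($certLabels.Count -ne $targetLabels.Count) { return $false }

    # Every label to the right of the "*" must match exactly.
    for ($i = 1; $i -lt $certLabels.Count; $i++) {
        if ($certLabels[$i] -ne $targetLabels[$i]) { return $false }
    }
    # The "*" must stand in for a real, non-empty label.
    return ($targetLabels[0].Length -gt 0)
}

# Constructed sample hostnames based on the article's testdomain.com scenario
$checks = @(
    @{ Cert = 'adfs.testdomain.com'; Host = 'adfs.testdomain.com' },     # standard cert, same host
    @{ Cert = 'adfs.testdomain.com'; Host = 'mail.testdomain.com' },     # standard cert, second host: buy another
    @{ Cert = '*.testdomain.com';    Host = 'adfs.testdomain.com' },
    @{ Cert = '*.testdomain.com';    Host = 'mail.testdomain.com' },
    @{ Cert = '*.testdomain.com';    Host = 'testdomain.com' },          # bare domain: NOT covered
    @{ Cert = '*.testdomain.com';    Host = 'owa.mail.testdomain.com' }, # second level: NOT covered
    @{ Cert = '*.testdomain.com';    Host = 'adfs.otherdomain.com' }     # other domain: NOT covered
)
foreach ($c in $checks) {
    $ok = Test-CertNameMatch -CertName $c.Cert -HostName $c.Host
    '{0,-22} {1,-26} {2}' -f $c.Cert, $c.Host, $(if ($ok) { 'covered' } else { 'NOT covered' })
}
```

Keep in mind that the convenience comes from a single private key serving every one of those hostnames, so every server you later export it to (step 6 below) holds the key for the whole domain.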
Generating a Certificate for Office 365
Generating a certificate for Office 365 can be a little tricky the first time you do it, but it’s a pretty straightforward procedure that shouldn’t give you too many problems as long as you follow the directions.
1) Start by going online to buy your certificate. You can find certificates under All Products –> SSL and Security –> SSL Certificates. On the right side of the page, select the type of certificate you want. As I mentioned before, I recommend a wildcard certificate for Office 365 (listed as “Single Domains with Unlimited Sub Domains (Wildcard)”), but the choice is up to you.
2) Add the certificate to your cart and buy it, then navigate to Godaddy’s certificates page. At this point it will need you to generate a certificate request from your server. I will provide instructions on that, but here is the basic idea of how it works: You go to your web server and feed it all the information about the certificate you would like to generate. It then spits out a CSR, which is a text file full of all the information it needs. You take the CSR to Godaddy and paste it in. Godaddy then generates that exact certificate for you to download. Once it is downloaded, you go back to your server and “complete the certificate request” by giving it the certificate from Godaddy. At this point your server should have the matching private key for it and it will be usable. If you want to use it elsewhere, you’ll have to export it from that server.
3) To generate the CSR file, log into your ADFS server and open up the IIS manager (these pictures and instructions will pertain to Server 2008 R2, but should work for 2008 as well). In the left panel, click the name of your server then in the middle panel double click “Server Certificates”. On the right side of the page, click “Create Certificate Request”. From here, fill in the requested information for the certificate. On the second page, make sure your “bit length” is a minimum of 2048 (as seen in the picture below).
Note: For more specifics on all the information you need to fill in, here is Godaddy’s support article on it. For an article on how to generate a certificate for Office 365 using something besides IIS7, here is Godaddy’s support article on that. I should also point out that the certificate request example pictures below are generating a wildcard certificate for Office 365, so the common name used in the cert is *.testdomain.com.
4) Once you have generated the CSR file, it should appear in a text editor like the picture below. Copy and paste this entire thing into the part of Godaddy’s website that requests it and after a few minutes the certificate should be created and available for download.
5) Download the certificate from Godaddy and in the IIS Manager right below the “create certificate request” button, click the “complete certificate request” button. As in the picture below, feed in the certificate from Godaddy and give it a friendly name (just whatever you would like it to appear as when you are dealing with it in the certificate manager). Once you complete this it should appear under “Server Certificates”.
6) You are now free to use it where you please! If you need to use it on more than one server, you can use the certificate manager mmc to export it (with its key) and import it on a new server. Enjoy!
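The same request, complete and export cycle as steps 3 to 6, as an added example that is not from the article: run from an elevated PowerShell prompt on the ADFS server, it uses certreq.exe and certutil.exe instead of the IIS Manager dialogs and adds the check I would do before pasting the CSR into Godaddy. The common name and key length come from the steps above; the organisation, city, state, country, friendly name, file names and password prompt are placeholders I chose.

```powershell
# Added example (not from the original article): steps 3 to 6 from the command
# line with certreq.exe/certutil.exe instead of the IIS Manager dialogs.
# Run from an elevated PowerShell prompt on the ADFS server.
$inf = @"
[NewRequest]
; Placeholder subject for the article's *.testdomain.com wildcard scenario
Subject = "CN=*.testdomain.com, O=Test Domain Inc, L=Irvine, S=California, C=US"
FriendlyName = "ADFS wildcard testdomain.com"
; 2048 bits is the minimum the article calls for; never go lower
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; Exportable so the key can move to other servers (step 6). A wildcard key
; protects every host in the domain, so keep track of where copies end up.
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path .\adfs-request.inf -Value $inf -Encoding Ascii

# Step 3: create the key pair and the CSR (the text you paste into Godaddy in step 4)
certreq -new .\adfs-request.inf .\adfs-request.csr

# Check the request before submitting it: this is the subject and key size the CA will see
certutil -dump .\adfs-request.csr | Select-String 'CN=', 'Public Key Length'

# Step 5: after downloading the issued certificate, bind it to the pending key
certreq -accept .\adfs-certificate.crt

# Confirm it landed in the computer store with its private key and a 2048-bit key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match '^CN=\*\.testdomain\.com' } |
    Select-Object -First 1
$cert | Select-Object Subject, HasPrivateKey, NotAfter, @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }

# Step 6: export with the private key for another server. The PFX is as
# sensitive as the key itself: use a strong password and delete stray copies.
$pfxPassword = Read-Host -Prompt 'PFX password'
certutil -p $pfxPassword -exportPFX My $cert.Thumbprint .\adfs-wildcard.pfx
```

The certreq INF keys above are the standard ones documented for certreq; the same .inf works on Server 2008 R2, where the IIS Manager dialogs in the pictures come from.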
We are here to help!
Office365forbiz.com can be your guide when moving your existing mail system to a new Office 365 platform. We provide migration plans, strategic advice, hand holding and support through your migration wherever you are. Before you start a project, before you even select a plan, contact us and we will help you through, often at no additional cost. For more information email firstname.lastname@example.org or call 949-287-4500.