This is the fastest and cheapest way to do this.
1. Go get the DigiCert Certificate Utility from https://www.digicert.com/util/
2. Download it on the server where you want to install the certificate
3. Run the utility and select the existing expiring certificate (you may clean up older and expired ones too)
4. Click on “Create CSR” and agree to import attributes from the previous certificate
5. For the common name input: “*.domain.com” (where domain.com is the domain in question)
6. For the Subject Alternative Names, leave it blank
7. Complete the rest accurately and select at least 2048 for the key size.
8. Hit Generate. Copy the CSR and use it for step 13
9. Go to Namecheap.com (create an account if you do not have one already)
10. Purchase a wildcard Comodo SSL Certificate ($107.15 at the time of this article)
11. Go back to Namecheap and view your available certificates
12. Click on Activate Now
13. Paste the CSR from step 8 and submit the request. You will be asked to provide a valid email. Make sure you have access to it!
14. A few seconds later, go to the email and approve the certificate request.
15. A few minutes later you will find the certificate in your Namecheap-registered email inbox
16. Copy the certificate to the server, in the same directory as the DigiCert utility.
17. Restart the DigiCert utility
18. You will now see the new certificate ready to be applied! Select it and hit Install
19. Give it a friendly name like “wildcard2014”
20. Your certificate is now installed. Now you will need to make it the default for the required services
21. Open IIS and expand until you get to the default website. Right-click and select “Edit Bindings”
22. Select all entries that are “https” on port “443” (there might be just one) and set the binding to the new certificate (you will see it by its friendly name)
23. Restart IIS (top left of the console). Be patient, it might take 2-3 minutes, and this will mean downtime for users
24. Test OWA at https://webmail.yourdomain.com/owa/ and check the certificate with Chrome. It should be issued by Comodo and should be valid and green
25. In most cases you are now done! There are some other cases though where you will need some extra configuration
26. Open the Exchange console
27. Go to Microsoft Exchange > Microsoft Exchange On-Premises > Server Configuration > Client Access
28. Go through Outlook Web App, Exchange Control Panel and Microsoft Server ActiveSync and make sure that the internal and external addresses point to the outside, certified website and not, for example, domain.local/owa etc.
29. If you run into other problems with people getting error messages in their Outlook clients, you might want to check the virtual directories with PowerShell.
30. Start the Exchange Management Shell and run the following: Get-ClientAccessServer, Get-WebServicesVirtualDirectory, Get-OABVirtualDirectory. You might need to check those for problems too.
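The following script is an added example, not part of the original post, that checks the result of the steps above in one go instead of clicking through IIS, Chrome and the Exchange console. It assumes the friendly name “wildcard2014” from the post and uses the hypothetical values domain.com and webmail.domain.com; replace them with your own. It must run in the Exchange Management Shell as an administrator, because the Exchange cmdlets (Get-ExchangeCertificate, Get-OwaVirtualDirectory and friends) only exist there. Besides the IIS binding, Exchange keeps its own mapping of services to certificates, and the real cmdlet for that is Enable-ExchangeCertificate -Services IIS, which the script suggests when the new certificate is not yet enabled for IIS.

```powershell
# Added verification script (not from the original post). All names below are
# placeholders for this example: the friendly name "wildcard2014" from the post,
# the domain "domain.com" and the OWA host "webmail.domain.com".
# Run in the Exchange Management Shell as an administrator.
param(
    [string]$FriendlyName = 'wildcard2014',
    [string]$Domain       = 'domain.com',
    [string]$OwaHost      = 'webmail.domain.com'
)

Import-Module WebAdministration -ErrorAction Stop

# 1. Locate the freshly installed certificate in the machine store and sanity-check it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }

$keySize = $cert.PublicKey.Key.KeySize
Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("Issuer  : {0}" -f $cert.Issuer)
Write-Host ("Expires : {0}" -f $cert.NotAfter)
Write-Host ("Key size: {0} bits" -f $keySize)
if ($cert.Subject -notmatch "CN=\*\.$([regex]::Escape($Domain))") { Write-Warning "Subject is not the wildcard *.$Domain" }
if ($keySize -lt 2048) { Write-Warning "Key is shorter than 2048 bits" }
if (-not $cert.HasPrivateKey) { Write-Warning "Private key is missing; IIS cannot use this certificate" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }

# 2. Every HTTPS binding in IIS should carry the new certificate's thumbprint.
Get-ChildItem IIS:\SslBindings | ForEach-Object {
    $state = if ($_.Thumbprint -eq $cert.Thumbprint) { 'OK' } else { 'MISMATCH' }
    Write-Host ("IIS binding {0}:{1} -> {2} {3}" -f $_.IPAddress, $_.Port, $_.Thumbprint, $state)
}

# 3. Exchange keeps its own service-to-certificate mapping; IIS must be enabled on the new one.
$exCert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ("$($exCert.Services)" -notmatch 'IIS') {
    Write-Warning "Certificate is not enabled for the IIS service in Exchange. Fix with:"
    Write-Warning "  Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services IIS"
}

# 4. Internal and external URLs of the client-access virtual directories must use HTTPS and a
#    hostname covered by the wildcard, not an internal name such as server.domain.local.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OABVirtualDirectory)
foreach ($v in $vdirs) {
    foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
        if (-not $u) { Write-Warning ("{0}: URL not set" -f $v.Identity); continue }
        $covered = ($u.Scheme -eq 'https') -and ($u.Host -like "*.$Domain")
        $state = if ($covered) { 'OK' } else { 'NOT COVERED' }
        Write-Host ("{0,-45} {1,-50} {2}" -f $v.Identity, $u, $state)
    }
}

# 5. Handshake against OWA as a client would and compare what the server actually serves.
#    The validation callback returns $true only so the certificate can be captured;
#    trust is evaluated explicitly afterwards with Verify().
$tcp = New-Object Net.Sockets.TcpClient($OwaHost, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
        ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $ssl.AuthenticateAsClient($OwaHost)
    $served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $same = if ($served.Thumbprint -eq $cert.Thumbprint) { 'matches installed cert' } else { 'DIFFERENT certificate still served' }
    Write-Host ("Served thumbprint: {0} ({1})" -f $served.Thumbprint, $same)
    Write-Host ("Chain builds to a trusted root: {0}" -f $served.Verify())
} finally {
    $ssl.Dispose(); $tcp.Close()
}
```

Step 5 is the part that catches the classic leftover: IIS shows the new binding, but the handshake still returns the old thumbprint because IIS was not restarted, or a second site on the same IP and port kept the old certificate. If step 4 reports NOT COVERED for a URL, Outlook clients will see certificate-name warnings even though OWA in the browser looks fine.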
If you run into problems, just start the discussion here. I have done this many times, and this will definitely work!