Plan for third-party SSL certificates for Microsoft 365

This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

To encrypt communications between your clients and the Microsoft 365 environment, third-party Secure Socket Layer (SSL) certificates must be installed on your infrastructure servers.

This article is part of Network planning and performance tuning for Microsoft 365.

Certificates are required for the following Microsoft 365 components:

  • Exchange on-premises

  • Single sign-on (SSO) (for both the Active Directory Federation Services (AD FS) federation servers and AD FS federation server proxies)

  • Exchange Online services, such as Autodiscover, Outlook Anywhere, and Exchange Web Services

  • Exchange hybrid server

Certificates for Exchange On-Premises

For an overview about how to use digital certificates to make the communication between the on-premises Exchange organization and Exchange Online secure, see the TechNet article Understanding Certificate Requirements.

Certificates for Single Sign-On

To provide your users with a simplified single sign-on experience that includes robust security, the certificates shown in the following table are required on either the federation servers or the federation server proxies. The table below focuses on Active Directory Federation Services (AD FS), we also have more information on using third-party identity providers.

Certificate Type Description What you need to know before you deploy
SSL certificate (also called a server authentication certificate)
This is a standard SSL certificate that is used to make communications between federation servers, clients, and federation server proxy computers secure.
AD FS requires an SSL certificate. By default, AD FS uses the SSL certificate that is configured for the default website in Internet Information Services (IIS).
The subject name of this SSL certificate is used to determine the Federation Service (FS) name for each instance of AD FS that you deploy. Consider choosing a subject name for any new certification authority (CA)-issued certificates that best represents the name of your company or organization to Microsoft 365. This name must be Internet-routable.
Caution: AD FS requires that this SSL certificate have no dotless (short-name) subject name.
Recommendation: Because this certificate must be trusted by clients of AD FS, we recommend that you use an SSL certificate issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte.
Token-signing certificate
This is a standard X.509 certificate that's used for securely signing all tokens that the federation server issues and that Microsoft 365 accepts and validates.
The token-signing certificate must contain a private key that chains to a trusted root in the FS. By default, AD FS creates a self-signed certificate. However, depending on the needs of your organization, you can change this certificate to a CA-issued certificate by using the AD FS management snap-in.
Caution: The token-signing certificate is critical to the stability of the FS. If the certificate is changed, Microsoft 365 must be notified of the change. If notification is not provided, users can't sign in to their Microsoft 365 service offerings.
Recommendation: We recommend that you use the self-signed token-signing certificate that is generated by AD FS. By doing so, it manages this certificate for you by default. For example, when this certificate is about to expire, AD FS will generate a new self-signed certificate.

Federation server proxies require the certificate that is described in the following table.

Certificate Type Description What you need to know before you deploy
SSL certificate
This is a standard SSL certificate that is used for securing communications between a federation server, a federation server proxy, and Internet client computers.
This SSL certificate must be bound to the default website in IIS before you can successfully run the AD FS Federation Server Proxy Configuration wizard.
This certificate must have the same subject name as the SSL certificate that was configured on the federation server in the corporate network.
Recommendation: We recommend that you use the same server authentication certificate that is configured on the federation server that this federation server proxy connects to.

Certificates for Autodiscover, Outlook Anywhere, and Active Directory Synchronization

Your external-facing Exchange 2013, Exchange 2010, Exchange 2007, and Exchange 2003 Client Access servers (CASs) require a third-party SSL certificate for secure connections for Autodiscover, Outlook Anywhere, and Active Directory synchronization services. You may already have this certificate installed in your on-premises environment.

Certificate for an Exchange Hybrid Server

Your external-facing Exchange hybrid server or servers require a third-party SSL certificate for secure connectivity with the Exchange Online service. You need to get this certificate from your third-party SSL provider.

Microsoft 365 Certificate Chains

This article describes the certificates you may need to install on your infrastructure. For more information on the certificates installed on our Microsoft 365 servers, see Microsoft 365 Certificate Chains.

See also

Microsoft 365 Enterprise overview