Get a Certificate for Exchange UM Online

Applies to: Office 365 for enterprises

Topic Last Modified: 2011-11-23

Exchange Online UM requires the use of digital certificates to encrypt all traffic between your on-premises organization and the Microsoft datacenter. You must obtain a digital certificate for the network border element, such as a session border controller, that you are using to communicate with Exchange Online UM. Digital certificates establish trust between your on-premises organization and the Microsoft datacenter and enable mutual transport layer security (mutual TLS or MTLS). After this trust is established, the network border elements at your on-premises organization and at the Microsoft datacenter exchange session keys, and then use these keys to encrypt the subsequent data traffic.

The following information helps you obtain a certificate and then use it to establish trust with Exchange Online UM.

Make sure you have done the following:

  • Signed up for and set up your Microsoft Office 365 for enterprises organization.
  • Installed a session border controller (SBC) on your network border, if you are connecting to a PBX or IP PBX.
  • Set up and connect your PBX or IP PBX with your SBC.

The certificate for your SBC must meet the following requirements:

  • The certificate must be signed by a recognized certification authority (CA). Self-signed certificates, which you generate yourself, aren’t supported.
  • The subject common name in the CN in the certificate must match the Address field of the UM IP gateway that you create in Exchange Online. In Exchange Online UM, the UM IP gateway represents your SBC. For example, if you specify an address of sbcexternal.contoso.com for your UM IP gateway, make sure that the subject name and subject alternative name in the certificate contain the same string, for example, sbcexternal.contoso.com. This string is case-sensitive, so make sure the case is the same.
  • The length of the keys contained in the certificate must be at least 1024 bits. We recommend the use of keys that are 2048 bits long.

For more information, see Understanding TLS Certificates.

Because of these requirements, you will most likely have to purchase a new certificate to connect to Exchange Online UM. Currently, certificates from the following CAs are supported for Microsoft Office 365 for enterprises:

  1. Assign a unique fully qualified domain name (FQDN) for the public interface of your SBC, for example, sbcexternal.contoso.com. You may have to ask a network administrator to do this. Check that this FQDN can be resolved by external DNS clients to the correct IP address.
  2. Use your SBC software to generate a certificate signing request (CSR). In the subject name of the request, enter the SBC’s FQDN, which you just assigned. The subject name is case-sensitive. The CSR is a text file, which contains a section that looks like this:
    -----BEGIN CERTIFICATE REQUEST-----
    << request-specific content here >>
    -----END CERTIFICATE REQUEST-----
    
    Note   Be sure to use your SBC’s software to begin and end the process of certificate generation and loading. This way, if something goes wrong, you aren’t using an unfinished SBC certificate to administer the SBC. To verify that you are administering the SBC independent of the certificate, make sure that you can administer the SBC with HTTP instead of HTTPS.
  3. Go to your chosen CA and follow their instructions to upload the CSR you created to their certificate generation process. Your certificate will also be provided as a text output, similar to the following:
    -----BEGIN CERTIFICATE-----
    << certificate-specific content here >>
    -----END CERTIFICATE-----
    
  4. Use your SBC software to load the resulting certificate in to the SBC.
  5. When the certificate has been loaded, reset any temporary changes made to the protocol security on your SBC.

For more information, see Checklist: Connect a Traditional PBX to Exchange Online UM or Checklist: Connect an IP PBX to Exchange Online UM.

Show: