Exchange Hybrid Deployment Certificate

Does anyone use a Letsencrypt for an Exchange server that is setup as a hybrid deployment with Microsoft 365? I have seen that its possible to use a letsencrypt certificate for an exchange server but as stated here https://docs.microsoft.com/en-us/Exchange/certificate-requirements, certificate needs to be a trusted CA.

Hi @scgsgaog

I don’t use Exchange.

But

Letsencrypt is a trusted CA. That’s the main idea using Letsencrypt certificates. Without that, they would be worthless.

1 Like

Appreciate that, just wasn’t sure if MS maintained a different list for this.

For my personal domain mail server (running Postfix with a Let’s Encrypt certificate), I use Exchange Online Protection as my spam filtering without any problems. I think EOP uses much of the same infrastructure as “Exchange Hybrid” mode, at least in terms of how your servers connect to their servers. You should be all set, especially if you can automate the deployment of renewed certificates every couple months to your mail server.

Thank you, sounds about right. Will give a go and see what happens.

Hi scgsgaog - I am running Exchange 2019 - Recently completed hybrid HCW and everything is working fine. I wrote a short blog - Check this - http://www.infotechram.com/?s=exchange+hcw

Until very recently, most mail servers did not require a SSL Certificate to be from a trusted CA - they only cared the connection was encrypted, so self-signed or non-matching certificates would work.

LetsEncrypt is a trusted CA, but the ISRG root may not be in all your client devices. You may want to use the IdenTrust “TrustID X3 Root” aka “DST Root CA X3” as the chain, which cross-signed the LetsEncrypt intermediary certificates. (See https://letsencrypt.org/certificates/ ).

tldr; LetsEncrypt Certificates should be (are) fine, but you may have more compatibility using the cross-signed root from IdenTrust instead of the ISRG root, as it’s on older devices/operating-systems.