Configuring Office Web Apps Server communication using HTTPS

     Hi all :

     Office Web Apps Server can communicate with SharePoint 2013, Lync Server 2013, and Exchange Server 2013 by using the HTTPS protocol. In production environments, we strongly recommend that you use HTTPS. In test environments that contain no user data, you can use HTTP for SharePoint 2013 and Exchange Server 2013 and skip the certificate requirement. Lync Server 2013 supports only HTTPS.

Certificates that are used by Office Web Apps Server must meet the following requirements:

  • The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won’t process the response.)

  • The certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

  • The Friendly name field must be unique within the Trusted Root Certificate Authorities store. If you have multiple certificates that share a Friendly Name field, farm creation will fail because the New-OfficeWebAppsFarm cmdlet will not know which of those certificates to use.

  • The FQDN in the SAN field must not begin with an asterisk (*).

  • The certificate properties and extensions do not matter. For example, customers have asked us whether Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are required. Office Web Apps Server requires no particular certificate property or extension.


     When you installed Office Web Apps Server, you need to request a valid certificate. Now I will to show how to request a OWA certificate.

     1. Logon to ADCS server, open the Certificate Template Console, right-click Web Server and click Duplicate Template :

     2. Enter a Template name , and select Allow private key to be exported :

      3. Click OK to create it, then issue this template:

     4. Logon to Office Web Apps Server, open the Certsrv website :

      5. Click Request a certificate --- advanced certificate request --- Create and submit a request to this CA --- Advanced Certificate Request page , select just created template and enter a certificate name and a Friendly Name :

         6.Click Submit>, then click Install this certificate on the Certificate Issued page:

       7. Then use New-OfficeWebAppsFarm cmdlet to create the Office Web Apps Server farm by HTTPS:

     Note : The URL that you specify for -InternalURL is the FQDN name of the server that runs Office Web Apps Server. The URL that you specify for –ExternalURLis the FQDN name that can be accessed on the Internet. You must specify the friendly name of the certificate by using the –CertificateName parameter. The –EditingEnabled parameter is optional and enables editing in Office Web Apps when it is used together with SharePoint 2013. The –EditingEnabled parameter is not used by Lync Server 2013 or Exchange Server 2013 because those hosts do not support editing.

      8. Last , access to verify that the OWA server farm was created successfully, if Office Web Apps Server works as expected, you should see a Web app Open Platform Interface (WOPI)-discovery XML file in your web browser :




         Justin Gao

         Microsoft (China)


Comments (15)
  1. Justin Gao says:

    Hi Fabian:
    When you issued new certificate template, you need to restart OS make sure you can see it.

  2. Justin Gao says:

    Hi BiggJake :
    The first question is Yes, supported. The second is OK.
    For Lync certificate more information, please refer :

  3. Justin Gao says:

    Hi Chet:
    Yes. 🙂

  4. Anonymous says:

    I am being asked if we can combine the external WAC farm fqdn on the Lync Edge server certificate (FROM external CA) as a SAN and use it on the external side of the RP for the WAC. Is this supported?
    Also, my internal cert for the internal HLB as well as the 2 WAC servers and Farm are from an internal CA, is this ok? (internal cert has the Farm FQDN as subject and the server names as SANs.

  5. Fabian Solis says:

    Hi, I’m trying to configure https for OWA, I’ve followed your “how to” but I can’t request the new certificate based on the template I’ve copied before, I can see the template on the CA but when I go to the website (certsrv) it doesn’t appear on the list, I can only see the default ones. By the way, my CA is a 2008 R2 edition. Hope you can help me solve this.

    Kind regards!

  6. Chet Chudasama says:

    Hi Justin,

    You specified that •The FQDN in the SAN field must not begin with an asterisk (*).
    Does that mean I cannot use an already owned wildcard certificate which I have also used for our SharePoint 2013 environment – eg “*” ?



  7. Virtual Assistant says:

    very nice post liked reading it got very effective information thanks for sharing details on virtual assistant visit for virtual assistant

  8. Erkko Välja says:

    Microsoft Web Apps Server 2013 now supports wildcard. * is working fine now and without problems in our deployment.

  9. Wayne Knopp says:

    Erkko Valja: How did you get the wildcard cert to work? Every time I try to setup the farm using * power shell tells me that it was "unable to find the specified certificate".

    This is the command I’m running:

    New-OfficeWebAppsFarm -InternalUrl "" -ExternalUrl "" -EditingEnabled -CertificateName *

  10. Hi Wayne,

    The -CertificateName switch needs the Friendly Name of the certificate. If you’re not sure what this is for your certificate, open the Certificates snapin in mmc (you can run certlm.msc to get there). Open Personal, then Certificates. Find your certificate,
    right click, select properties. The General tab will show the Friendly Name. You can also change the Friendly Name here.

    Make sure the Friendly Name is unique on this server. If you have multiple servers in a pool, make sure that the Friendly Name is the same across all the servers.


  11. Dmitriy says:

    Wilcard certs doesn’t work after last update for WAC 🙁

  12. lucy says:

    Great post from your hands again. I loved the complete article.
    By the way nice writing style you have. I never felt like boring while reading this article.

    I will come back & read all your posts soon. Regards, Lucy.

  13. Aloysius says:

    Hi Justin, is it correct that I point the office web app public DNS to the reverse proxy public IP address in LYNC context?


  14. Justin Gao says:

    Hi Aloysius:
    You need to use different public IP address.

Comments are closed.

Skip to main content