As an MSP who implements and administers Microsoft Exchange environments for an abundance of clients, I find myself doing certificate-related tasks quite often. In most cases Exchange certificates are issued by third-party certificate authorities; however, I recently had the need to generate an Exchange certificate from a self-signed/internal CA and figured I would write a quick post regarding the process. In the following examples I'll use the domain contoso.com.
First, from the Exchange Management Shell, we need to generate the request using the cmdlet New-ExchangeCertificate. Use 'Get-Help New-ExchangeCertificate -Full' for additional parameters and syntax.
New-ExchangeCertificate -SubjectName "CN=contoso.com" -DomainName contoso.com -GenerateRequest:$true -KeySize 2048 -Path c:\temp\contoso.req -PrivateKeyExportable:$true
Next, we need to submit the certificate request to the CA so it can be issued as a certificate. To do this we can use certreq.exe.
certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\temp\contoso.req
You will be prompted to select your local/domain CA and save the certificate. Creating/configuring a CA is out of the scope of this article. See Microsoft TechNet regarding creating/configuring a CA.
Once the certificate has been issued, open the local computer's Personal certificate store and import the certificate. This is done via the MMC Certificates snap-in.
Next we need to acquire the certificate's thumbprint. This can be done using the cmdlet Get-ExchangeCertificate.
Lastly, you need to enable the certificate for the desired Exchange services using the cmdlet Enable-ExchangeCertificate. In this example, I am only enabling it for SMTP and IIS.
Enable-ExchangeCertificate -Thumbprint <enter thumbprint here> -Services "SMTP, IIS"
Also, once the certificate expires, you can renew it using the following:
Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate
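The whole procedure above can be scripted so that the issued certificate is checked (trusted chain, covers the intended names, adequate key size) before it is bound to any service. This is an added example, not from the original post; it assumes Exchange 2010 or later (where -GenerateRequest returns the request text instead of taking -Path), and the hostnames, CA name, paths and template are placeholders to adjust for your environment.

```powershell
# Added example: request, issue, import and enable an internal-CA Exchange certificate.
# Run from the Exchange Management Shell on the target server. All names below are assumed.
$Names   = @('mail.contoso.com', 'autodiscover.contoso.com')   # assumed SANs
$ReqPath = 'C:\temp\contoso.req'
$CerPath = 'C:\temp\contoso.cer'
$CAConfig = 'CAHOST\Contoso-Issuing-CA'   # placeholder; 'certutil -dump' lists real CA configs

# 1. Generate the CSR. On Exchange 2010+ the cmdlet returns the PEM text, so write it out ourselves.
$Req = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$($Names[0]),O=Contoso,C=US" `
           -DomainName $Names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $ReqPath -Value $Req -Encoding Ascii

# 2. Submit to the enterprise CA. -config avoids the interactive CA picker; -attrib selects the template.
certreq.exe -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq.exe failed with exit code $LASTEXITCODE" }

# 3. Import the issued certificate; Exchange matches it to the pending request's private key.
$Imported = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
$Cert = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

# 4. Sanity checks before enabling: chain must be trusted, names must match, key must be large enough.
if ($Cert.Status -ne 'Valid') { throw "Status is '$($Cert.Status)'; is the internal root CA trusted on this server?" }
if ($Cert.IsSelfSigned)      { throw 'Certificate is self-signed; the CA did not issue it' }
$Missing = $Names | Where-Object { $Cert.CertificateDomains -notcontains $_ }
if ($Missing) { throw "Certificate does not cover: $($Missing -join ', ')" }
if ($Cert.PublicKeySize -lt 2048) { throw "Key size $($Cert.PublicKeySize) is below 2048 bits" }

# 5. Bind the certificate to SMTP and IIS only, then show what is now in effect.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services SMTP,IIS -Force
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint | Format-List Subject,CertificateDomains,NotAfter,Services
```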
It is that simple. Be sure to view 'Get-Help <command>' and/or Microsoft TechNet for additional information on any of these commands.