Creating Self-Signed/Internal CA Certificates for Exchange 2007/2010

By | 2017-01-24T09:54:31+00:00 September 29th, 2014|IT Services|

As an MSP who implements and administers Microsoft Exchange environments for an abundance of clients, I find myself doing certificate related tasks quiet often.  In most cases Exchange certificates are handled via a third-party certificate authorities however I recently had the need to generate a self-signed/internal CA Exchange certificate and figured I would write a quick post regarding the process.  In the following examples I’ll use the domain contoso.com.

First, from Exchange Management Shell, we need to generate the request using the cmdlet New-ExchangeCertificate.  Use ‘Get-Help New-ExchangeCertificate -full’ for additional parameters and syntax.

New-ExchangeCertificate -subjectName “CN=contoso.com” -DomainName contoso.com -GenerateRequest:$True -Keysize 2048 -path c:\temp\contoso.req -privatekeyExportable:$true

Next we need to convert the certificate request to a certificate.  To do this we can use certreq.exe.

certreq.exe -submit -attrib “CertificateTemplate:WebServer” c:\temp\contoso.req

You will be prompted to select your local/domain CA and save the certificate.  Creating/configuring a CA is out of the scope of this article. See Microsoft TechNet regarding creating/configuring a CA.

Once the certificate has been created, open your local computer Personal Certificates store and import the certificate.  This is done via MMC Certificates Snap-In.

MMC

Next we need to acquire the certificates thumbprint.  This can be done using the cmdlet Get-ExchangeCertificate.

Get-ExchangeCertificate

Get-ExchangeCertificate

Lastly, you need to enable the certificate for the desired Exchange services using the cmdlet Enable-ExchangeCertificate.  In this example, I am only enabling it for SMTP and IIS.

Enable-ExchangeCertificate -Thumbprint <enter thumbprint here> -Services “SMTP, IIS”

Also, once the certificate expires, you can renew it using the following.

Get-ExchangeCertificate –Thumbprint <thumbprint> | New-ExchangeCertificate

It is that simple.  Be sure to view ‘get-help <command>’ and/or Microsoft TechNet for additional information on any of these commands.

About the Author:

Mike Ratcliffe
Mike Ratcliffe is a hard working, self motivated system administrator who adapts quickly to new technology, concepts and environments. With over a decade of experience in information technology and having held numerous titles and responsibilities throughout his career, he currently focuses on system administration of Microsoft Active Directory and related technologies, Microsoft Exchange as well as VMware virtualization.