Creating Self-Signed/Internal CA Certificates for Exchange 2007/2010

As an MSP who implements and administers Microsoft Exchange environments for an abundance of clients, I find myself doing certificate-related tasks quite often.  In most cases Exchange certificates are handled via third-party certificate authorities; however, I recently had the need to generate a self-signed/internal CA Exchange certificate and figured I would write a quick post regarding the process.  In the following examples I’ll use the domain

First, from Exchange Management Shell, we need to generate the request using the cmdlet New-ExchangeCertificate.  Use ‘Get-Help New-ExchangeCertificate -full’ for additional parameters and syntax.

New-ExchangeCertificate -SubjectName "<subject name>" -DomainName <domain names> -GenerateRequest:$True -KeySize 2048 -Path c:\temp\contoso.req -PrivateKeyExportable:$true

Next we need to convert the certificate request to a certificate.  To do this we can use certreq.exe.

certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\temp\contoso.req

You will be prompted to select your local/domain CA and save the certificate.  Creating/configuring a CA is out of the scope of this article. See Microsoft TechNet regarding creating/configuring a CA.

Once the certificate has been created, open your local computer Personal Certificates store and import the certificate.  This is done via MMC Certificates Snap-In.


Next we need to acquire the certificate's thumbprint.  This can be done using the cmdlet Get-ExchangeCertificate.



Lastly, you need to enable the certificate for the desired Exchange services using the cmdlet Enable-ExchangeCertificate.  In this example, I am only enabling it for SMTP and IIS.

Enable-ExchangeCertificate -Thumbprint <enter thumbprint here> -Services "SMTP, IIS"

Also, once the certificate expires, you can renew it using the following.

Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate

It is that simple.  Be sure to view ‘get-help <command>’ and/or Microsoft TechNet for additional information on any of these commands.
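
A check worth running between the thumbprint step and Enable-ExchangeCertificate, as an added example that is not part of the original post: it confirms the imported certificate has its private key, was issued by the CA, meets the requested key size, is inside its validity period and carries every host name clients will use. The function name Test-ExchangeCertReady, the 30-day warning window and the host name are assumptions made for illustration, and the property names are the ones that 'Get-ExchangeCertificate | Format-List' displays.

```powershell
# Added example (not from the original post); run in the Exchange Management Shell.
function Test-ExchangeCertReady {
    param(
        [string]   $Thumbprint,         # as listed by Get-ExchangeCertificate
        [string[]] $RequiredNames,      # host names clients connect to
        [int]      $MinKeySize = 2048,  # same value as -Keysize in the request
        [int]      $WarnDays   = 30     # renewal warning window (assumption)
    )
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $problems = @()
    $now = Get-Date

    # The private key lives on the server that generated the request; a
    # certificate imported anywhere else has none and cannot serve TLS.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    # The store usually also holds Exchange's default self-signed certificate;
    # this flags picking that thumbprint instead of the CA-issued one.
    if ($cert.IsSelfSigned) { $problems += 'self-signed, not CA-issued' }
    if ($cert.PublicKeySize -lt $MinKeySize) {
        $problems += "key size $($cert.PublicKeySize) is below $MinKeySize"
    }
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt $now) {
        $problems += 'expired'
    } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
        Write-Warning "Expires $($cert.NotAfter); plan the renewal."
    }

    # Each required name must be on the certificate, either exactly or via a
    # wildcard entry covering its parent domain.
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    foreach ($name in $RequiredNames) {
        $n = $name.ToLower()
        $dot = $n.IndexOf('.')
        $wild = $null
        if ($dot -gt 0) { $wild = '*' + $n.Substring($dot) }
        if (($names -notcontains $n) -and ($names -notcontains $wild)) {
            $problems += "name not on certificate: $name"
        }
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Constructed values: substitute your own thumbprint and host names.
$tp = '<thumbprint>'
if (Test-ExchangeCertReady -Thumbprint $tp -RequiredNames 'mail.example.test') {
    Enable-ExchangeCertificate -Thumbprint $tp -Services "SMTP, IIS"
}
```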

