Exchange 2007/2010 Certificates - Simple

Microsoft has made some significant changes to the way certificates are installed with Exchange 2007/2010. In Exchange 2003 you simply installed the certificate in the IIS console and OWA was running over HTTPS in no time. In 2007/2010 it is a little different.

This article will focus on a simple deployment and will not take into account Unified Communications.

In Exchange 2010 we need to install what is called a Unified Communications Certificate (I know, it contradicts the above, but we need it for this to work). You can get a typical web server certificate to work, but you should buy a UC certificate. You can buy it from here: (there are a limited number of places to buy UCCs).

A typical UC certificate will need to cater for 3 SAN attributes:

  1. Internal DNS name of the Exchange/OWA server
  2. External DNS name of the Exchange/OWA server
  3. autodiscover URL of your domain

Hence you will need 3 Subject Alternative Names (SANs). So let's say our internal network was internal.local, our external domain was and our Exchange server was called exch01; the SANs will be:

  1. exch01.internal.local
  2. (assuming you wanted this to be your external DNS name; this would be your primary domain)

You will first need to create a Certificate Signing Request (CSR) to get your UC certificate. In 2007 the command is as follows (based on the SANs above):

New-ExchangeCertificate -GenerateRequest -Path c:\exch01_external_com.csr -KeySize 2048 -SubjectName "c=au, s=My State, l=My City, o=My ORG, ou=My Dept," -DomainName, exch01.internal.local, -PrivateKeyExportable $True

In 2010 it will be as follows:

Set-Content -path "C:\exch01_external_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=au, s=My State, l=My City, o=My ORG, ou=My Dept," -DomainName, exch01.internal.local, -PrivateKeyExportable $True) 

In general the fields are as follows:

  • KeySize - 2048 is the minimum for a UC certificate
  • SubjectName - the typical organisation details for the certificate, including the common name
  • DomainName - the SANs we mentioned above
  • PrivateKeyExportable - set to $True only if you need to export the certificate with its private key later on (for example to copy it to another server)
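The following is an added example, not a command from the original article, that puts the Exchange 2010 CSR step together with all three SANs held in variables so nothing is mistyped. The external domain is not given on the page, so EXTERNAL-DOMAIN-PLACEHOLDER stands in for it, and the cn= component of the subject is an assumption (the page's subject string stops after ou=). It assumes the Exchange Management Shell on an Exchange 2010 server.

```powershell
# Added example (not from the original article): build the Exchange 2010 CSR
# with the three SANs the article lists, using variables so the names are not mistyped.
# EXTERNAL-DOMAIN-PLACEHOLDER is a placeholder; replace it with your real external domain.
$internalName = 'exch01.internal.local'                      # internal DNS name of the server
$externalName = 'exch01.EXTERNAL-DOMAIN-PLACEHOLDER'         # external DNS name used for OWA
$autodiscover = 'autodiscover.EXTERNAL-DOMAIN-PLACEHOLDER'   # autodiscover name for the domain
$csrPath      = 'C:\exch01_external_com.csr'

# The cn= value is an assumption: the common name is normally the external name clients use.
$subject = "c=au, s=My State, l=My City, o=My ORG, ou=My Dept, cn=$externalName"

# Generate the request; 2048 is the minimum key size for a UC certificate.
# PrivateKeyExportable is only needed if the certificate will be exported later.
$csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
        -SubjectName $subject `
        -DomainName $externalName, $internalName, $autodiscover `
        -PrivateKeyExportable $true

# Write the Base64 request to disk to send to the CA
Set-Content -Path $csrPath -Value $csr
Write-Host "CSR written to $csrPath; submit it to your CA"
```

Keep the list of names in one place like this and reuse it when you verify the issued certificate, so the names you requested and the names you check are guaranteed to match.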

Provide the CSR to your CA and, when you get the certificate back, install it as follows (in the Exchange Management Shell):

Import-ExchangeCertificate -Path "C:\exch01_external_com.cer"
Enable-ExchangeCertificate <thumbprint> -Services:"POP,SMTP,IIS,IMAP"
Press Y at the warning (it asks whether to overwrite the existing default SMTP certificate)

The above can also be done as a one-liner to avoid having to enter the thumbprint:

Import-ExchangeCertificate -Path "C:\exch01_external_com.cer" | Enable-ExchangeCertificate -Services:"POP,SMTP,IIS,IMAP"

If you get lost and can't find your thumbprint, simply run the following command to get all your Exchange certificates:
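As an added example that is not part of the original article, the script below lists every certificate Exchange knows about (so you can find the thumbprint), then picks the certificate bound to IIS, which is the one OWA uses, and checks that it covers the three names from the article and is not close to expiry. It assumes the Exchange Management Shell on an Exchange 2010 server; the external names are placeholders because the page does not give the external domain.

```powershell
# Added example (not from the original article): find the thumbprint and verify the
# OWA certificate. Run in the Exchange Management Shell on the Exchange 2010 server.
# The internal name is the article's example; the external names are placeholders.
$requiredNames = @(
    'exch01.internal.local',                     # internal DNS name
    'exch01.EXTERNAL-DOMAIN-PLACEHOLDER',        # external DNS name of OWA
    'autodiscover.EXTERNAL-DOMAIN-PLACEHOLDER'   # autodiscover name
)

# 1. List all certificates with the fields needed to identify the right one
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned, Status

# 2. Select the non-self-signed certificate bound to IIS (the one OWA serves)
$owaCerts = Get-ExchangeCertificate |
    Where-Object { ($_.Services -match 'IIS') -and (-not $_.IsSelfSigned) }

if (-not $owaCerts) {
    Write-Warning "No CA-issued certificate is enabled for IIS; OWA is still using the self-signed one"
}

foreach ($cert in $owaCerts) {
    Write-Host "Checking certificate $($cert.Thumbprint)"

    # 3. Every name clients connect with must be in the SAN list or they get a certificate error
    $sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    foreach ($name in $requiredNames) {
        if ($sans -contains $name.ToLower()) {
            Write-Host "  OK       $name"
        } else {
            Write-Warning "  MISSING  $name"
        }
    }

    # 4. Flag certificates that expire within 30 days so renewal is not missed
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) {
        Write-Warning "  Expires in $daysLeft days ($($cert.NotAfter)); request a renewal"
    } else {
        Write-Host "  Valid until $($cert.NotAfter) ($daysLeft days left)"
    }
}
```

If a name shows as MISSING, the fix is a new CSR with the complete SAN list rather than adding the name afterwards; the SANs are fixed when the certificate is issued.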
