How to generate Exchange 2007 certificates

By default Exchange uses a self-signed certificate. If you are allowing external access, it's best practice to use a CA-signed certificate, either from your own internal CA or from an external 3rd-party trusted CA.

So to generate a signing request, open an Exchange Management Shell as administrator and run the following.

New-ExchangeCertificate -GenerateRequest -SubjectName "cn=remote.domain.com.au" -IncludeAcceptedDomains -DomainName additional.domain.com.au,internal.domain.com.au -IncludeAutoDiscover -Path c:\mycert.req

To break this command down: -GenerateRequest and -SubjectName are pretty straightforward and define the primary subject of the certificate. -IncludeAcceptedDomains tells it to add any other accepted domains to the certificate, which is useful if you accept mail for multiple domains. -DomainName is for additional names you wish to specify; sometimes you have a split internal and external domain, and this is what you would use in that case. -IncludeAutoDiscover is the one that gets forgotten, but it adds the autodiscover name to the certificate. If you do not include your autodiscover name, or the name of the server it is on, you may get certificate errors when launching Outlook.

So now you have your certificate request: either submit it to your internal CA to be signed, or pass it on to a 3rd party to have them sign it. You should get a certificate file back, and once you do, simply run the following from your admin Exchange shell.

Import-ExchangeCertificate -Path C:\certnew.cer

The next step is to tell Exchange to use the certificate. Upon importing, you should get the thumbprint of the certificate. With this you can enable the certificate by running the following, substituting your thumbprint.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,POP,IMAP,IIS

One gotcha that I have seen a couple of times now is that the IIS/SMTP certs don't stick. This presents itself after a reboot when suddenly it's reverted back to the original certificate. In these cases I have found it necessary to re-run the command with just IIS and SMTP, like below.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IIS

And that should be it: your certificate will take effect immediately and you should be good to go.

One last note: it's worth keeping in mind that your OWA, OAB and Autodiscover URLs may vary, and you should check that these all match names on the certificate. A domain name mismatch is pretty common and creates error messages that have the potential to confuse users.
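Pulling the steps above together, here is an added example (my own script, not part of the original post) that runs the three cmdlets in one Exchange Management Shell session, captures the thumbprint from the import instead of retyping it, and then reads the binding back with Get-ExchangeCertificate so the "certs don't stick" problem is caught rather than discovered by users. The host names and file paths are placeholders, and the check can be run again after a reboot.

```powershell
# Added example, not from the original post. Placeholder names and paths below.
# Written with .NET string methods rather than the -split operator so it also runs
# on the PowerShell 1.0 shell that ships with early Exchange 2007 builds.
$PrimaryName = 'remote.domain.com.au'                          # assumed external name
$ExtraNames  = 'additional.domain.com.au','internal.domain.com.au'
$RequestPath = 'C:\mycert.req'
$CertPath    = 'C:\certnew.cer'                                # signed cert back from the CA

# Step 1: generate the CSR with the same switches the post explains.
New-ExchangeCertificate -GenerateRequest -SubjectName "cn=$PrimaryName" `
    -IncludeAcceptedDomains -DomainName $ExtraNames -IncludeAutoDiscover -Path $RequestPath

# (Have $RequestPath signed by your CA and save the result as $CertPath before continuing.)

# Step 2: import and keep the thumbprint the cmdlet returns.
$Imported   = Import-ExchangeCertificate -Path $CertPath
$Thumbprint = $Imported.Thumbprint

# Step 3: bind the services.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services SMTP,POP,IMAP,IIS

# Step 4: verify what is actually bound against what was requested.
$Cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$Wanted  = 'SMTP','POP','IMAP','IIS'
$Bound   = "$($Cert.Services)".Split(',') | ForEach-Object { $_.Trim() }
$Missing = $Wanted | Where-Object { $Bound -notcontains $_ }

if ($Missing) {
    Write-Warning "Not bound to $Thumbprint : $($Missing -join ', ')"
    # Re-enable only what fell off; this is the IIS/SMTP re-run the post describes.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services ($Missing -join ',')
} else {
    Write-Output "All requested services bound to '$($Cert.Subject)', expires $($Cert.NotAfter)"
}

# List the names the certificate covers so they can be checked against the
# OWA, OAB and Autodiscover URLs for the mismatch the last note warns about.
$Cert.CertificateDomains
```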
