Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Generating Exchange 2010 Certificates (Exchange Management Shell)

As you probably know, Exchange 2007 certificate management was done in PowerShell. Luckily, we have some tools available to help us build the PowerShell commands that generate certificates.

Exchange 2010 not only allows you to manage certificates via PowerShell but also via the GUI.
See the following article for managing certificates via the GUI:
http://www.pro-exchange.be/blogs/exchange2010/archive/2009/05/04/finally-managing-exchange-certificates-using-the-gui.aspx

 

This article discusses the differences in PowerShell certificate creation between Exchange 2007 and Exchange 2010.

DigiCert has a great tool for generating the PowerShell script required to generate a certificate:
https://www.digicert.com/easy-csr/exchange2007.htm

 

[Screenshot: New-ExchangeCertificate.11]

Let’s create a certificate in the Exchange 2010 Exchange Management Shell:

[Screenshot: New-ExchangeCertificate.1]

A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate

The PowerShell command fails! What is happening?

Well, the parameters for New-ExchangeCertificate have changed. The “-Path” parameter has been removed from the parameter list.
Check the TechNet page: New-ExchangeCertificate (Exchange 2010 Help)
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.140).aspx

DigiCert now has a new Exchange 2010 CSR Command Wizard:
https://www.digicert.com/easy-csr/exchange2010.htm

 

[Screenshot: New-ExchangeCertificate.21]

 

Let’s run this new command in the Exchange 2010 Exchange Management Shell:

[Screenshot: New-ExchangeCertificate.2]

 

That works fine, but no file is created. We could copy and paste the request text from the prompt into a text file and hope that the formatting is OK.
The Exchange 2010 New-ExchangeCertificate help on TechNet explains that we have to do this in two steps. First the certificate request must be created (as in the screenshot), and then this output must be saved into a file.

So let’s do this:

First we need to create the certificate request and save the output into a variable ($Data in this case):
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=BE, s=Brussels, l=Brussels, o=Johan Delimon, ou=Pro-Exchange, cn=www.pro-exchange.be" -DomainName www.pro-exchange.be, mail.pro-exchange.be, autodiscover.pro-exchange.be -PrivateKeyExportable $True

Then we must save this content to a file:
Set-Content -path "c:\www_pro-exchange_be.req" -Value $Data

 

The same result can be accomplished with a single command like this:
Set-Content -path "c:\www_pro-exchange_be.req" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=BE, s=Brussels, l=Brussels, o=Johan Delimon, ou=Pro-Exchange, cn=www.pro-exchange.be" -DomainName www.pro-exchange.be, mail.pro-exchange.be, autodiscover.pro-exchange.be -PrivateKeyExportable $True)

 

Importing certificates is quite similar and also takes a two-step approach.

Check the TechNet page: Import-ExchangeCertificate (Exchange 2010 Help)
http://technet.microsoft.com/en-us/library/bb124424(EXCHG.140).aspx

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\www_pro-exchange_be.cer -Encoding byte -ReadCount 0))
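
The request and import steps above, combined with checks on the saved file and on the imported certificate, as an added example that is not the author's own script. The paths and names are the article's sample values; the header check, the certutil review step and the HasPrivateKey test are additions made here.

```powershell
# Added example (not the author's script). Paths and names are the article's sample values.
$ReqPath = "c:\www_pro-exchange_be.req"
$CerPath = "c:\www_pro-exchange_be.cer"

# 1. Generate the request and save it, as in the article.
#    -PrivateKeyExportable $True lets the key pair be exported later (for example
#    to a PFX for another server), so any such export file must be protected.
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=BE, s=Brussels, l=Brussels, o=Johan Delimon, ou=Pro-Exchange, cn=www.pro-exchange.be" `
    -DomainName www.pro-exchange.be, mail.pro-exchange.be, autodiscover.pro-exchange.be `
    -PrivateKeyExportable $True
Set-Content -Path $ReqPath -Value $Data

# 2. Check the saved file before sending it to the CA.
$Lines = @(Get-Content -Path $ReqPath | Where-Object { $_.Trim() -ne "" })
if ($Lines.Count -lt 3 -or
    $Lines[0]  -notmatch '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$' -or
    $Lines[-1] -notmatch '^-----END (NEW )?CERTIFICATE REQUEST-----$') {
    throw "$ReqPath does not have the expected request header/footer."
}
# FromBase64String throws if the body was truncated or corrupted on the way to disk.
$Der = [Convert]::FromBase64String(($Lines[1..($Lines.Count - 2)] -join ""))
Write-Host "Request body decodes to $($Der.Length) bytes of DER."

# Decode the request for review: confirm that the subject, the SAN list and
# the 2048-bit key length match what was asked for.
certutil -dump $ReqPath

# 3. After the CA returns the certificate, import it on the SAME server that
#    generated the request; the private key never left that server.
$Cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))

# A certificate without its private key cannot be used by Exchange services;
# that usually means the import ran on a different server than the request.
if (-not $Cert.HasPrivateKey) {
    throw "Certificate $($Cert.Thumbprint) was imported without a private key."
}
$Cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, HasPrivateKey
```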


Posted 10-23-2009 7:15 by Johan Delimon