Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Generating Exchange 2010 Certificates (Exchange Management Shell)

As you probably know, Exchange 2007 certificate management was done in PowerShell. Luckily, tools are available to help build the PowerShell cmdlets that generate certificates.

Exchange 2010 allows you to manage certificates not only via PowerShell but also via the GUI.
See the following article for Certificates via the GUI


This article discusses the differences in PowerShell certificate creation between Exchange 2007 and Exchange 2010.

DigiCert has a great tool for generating the PowerShell script required to generate a certificate.



Let’s create a certificate in the Exchange 2010 Exchange Management Shell:


A positional parameter cannot be found that accepts argument '-Path'.
    + CategoryInfo          : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate

The PowerShell command fails! What is happening?

Well, the parameters for New-ExchangeCertificate have changed. The “-Path” parameter has been removed from the parameter list.
Check the TechNet page: New-ExchangeCertificate (Exchange 2010 Help)

DigiCert now has a new Exchange 2010 CSR Command Wizard.




Let’s run this new command in the Exchange 2010 Command Shell:



That works fine, but no file is created. We could copy and paste the request text from the prompt into a text file and hope that the formatting is OK.
The New-ExchangeCertificate help on TechNet explains that this has to be done in two steps: first the certificate request is created (as in the screenshot), and then its output is saved to a file.

So let’s do this:

First we need to create the certificate request and save its output in a variable ($Data in this case):
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=BE, s=Brussels, l=Brussels, o=Johan Delimon, ou=Pro-Exchange," -DomainName,, -PrivateKeyExportable $True

Then we must save this content to a file:
Set-Content -path "c:\www_pro-exchange_be.req" -Value $Data


The same result can be accomplished with a single command like this:
Set-Content -path "c:\www_pro-exchange_be.req" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=BE, s=Brussels, l=Brussels, o=Johan Delimon, ou=Pro-Exchange," -DomainName,, -PrivateKeyExportable $True)


Importing certificates is quite similar and also uses a two-step approach.

Check the TechNet page: Import-ExchangeCertificate (Exchange 2010 Help)

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\www_pro-exchange_be.cer -Encoding byte -ReadCount 0))
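
Added example (not from the original post): the request, save and import steps above as one Exchange Management Shell script, with a check on the request file before it goes to the CA and on the private key after import. The subject, host names, paths and function names are placeholders, and -PrivateKeyExportable defaults to $false here, an assumption that the key does not have to be moved to another server.

```powershell
# Added example; run in the Exchange 2010 Management Shell.
# All names and paths below are placeholders (assumptions), not values from the post.
$ReqPath = 'C:\certs\mail_example_com.req'
$CerPath = 'C:\certs\mail_example_com.cer'   # certificate returned by the CA
$Subject = 'c=BE, s=Brussels, l=Brussels, o=Example Org, cn=mail.example.com'
$Names   = 'mail.example.com', 'autodiscover.example.com'

function New-CertRequestFile {
    param([string]$Path, [string]$SubjectName, [string[]]$DomainName,
          [bool]$Exportable = $false)
    # Step 1: the cmdlet returns the Base64 request as text; there is no -Path.
    # The post uses -PrivateKeyExportable $True; $false keeps the key from being
    # exported to a PFX and is the safer choice when one server holds the cert.
    $Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
        -SubjectName $SubjectName -DomainName $DomainName `
        -PrivateKeyExportable $Exportable
    # Step 2: write the text to disk.
    Set-Content -Path $Path -Value $Data
    # Check the file before sending it to the CA: header line, then a full parse.
    $first = Get-Content -Path $Path -TotalCount 1
    if ($first -notmatch '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----') {
        throw "Unexpected first line in ${Path}: $first"
    }
    certutil.exe -dump $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $Path" }
}

function Import-IssuedCert {
    param([string]$Path)
    # Same byte-array read as in the post.
    $bytes = [Byte[]]$(Get-Content -Path $Path -Encoding Byte -ReadCount 0)
    $cert  = Import-ExchangeCertificate -FileData $bytes
    # The issued certificate must pair with the private key left by the request.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) imported without a private key"
    }
    $cert | Format-List Thumbprint, Subject, NotAfter, HasPrivateKey
}

New-CertRequestFile -Path $ReqPath -SubjectName $Subject -DomainName $Names
# After the CA returns the .cer file:
# Import-IssuedCert -Path $CerPath
```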

Posted 10-23-2009 7:15 by Johan Delimon