Managing Certificates using Exchange 2010 Management Shell

by Mike Pfeiffer on March 4, 2010

The syntax of some of the Exchange Management Shell certificate cmdlets has changed in Exchange 2010. The reason is that Exchange 2010 administration runs over remote PowerShell: the cmdlets execute on the server, so they can no longer read or write certificate files by a path on the machine you are typing on. The -Path parameters that Import-ExchangeCertificate and Export-ExchangeCertificate had in Exchange 2007 are gone, and you pass the file contents in and out as byte arrays instead. In this post I'll cover how to manage certificates using Exchange Management Shell. Also keep in mind that there is a new certificate wizard in Exchange 2010 that you'll want to become familiar with.

Generating a Certificate Request

In order to create a new certificate, you need to generate a certificate request using the New-ExchangeCertificate cmdlet. Once you have a certificate request generated, you can obtain a certificate from an internal Certificate Authority (CA) or a third-party public CA.

In this example, we’ll generate a request using two Subject Alternative Names (SANs). This will allow us to support multiple URLs with one certificate:

$cert = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Litware, cn=mail.litware.internal" -DomainName owa.litware.internal,mail.litware.internal -PrivateKeyExportable $true

As you can see in the example, we’ve saved the output of the command in a variable called $cert. Next, export the data to a text file using the Out-File cmdlet:

$cert | Out-File c:\cert.txt

After the request has been saved in the text file, submit the request to a CA to obtain the certificate.

Installing a Certificate

After you obtain a certificate from a CA, you can install it on the Exchange server. To do this, you'll need to use the Import-ExchangeCertificate cmdlet. Because the shell is a remote session, the file is read locally with Get-Content and its bytes are passed in through the -FileData parameter:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert.cer -Encoding Byte -ReadCount 0))

Now that the certificate is installed, you need to enable it and assign the services that it will be used for. I've found that the easiest way to do this is to pipe the output from Get-ExchangeCertificate to Enable-ExchangeCertificate. For example, let's say I just installed a certificate that contains the domain name owa.litware.internal. I would use the following command to enable this certificate and assign the IIS and SMTP services on a server holding the Client Access and Hub Transport roles. Be aware that -DomainName returns every certificate whose subject or SAN list contains that name, so if more than one matches (the default self-signed certificate carries the server name, for instance) each of them will be enabled in turn; when in doubt, pass the specific thumbprint to Enable-ExchangeCertificate instead:

Get-ExchangeCertificate -DomainName owa.litware.internal | Enable-ExchangeCertificate -Services IIS,SMTP

Keep in mind that when you enable the SMTP service for a certificate on a Hub Transport server, you will be prompted to confirm that you want to overwrite the existing self-signed certificate as the default SMTP certificate.
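The three steps above (request, import, enable) as one script, added here as an example and not part of Mike's original post. It assumes Exchange 2010 Management Shell on a server with the Client Access and Hub Transport roles; the Litware host names (including autodiscover.litware.internal, which the post does not use), the C:\ paths and the 30-day expiry threshold are placeholders. Compared with the one-liners above it writes the request as ASCII (Windows PowerShell's Out-File defaults to UTF-16, which some CA enrollment pages reject), refuses to continue unless exactly one non-self-signed certificate matches, and enables by thumbprint with -Force so the SMTP overwrite prompt does not stall an unattended run:

```powershell
# Added example (not from the original post). Host names, paths and the
# Litware organization are placeholders; adjust them to your environment.
# Run from the Exchange Management Shell on the Exchange 2010 CAS/Hub server.

$primary = 'mail.litware.internal'
$sans    = @('mail.litware.internal', 'owa.litware.internal', 'autodiscover.litware.internal')
$reqPath = 'C:\cert.txt'
$cerPath = 'C:\cert.cer'

# 1. Generate the PKCS#10 request. The CN should also appear in -DomainName;
#    that list becomes the certificate's Subject Alternative Names.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Litware, cn=$primary" `
    -DomainName $sans `
    -PrivateKeyExportable $true
# ASCII avoids the UTF-16 default that some CA enrollment pages reject.
$request | Out-File -FilePath $reqPath -Encoding ascii
Write-Host "Submit $reqPath to your CA and save the issued certificate as $cerPath"

# 2. After the CA returns the certificate: import it. EMS is a remote
#    PowerShell session, so the file is read here and passed in as bytes.
$bytes = [byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$null = Import-ExchangeCertificate -FileData $bytes

# 3. Locate the certificate by its SAN, but exclude the self-signed default
#    (which also carries the server name) and insist on exactly one match.
$candidates = @(Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains 'owa.litware.internal' })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one matching certificate, found $($candidates.Count); enable by -Thumbprint instead."
}
$cert = $candidates[0]

# Sanity checks before binding services to it.
if ($cert.Status -ne 'Valid') {
    throw "Certificate status is $($cert.Status), not Valid (missing chain or private key?)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)"
}

# 4. Enable by thumbprint so the pipeline cannot touch any other certificate.
#    -Force suppresses the "overwrite the default SMTP certificate" prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 5. Confirm the binding took effect.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

Steps 1 and 2 are normally separated by hours or days while the CA processes the request, so in practice you run the top of the script, then the rest once cert.cer is on disk.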

Exporting a Certificate

There may be times where you need to export a certificate and install it on another server. This is commonly done on Client Access servers in an RPC Client Access Array that share the same host names. To export a certificate together with its private key as a password-protected PFX file, use the Export-ExchangeCertificate cmdlet. Take a look at this command:

$file = Get-ExchangeCertificate -DomainName owa.litware.internal | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Get-Credential).password

What we are doing here is using the Get-ExchangeCertificate cmdlet to identify the certificate we want to export, then we pipe that to Export-ExchangeCertificate where we set a password for the certificate, and finally store the output in a $file variable.

After entering the above command, you will be prompted for a user name and password. The user name field is required, but it will not be used. You’ll need to enter some arbitrary text in the user name field, just make sure you document the password that is used so you can later import this certificate.

To write the .pfx file, save the FileData bytes held in the variable from the above command to a file called cert.pfx:

Set-Content -Path "c:\cert.pfx" -Value $file.FileData -Encoding Byte

Keep in mind that in order to export these certificates, the private keys need to be marked as exportable. As shown in the first example, make sure you set the PrivateKeyExportable parameter to $true when generating certificate requests; a request generated without it cannot be exported later, and the only fix is a new request. The exported .pfx contains the private key, so treat it like a credential: choose a strong password, copy the file over an authenticated channel, and delete it from both servers once the import has succeeded.

Installing an Exported Certificate

After you’ve exported a certificate, you may want to install it on another server. Building on the previous example, let’s say you’ve copied the cert.pfx file to another server. You can use the Import-ExchangeCertificate cmdlet to import the certificate using the following syntax:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).password

Again, after entering this command you’ll be prompted for user name and password. Type anything you want for the user name, just make sure you enter the same password that was used when the certificate was exported.

As we saw in the previous example, after importing the certificate, it needs to be enabled and have services assigned:

Get-ExchangeCertificate -DomainName mail.litware.internal | Enable-ExchangeCertificate -Services IIS,SMTP

Again, if you assign the SMTP service to the certificate, you’ll be prompted to overwrite the default self signed certificate.
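The export and import steps from the last two sections as one worked procedure, added here as an example and not part of the original post. It assumes two Exchange 2010 Client Access servers where the target is reachable as cas02 over the C$ admin share; server names, paths and the thumbprint placeholder are assumptions. Instead of the Get-Credential trick it prompts for the PFX password with Read-Host -AsSecureString (the -Password parameters take a SecureString), refuses to export a key that is not exportable, verifies on the target that the same certificate and its private key arrived, and removes the .pfx from both machines:

```powershell
# Added example (not from the original post). Server names and paths are
# placeholders. The first half runs on the source CAS, the second on cas02.

# --- On the source server --------------------------------------------------
$pfxPath = 'C:\cert.pfx'
# Prompt for the PFX password directly; Export-ExchangeCertificate -Password
# takes a SecureString, so no throw-away user name is needed.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$cert = Get-ExchangeCertificate -DomainName owa.litware.internal |
    Where-Object { -not $_.IsSelfSigned } |
    Select-Object -First 1
if (-not $cert) { throw 'No CA-issued certificate for owa.litware.internal found' }
if (-not $cert.PrivateKeyExportable) {
    throw "Private key of $($cert.Thumbprint) is not exportable; regenerate the request with -PrivateKeyExportable `$true"
}
Write-Host "Exporting thumbprint $($cert.Thumbprint) ($($cert.Subject)); note it for the target"

# -BinaryEncoded:$true yields the raw PFX bytes (the default is Base64 text).
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# The .pfx now holds the private key: copy it over an authenticated channel
# (assumed here: the target's admin share) and remove the local copy.
Copy-Item -Path $pfxPath -Destination '\\cas02\c$\cert.pfx'
Remove-Item -Path $pfxPath

# --- On the target server (cas02) ------------------------------------------
$expectedThumbprint = 'PASTE-THUMBPRINT-FROM-SOURCE'   # placeholder: copy from the source output
$pfxPath     = 'C:\cert.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$bytes    = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword

# The thumbprint hashes the whole certificate, so it must match the source
# exactly; HasPrivateKey confirms the key came along with it.
if ($imported.Thumbprint -ne $expectedThumbprint) { throw 'Thumbprint mismatch after import' }
if (-not $imported.HasPrivateKey) { throw 'Imported certificate has no private key; wrong file or password?' }

Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP -Force
Remove-Item -Path $pfxPath
```

The password never leaves the two interactive prompts, which is what you want; if you script this end to end, pass it as a SecureString object rather than writing it to a file next to the .pfx.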

Removing Certificates

To remove a certificate, use the Remove-ExchangeCertificate cmdlet. For example, after replacing the self-signed certificates, you can remove them using the following command. Check the Services property first: a self-signed certificate that is still bound to a service should not be deleted until the replacement has been enabled for that service, and running the pipeline once with -WhatIf in place of -Confirm:$false shows what would be removed:

Get-ExchangeCertificate | ?{$_.IsSelfSigned -eq $true} | Remove-ExchangeCertificate -Confirm:$false
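A more cautious version of the cleanup above, added as an example and not part of the original post: it only selects self-signed certificates whose Services value is None (nothing bound to them any more) and does a -WhatIf pass before the real removal, which is left commented out:

```powershell
# Added example (not from the original post). Removes only self-signed
# certificates that no longer have any Exchange service bound to them.
$stale = @(Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Services -eq 'None' })

if ($stale.Count -eq 0) {
    Write-Host 'No unbound self-signed certificates to remove.'
} else {
    # Review the list, then dry-run the removal.
    $stale | Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize
    $stale | Remove-ExchangeCertificate -WhatIf
    # Once the list looks right, run it for real:
    # $stale | Remove-ExchangeCertificate -Confirm:$false
}
```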

