Date created: 01/02/11 01:02:12. Last modified: 12/13/12 11:41:20

Exchange Certificate

To install/renew a certificate under Exchange 2007 with a new one, start by importing the new certificate file (assuming you are using a certificate from a trusted CA for public facing servers and not generating a new one);

>Import-ExchangeCertificate -Path "C:\mycert.cer"

View installed certificates on the exchange server (the new cert below is listed with 'W', meaning its installed for IIS already. The cert was installed in IIS first for SSL access required by OWA, but I want to use the cert for the other services also);

>Get-ExchangeCertificate

Thumbprint                         Services   Subject
----------                            --------   -------
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890  ...W.      CN=exchsrv.fqdn NEW CERT
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ  ....S      CN=exchsrv.fqdn OLD CERT
12ABCDEFG345HIJKLMNOPQRS67890TUVWXYZ  IP..S      CN=exchsrv SELF 'GENED CERT

Now we must enable the cert for the services I wish to have SSL enabled on

>Enable-ExchangeCertificate -Thumbprint ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 -Services IMAP,POP,SMTP


Overwrite existing default SMTP certificate, '12ABCDEFG345HIJKLMNOPQRS67890TUVWXYZ' (expires 4/12/2011 7:20:06 AM), with certificate 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' (expires 9/28/20114:44:26 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):Y

Verify the cert was enabled for the services I desired;

>Get-ExchangeCertificate

Thumbprint                            Services   Subject
----------                            --------   -------
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890  IP.WS      CN=exchsrv.fqdn NEW CERT
1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ  ....S      CN=exchsrv.fqdn OLD CERT
12ABCDEFG345HIJKLMNOPQRS67890TUVWXYZ  ....S      CN=exchsrv SELF 'GENED CERT

Old certificates can be removed with;

>Remove-ExchangeCertificate -Thumbprint 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ