Create a New Exchange Certificate

  • Article

Applies to: Exchange Server 2010

After you have installed the Client Access server role, you'll need to create a Secure Sockets Layer (SSL) certificate for the various services in your organization.

Prerequisites

The Client Access server role has been installed.

What Do You Want to Do?

  • Use the EMC to create a new Exchange certificate
  • Use the Shell to create a new Exchange certificate

Use the EMC to create a new Exchange certificate

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

  1. In the console tree, click Server Configuration.
  2. In the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard.
    • This wizard helps you determine what type of certificates you need for your Exchange organization.
  3. On the Introduction page, enter a friendly name for your certificate.
  4. On the Domain Scope page, select the Enable wildcarding for this certificate check box, and then enter a root domain if you want to apply the certificate to all subdomains automatically by creating a wildcard certificate.
  5. On the Organization and Location page, enter information about your Exchange organization. Click Browse to select a location for the certificate request file, and then enter the file name you want to use.
  6. On the Certificate Completion page, verify that all the information you have entered is correct. If it is, click New.
  7. On the Completion page, follow the steps listed to complete your request. This page also contains the cmdlet syntax necessary to create a new certificate.

Use the Shell to create a new Exchange certificate

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access server security settings" entry in the Client Access Permissions topic.

The code example below outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a certification authority (CA) within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output into an e-mail message or into the appropriate field on the certificate request Web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.

The certificate that results has the following attributes associated with it:

  • Subject name: c=<ES>,o=<Woodgrove Bank>,cn=mail1.woodgrovebank.com
  • Subject alternate names: woodgrovebank.com and example.com
  • An exportable private key
New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable