Franky's Web

Exchange 2013: Create certificate request for public CA

Certificates from an Active Directory-integrated certification authority can easily be requested via the MMC. However, if you want to buy a certificate, you need a certificate request that can be submitted to the CA. Unfortunately, ECP offers few options for configuring the request and the resulting certificate. The Exchange Shell works much better. The command is a little longer, so here is a short explanation:

New-ExchangeCertificate -Server "Servername" -GenerateRequest -FriendlyName "Exchange Zertifikat" -PrivateKeyExportable $true -SubjectName "c=LÄNDERCODE, s=BUNDESLAND, l=STADT, o=FIRMA, ou=ORGANISATIONSEINHEIT, cn=ALLEGMEINERNAME" -DomainName outlook.frankysweb.de,autodiscover.frankysweb.de -RequestFile "\\SERVERNAME\C$\Anforderung.csr"

-FriendlyName: the display name of the certificate in ECP. The name can be chosen freely.

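-SubjectName: determines the properties of the certificate. The placeholders in the command stand for: c = country code, s = state, l = city, o = company, ou = organizational unit, cn = common name.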

-DomainName: all alternative names for the certificate are entered here, as well as the common name. Normally only Autodiscover and the access name for Outlook, OWA, ECP, ActiveSync etc. are required here.

-RequestFile: a share on which the request can be saved

The request can now be submitted to a CA. As soon as the certificate has been issued by the CA, the request can be completed:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificate.cer -Encoding byte -ReadCount 0))

Finally, the new certificate must be assigned to the Exchange services. Either the thumbprint of the certificate that was just added is passed to the cmdlet "Enable-ExchangeCertificate", or the EAC is used for convenience. Here is the way via the shell:

Enable-ExchangeCertificate -Thumbprint "thumbprintvonimport" -Services POP,IMAP,SMTP,IIS
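
The import and enable steps above can be combined with a check of the issued certificate before any service is bound to it. The following is an added example, not part of the original post; it assumes the CA's reply was saved as C:\certificate.cer and that $expected lists the names passed to -DomainName in the request.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumption: $expected holds the names that were passed to -DomainName.
$expected = 'outlook.frankysweb.de', 'autodiscover.frankysweb.de'

# Import the issued certificate and keep the returned object, so the
# thumbprint does not have to be copied by hand.
$bytes    = [Byte[]]$(Get-Content -Path C:\certificate.cer -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

$problems = @()

# The key pair was generated on this server by the request. If the private
# key is missing, the certificate did not match the pending request.
if (-not $cert.HasPrivateKey) { $problems += 'certificate has no private key' }

# Status reflects Exchange's own validation (chain, dates, revocation check).
if ("$($cert.Status)" -ne 'Valid') { $problems += "status is $($cert.Status)" }

# A certificate bought from a public CA must not be self-signed.
if ($cert.IsSelfSigned) { $problems += 'certificate is self-signed' }

# Every requested name has to appear among the certificate's domains,
# otherwise clients get name-mismatch warnings for that host name.
$domains = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = @($expected | Where-Object { $domains -notcontains $_.ToLower() })
if ($missing.Count -gt 0) { $problems += "names missing: $($missing -join ', ')" }

if ($problems.Count -gt 0) {
    # Leave the current service bindings untouched and report what is wrong.
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services POP,IMAP,SMTP,IIS
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services
}
```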