Many of the emails I receive are about certificates. I have therefore written a small wizard in PowerShell that takes some of the work out of dealing with certificates. It automatically determines the relevant DNS names, requests the certificate from a Windows CA and installs it on all Exchange 2013 servers. It does not work entirely without some manual preparation, however:
Prerequisites
The ActiveDirectory module for PowerShell must be installed on the Exchange server on which ExchangeCertificateAssistant is run; the module can be installed via Server Manager:
In order for the wizard to request certificates, a certificate template is required in addition to a certification authority. How to install and configure a certification authority is described here:
If a certification authority is already installed and configured, only a new template needs to be created. To do this, open the Certificate Templates console from the MMC of the certification authority:
The "Web Server" template must be duplicated
Define and remember the template display name in the new window under the General tab (ExchangeCertificateAssistant asks for it)
On the Request Handling tab, the check boxes "Include symmetric algorithms allowed by the subject" and "Allow private key to be exported" must be selected
On the Security tab, the group "Exchange Trusted Subsystem" is added with the "Read" and "Enroll" permissions
Now confirm with "OK" and close the Certificate Templates console. The new template then only needs to be published
Once the template has been created and published, the wizard can be started from the Exchange Management Shell.
Note: ExchangeCertificateAssistant requires Server 2012 R2, PowerShell 4, Exchange 2013 and the ActiveDirectory module for PowerShell. The Exchange server(s) must already be fully configured; the Exchange Configurator can be used for that configuration.
Start ExchangeCertificateAssistant
.\ExchangeCertificateAssistant.ps1
The wizard asks for the template name; the template display name assigned above must be entered here.
The rest should be self-explanatory. Before the certificate is issued, it is possible to add further DNS names that have not been configured in Exchange:
The certificate is then issued and bound to the Exchange services; it is also saved under c:\Certificate on the Exchange server that ran the wizard. A password can be chosen for the export, so the certificate can be transferred to load balancers or firewalls.
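The following is an added example of the individual steps the wizard bundles, written for this page and not the ExchangeCertificateAssistant script itself. It collects the host names Exchange is configured with, requests a certificate for them from the enterprise CA through the template created above, binds it to IIS and SMTP on the server it runs on, and exports it as a password-protected PFX to C:\Certificate. It is meant to be run from the Exchange Management Shell on one Exchange 2013 server; distributing the certificate to the other servers is not covered. The template display name, the subject suffix and the export folder are assumptions to adjust to your environment.

```powershell
# Added example (not the ExchangeCertificateAssistant script): request, bind and export
# an Exchange certificate from an internal Windows CA. Run from the Exchange Management Shell.
param(
    [string]$TemplateName  = 'Exchange Webserver',   # assumed: display name from the template's General tab
    [string]$ExportPath    = 'C:\Certificate',       # folder the article also uses for the exported file
    [string]$SubjectSuffix = 'O=Example Org,C=DE'    # constructed sample value for the subject DN
)

# 1. Gather every host name Exchange publishes for client access (case-insensitive, no duplicates).
$names = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
function Add-HostName {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    # Accept either a bare host name or a URL and keep only the host part.
    $uri = $null
    if ([Uri]::TryCreate($Value, [UriKind]::Absolute, [ref]$uri)) { $Value = $uri.Host }
    [void]$names.Add($Value)
}

Get-OutlookAnywhere             | ForEach-Object { Add-HostName $_.InternalHostname; Add-HostName $_.ExternalHostname }
Get-OwaVirtualDirectory         | ForEach-Object { Add-HostName $_.InternalUrl;      Add-HostName $_.ExternalUrl }
Get-WebServicesVirtualDirectory | ForEach-Object { Add-HostName $_.InternalUrl;      Add-HostName $_.ExternalUrl }
Get-ActiveSyncVirtualDirectory  | ForEach-Object { Add-HostName $_.InternalUrl;      Add-HostName $_.ExternalUrl }
Get-ClientAccessServer          | ForEach-Object { Add-HostName $_.AutoDiscoverServiceInternalUri }

# Clients look up autodiscover.<SMTP domain>; add that name for every authoritative accepted domain.
Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' } |
    ForEach-Object { Add-HostName ("autodiscover." + $_.DomainName.ToString()) }

$dnsNames = @($names)
Write-Host "Requesting a certificate for:`n  $($dnsNames -join "`n  ")"

# 2. Enroll against the template. Writing to the LocalMachine store enrolls in the machine
#    context, which is why the template grants Read/Enroll to "Exchange Trusted Subsystem"
#    (the Security-tab step above); Exchange servers are members of that group.
$subject = "CN=$($dnsNames[0]),$SubjectSuffix"
$result  = Get-Certificate -Template $TemplateName -DnsName $dnsNames -SubjectName $subject `
                           -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete, status: $($result.Status)" }
$thumbprint = $result.Certificate.Thumbprint

# 3. Bind the new certificate to the Exchange services on this server.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP -Force

# 4. Export as PFX. This only works because the template allows the private key to be exported.
if (-not (Test-Path $ExportPath)) { New-Item -ItemType Directory -Path $ExportPath | Out-Null }
$password = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'
$pfx = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded -Password $password
[System.IO.File]::WriteAllBytes((Join-Path $ExportPath "$thumbprint.pfx"), $pfx.FileData)
Write-Host "Certificate $thumbprint bound to IIS/SMTP and exported to $ExportPath"
```

Review the printed name list before the request goes out: a stale ExternalUrl on a virtual directory ends up in the certificate just like a correct one, and a host name that is not resolvable is the usual reason clients still see warnings after the certificate is bound.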
Download:
Small update: The wizard also works with Exchange 2016.