Franky's Web

Request and import Exchange certificates via shell

Since CU12 for Exchange 2019 and CU23 for Exchange 2016, certificates can no longer simply be requested or imported via the Exchange Admin Center. The reason for this is a change to the cmdlets "New-ExchangeCertificate", "Import-ExchangeCertificate" and "Export-ExchangeCertificate", in which UNC paths can no longer be used. Before CU12 and CU23, it was possible to create a certificate request and to import or export an existing certificate directly in the Exchange Admin Center. This is no longer possible in the Exchange Admin Center:

However, a certificate request can easily be created using the Exchange Management Shell; the following command only needs to be adapted to your own environment (the backtick is only used as a line continuation for better readability):

# -SubjectName is one X.500 distinguished name (no line breaks inside the quotes),
# -DomainName lists the host names that go into the Subject Alternative Name field
$CSR = New-ExchangeCertificate -Server "SERVERNAME" `
    -GenerateRequest `
    -FriendlyName "Exchange certificate" `
    -PrivateKeyExportable $true `
    -SubjectName "c=COUNTRYCODE, s=STATE, l=CITY, o=COMPANY_NAME, ou=ORGANIZATIONAL_UNIT, cn=COMMON_NAME" `
    -DomainName outlook.frankysweblab.de, autodiscover.frankysweblab.de

$CSR

The command outputs the certificate request (CSR) directly to the shell:

The CSR can now be submitted to a certification authority. As soon as the certificate is available, it can be imported with the following command:

$ImportCert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Install\certificate.cer -Encoding byte -ReadCount 0))

Once the certificate has been imported, the Exchange services can be bound to it via the shell:

Enable-ExchangeCertificate -Thumbprint $ImportCert.Thumbprint -Services POP,IMAP,SMTP,IIS

However, it is still possible to assign Exchange services via the Exchange Admin Center:

Alternatively, the certificate or a certificate including the private key (PFX file) can be imported via MMC:

After the import, the Exchange services must be bound to the new certificate. As already mentioned, this is possible via the Exchange Admin Center:

Exporting the certificate including its private key is now only possible via the Exchange Management Shell; here is the new command for the export (Get-ExchangeCertificate lists the thumbprints):

Get-ExchangeCertificate

$ExportCert = Export-ExchangeCertificate -Thumbprint 85AB0C0D042CA2A406A3C35DCB85FD2D99EC5B92 -BinaryEncoded -Password (convertto-securestring -string "PASSWORD" -asplaintext -force)
Set-Content -Path c:\Install\Cert.pfx -Value $ExportCert.FileData -Encoding byte

The command for importing a PFX file is as follows:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Install\cert.pfx -Encoding byte -ReadCount 0)) -Password (convertto-securestring -string "PASSWORD" -asplaintext -force)
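As an added example (my own script, not code from the original post), here is how the PFX import above and the service binding from the earlier section can be wrapped with the checks an administrator would want before a new certificate goes live: the PFX password is prompted for instead of being written into the command, and the imported certificate is compared against the host names the server actually publishes and against its expiry date before any service is bound to it. It assumes the Exchange Management Shell, the placeholder server name SERVERNAME and the path c:\Install\cert.pfx used in the post.

```powershell
# Added example (not from the original post): import a PFX and bind Exchange
# services only after the certificate has been checked. Assumes the Exchange
# Management Shell (Windows PowerShell) on an Exchange 2016 CU23 / 2019 CU12+ server.
param(
    [string]$Server  = "SERVERNAME",           # placeholder, as in the post
    [string]$PfxPath = "c:\Install\cert.pfx"   # path from the post
)

# Prompt for the PFX password instead of embedding it in the script or shell history.
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Same import call as in the post; the PFX file itself remains the backup copy,
# so the installed private key does not need to be exportable again.
$Imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
    -Password $PfxPassword `
    -PrivateKeyExportable $false
$Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Imported.Thumbprint

# Host names this server publishes to clients; each must be covered by the
# certificate, or Outlook and browsers will show name-mismatch warnings.
$VDirs = @(
    Get-OwaVirtualDirectory -Server $Server
    Get-EcpVirtualDirectory -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory -Server $Server
    Get-MapiVirtualDirectory -Server $Server
    Get-OabVirtualDirectory -Server $Server
)
$Urls = @($VDirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @((Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri)
$Expected = $Urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique

# CertificateDomains contains the subject CN and all SANs; a wildcard entry
# only covers a single additional label.
$Covered = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$Missing = $Expected | Where-Object {
    $h = $_
    -not ($Covered | Where-Object {
        $_ -eq $h -or ($_.StartsWith("*.") -and $h -like $_ -and
                       $h.Split('.').Count -eq $_.Split('.').Count) })
}
if ($Missing) { throw "Certificate $($Cert.Thumbprint) does not cover: $($Missing -join ', ')" }
if ($Cert.NotAfter -lt (Get-Date).AddDays(14)) { throw "Certificate expires $($Cert.NotAfter)" }

# All checks passed: bind the services exactly as in the post.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint -Services POP,IMAP,SMTP,IIS
$Cert.Thumbprint
```

If the script throws, the certificate stays installed but unbound, so the old certificate keeps serving clients until the mismatch is resolved.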