Managing certificates in Exchange 2010

If you are familiar with Exchange 2007 and are installing Exchange 2010 for the first time, you will already have noticed that the PowerShell commands used to request and install certificates in Exchange 2007 no longer work in Exchange 2010.

For instance, running

New-ExchangeCertificate -GenerateRequest -domainname mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -privatekeyexportable:$true -path c:\cert_myserver.txt

will fail with the following error:

A positional parameter cannot be found that accepts argument ‘-Path’.
+ CategoryInfo : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate

and running

Import-ExchangeCertificate -path "c:\CertNew.cer"

will also fail with the same error:

A positional parameter cannot be found that accepts argument ‘-path’.
+ CategoryInfo : InvalidArgument: (:) [Import-ExchangeCertificate], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Import-ExchangeCertificate

Here are the commands you should use for Exchange 2010.

To request a certificate

$Data = New-ExchangeCertificate -GenerateRequest -domainname mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -privatekeyexportable:$true

Set-Content -path "C:\MyCertRequest.req" -Value $Data

To import a .cer certificate

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\CertNew.cer -Encoding byte -ReadCount 0))

To import a .crt certificate

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\Certfile.crt -Encoding byte -ReadCount 0))

To import a .pfx certificate

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\CertwithPriv.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

N.B.: You will be prompted for a username and password. You can put anything in the user name; just don't leave it blank. The password, however, must match the password of the .pfx file.

To import a .p7b certificate

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\IssuedCert.p7b -Encoding byte -ReadCount 0))

To enable the certificate

This has not changed from Exchange 2007. First get the certificate thumbprint by running

Get-ExchangeCertificate

Then enable it by running

Enable-ExchangeCertificate thumbprintCopied -Services "IIS,POP,IMAP"
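
A pre-import check for the import and enable steps above, added here as an example and not part of the original post: it loads the file with .NET, confirms the validity dates and the expected host names, and only then calls the Exchange cmdlets. The $Expected list and the assumption that Windows renders each SAN entry as "label=name" are illustrative.

```powershell
# Added example: vet a certificate file, then import and enable it.
# $Path and $Expected are sample values taken from the article's commands.
$Path     = 'c:\CertNew.cer'      # a .cer/.crt, or a .pfx with its private key
$Expected = 'mail.contoso.msft', 'autodiscover.contoso.msft'
$X509     = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# Same byte-array read the article passes to -FileData
$Bytes = [Byte[]]$(Get-Content -Path $Path -Encoding Byte -ReadCount 0)

$Password = $null
if ($Path -like '*.pfx') {
    # SecureString prompt: no dummy user name, password never echoed
    $Password = Read-Host -Prompt 'PFX password' -AsSecureString
    $Cert = New-Object $X509 -ArgumentList $Bytes, $Password
} else {
    $Cert = New-Object $X509 -ArgumentList (,$Bytes)
}

# Subject Alternative Name extension (OID 2.5.29.17), formatted on one line
$SanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$SanText = if ($SanExt) { $SanExt.Format($false) } else { '' }

# Assumption: entries render as "<label>=<name>" separated by ", "
$Missing = $Expected | Where-Object {
    $SanText -notmatch ('=' + [regex]::Escape($_) + '(,|$)')
}
$Now     = Get-Date
$InDates = ($Cert.NotBefore -le $Now) -and ($Cert.NotAfter -gt $Now)

"Subject    : $($Cert.Subject)"
"Issuer     : $($Cert.Issuer)"
"Thumbprint : $($Cert.Thumbprint)"
"Valid      : $($Cert.NotBefore) to $($Cert.NotAfter)"

if ($Missing -or -not $InDates) {
    Write-Warning "Not importing. Missing names: $($Missing -join ', '); within validity period: $InDates"
} else {
    if ($Password) {
        Import-ExchangeCertificate -FileData $Bytes -Password $Password
    } else {
        Import-ExchangeCertificate -FileData $Bytes
    }
    Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,POP,IMAP"
}
```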

I have been working in IT consultancy and solution integration since 1998 and I consider myself lucky to be one of the few making a living out of my passion. I am also a member of the famous Experts Exchange online community, where I try my best to share what I have learned along the road.

4 comments on “Managing certificates in Exchange 2010”
  1. Elie M. says:

    Thank you SO much I have been looking for this!
    I am lucky to have found your site

  2. Sparksrd says:

    Hello Antoine
    Thanks for the brief and accurate information. Appreciate your information sharing.
    Sparksrd

  3. JT says:

    It's great to have found your site. I'm getting a "thumbprint already exists" when trying to import the cert. Is there a parameter to overwrite / refresh the cert? I had deleted the cert from the Exchange console Server Hub page and have not rebooted yet (mistakenly deleted it).
