In April 2022
Microsoft released CU 23 for Exchange 2016 and CU 12 for Exchange 2019.
While these updates, which were much delayed, were very welcome, one of the
changes which wasn't announced was the removal of the GUI management tools for
With Exchange being heavily web based since Exchange 2010, SSL certificates
play a key part in ensuring Exchange and its clients work correctly. The GUI
controls have been in place since Exchange 2010 was released.
However the commands used for Exchange 2007 don't work, so a new set of
commands is required.
Renewing an Existing
For most people, you
will be renewing the certificate. If you don't have any changes to make to the
current certificate settings, then a simple on-liner of PowerShell will issue a
new renewal request for you to use with your preferred SSL provider to get a
new certificate - just enter the thumbprint of the current certificate in the
Get-ExchangeCertificate -Thumbprint 123456789012344567890 |
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable:$true
get-exchangecertificate on its own to list the certificates currently installed
so that you can get the thumbprint.
However if this is a
new server installation, or you need to change the current certificate
configuration (for example to remove autodiscover.example.com as you are in
hybrid), then you will need to create a new certificate request.
Another one-liner will do this, but does need to be constructed beforehand with
the relevant information:
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable:$true -SubjectName "c=GB,o=Test
Picking apart that
The first part is
the ISO two letter designation for your country, followed by your company name.
cn= is the common name, which is usually the name used for OWA/ActiveSync etc
as it will appear directly on the SSL certificate. In the old wizard, it would
be set to the root of the domain (example.com) but most people would change it
to mail.example.com or whatever URL they were using for OWA.
The -DomainName elements are the additional names on the certificate. If you
are supporting multiple domains with Exchange and need Autodiscover to work
directly, rather than one of the other methods, you need to include them here.
Finally is the location to place the certificate request. Unlike the first
one-liner, this requires a file share, just like it did with the wizard. As
with the old wizard, I would create a dedicated share for this process on the
Exchange server, and give everyone full control. That will ensure that Exchange
can write to it.
The -PrivateKeyExportable:$true allows the certificate to be exported for use in another server. The default is false.
Whether a new or a
renewal request, once you have the certificate issued by the SSL provider, you
need to get it in to Exchange.
Use the same share
-Server Exchange01 -FileData
Exchange01 is the server where the certificate request was generated.
Certificate for use on Other Servers
If you have multiple
servers you will need to export the certificate to a PFX file, and then import
back in again.
Once again, run
get-exchangecertificate to find the thumbprint, then put it in the below
one-liner. You will probably want to use a more secure password as well! Note
that this command exports to a local folder, not a file share.
Export-ExchangeCertificate -BinaryEncoded -Thumbprint 98765432109876543210 -Password (ConvertTo-SecureString -String 'Password123'
To import the file,
use the following command, which goes back to using a file share for the source
-Server Exchange02 -FileData
(ConvertTo-SecureString -String 'Password123' -AsPlainText -Force)
With the certificate
now installed, the final step is to enable it.
Services can be IIS,
SMTP, IMAP and POP - any combination of them.
If you choose to include SMTP and get a prompt to replace the default
certificate, then choose no.
Update May 2022
This post was originally written using a single test server, so exporting the certificate wasn't required. The commands supplied by Microsoft in their process are as used above, but the resulting certificate cannot be exported. I have updated the above commands to include the ability to export the certificate so it can be used on other servers.