Issuing a certificate to Exchange 2010 using an Internal Certificate Authority (CA)

Scenario

You’ve installed Active Directory Certificate Services and need to issue a certificate to Exchange 2010.

Solution

  1. Open the Exchange Management Shell (EMS) and run the following command to generate a certificate request:
    New-ExchangeCertificate -FriendlyName "Exchange 2010 Certificate" -IncludeServerFQDN -DomainName mail.domain.co.uk,autodiscover.domain.co.uk -GenerateRequest -PrivateKeyExportable $true
  2. The command outputs the request as base-64-encoded PKCS #10 text between the following BEGIN and END lines:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    -----END NEW CERTIFICATE REQUEST-----
  3. Open a browser and navigate to your Root CA. The default URL is http://<CA server name>/certsrv, but I had to append /en-us (http://<CA server name>/certsrv/en-us) to view the welcome page.
  4. Click Request a certificate.
  5. Click advanced certificate request.
  6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  7. Paste the certificate request text (from step 2) into the Saved Request field, select Web Server from the Certificate Template drop-down menu, then click Submit.
  8. Select Base 64 encoded, then click Download certificate.
  9. Open Exchange Management Console > Server Configuration > Select your server.
  10. Right-click the new certificate and select Complete Pending Request.
  11. Browse to the downloaded certificate, then click Complete.
  12. Once completed, click Finish.
  13. Right-click the new certificate and select Assign Services to Certificate.
  14. Select your server, then click Next.
  15. Select the required services, then click Next.
  16. Click Assign.
  17. Click Yes to All if a warning appears.
  18. Once completed, click Finish.
  19. Job done!
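
The same procedure run from the Exchange Management Shell, as an added example that is not part of the original post: it saves the request to a file, submits it to the CA with certreq, and checks that the issued certificate carries the requested names before assigning services. The folder C:\certs, the CA config string placeholder and the IIS,SMTP service list are assumptions; substitute your own values.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$dir      = 'C:\certs'                  # assumed working folder, must already exist
$caConfig = '<CA-host>\<CA-name>'       # placeholder: config string of your internal CA
$names    = 'mail.domain.co.uk','autodiscover.domain.co.uk'   # names from step 1
$services = 'IIS,SMTP'                  # assumption: the services chosen in step 15

# Step 1: generate the request and save it instead of copying it from the console.
# -PrivateKeyExportable $true is kept as on the page; it is only needed when the
# certificate and key must later be exported to another server.
$req = New-ExchangeCertificate -FriendlyName "Exchange 2010 Certificate" `
    -IncludeServerFQDN -DomainName $names -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path "$dir\exchange.req" -Value $req

# Review the subject and Subject Alternative Names before the CA signs them.
certutil -dump "$dir\exchange.req"

# Steps 3-8: submit to the CA with the Web Server template and save the result.
certreq -submit -config $caConfig -attrib "CertificateTemplate:WebServer" `
    "$dir\exchange.req" "$dir\exchange.cer"
if (-not (Test-Path "$dir\exchange.cer")) {
    throw "No certificate was returned; the request may be denied or pending approval on the CA."
}

# Steps 9-12: complete the pending request by importing the issued certificate.
$bytes = [Byte[]]$(Get-Content -Path "$dir\exchange.cer" -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# Refuse to assign services if the issued certificate lacks a requested name.
$issued  = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing: $($missing -join ', ')"
}

# Steps 13-18: assign services, then confirm what is now bound to the certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject,CertificateDomains,Services,NotAfter,Status
```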

Comments

  1. Faisal khan says

    Many thanks for such helpful notes, and it helped me out so quickly. Loved it. Thanks again.

  2. I use this year after year as a reference for renewing my certificates. Thanks!