New-ExchangeCertificate
Applies to: Exchange Server 2013
Topic Last Modified: 2012-09-18
Use the New-ExchangeCertificate cmdlet to create a self-signed certificate, renew an existing self-signed certificate, or generate a new certificate request for obtaining a certificate from a certification authority (CA).
For information about the parameter sets in the Syntax section below, see Syntax.
New-ExchangeCertificate [-BinaryEncoded <SwitchParameter>] [-GenerateRequest <SwitchParameter>] [-RequestFile <String>] <COMMON PARAMETERS>
New-ExchangeCertificate [-Services <None | IMAP | POP | UM | IIS | SMTP | Federation | UMCallRouter>] <COMMON PARAMETERS>
COMMON PARAMETERS: [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-DomainName <MultiValuedProperty>] [-Force <SwitchParameter>] [-FriendlyName <String>] [-IncludeAcceptedDomains <SwitchParameter>] [-IncludeAutoDiscover <SwitchParameter>] [-IncludeServerFQDN <SwitchParameter>] [-IncludeServerNetBIOSName <SwitchParameter>] [-Instance <X509Certificate2>] [-KeySize <Int32>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-SubjectKeyIdentifier <String>] [-SubjectName <X500DistinguishedName>] [-WhatIf [<SwitchParameter>]]
This example runs the New-ExchangeCertificate cmdlet without parameters and generates a self-signed certificate. The certificate has the fully qualified domain name (FQDN) of the local computer as the subject name. The Network Service local security principal is also granted read access to the private key associated with the certificate. In addition, the certificate is published to Active Directory so that Exchange direct trust can validate the authenticity of the server for mutual TLS. A self-signed certificate is trusted only by other Exchange servers through direct trust; clients and external mail systems will not trust it, so it is suitable for server-to-server traffic and lab use, not for client-facing services.
New-ExchangeCertificate
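As an added example that is not part of the original page, the following creates a self-signed certificate with an explicit subject, explicit subject alternative names, a 4096-bit key and a non-exportable private key, and then reads the result back so that the names and key properties can be checked before the certificate is used. The friendly name and host names are assumptions.

```powershell
# Added example (not from the original page). Host names and the friendly name are
# assumptions; replace them with the names your servers actually present.
$cert = New-ExchangeCertificate `
    -FriendlyName "Lab internal TLS" `
    -SubjectName "cn=mail1.woodgrovebank.com" `
    -DomainName mail1.woodgrovebank.com, autodiscover.woodgrovebank.com `
    -KeySize 4096 `
    -PrivateKeyExportable $false `
    -Services None `
    -Confirm:$false

# Read the certificate back from the store and confirm that only the intended names
# are present, that it is self-signed, and that the private key cannot be exported.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Issuer, NotAfter, `
                IsSelfSigned, PrivateKeyExportable, Services
```

Passing -Services None keeps the cmdlet from binding the new certificate to any service; assign services later with Enable-ExchangeCertificate once the output above looks right.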
This example outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a CA within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output in an email message or in the appropriate field on the certificate request web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.
The certificate that results has the following attributes associated with it:
- Subject name: c=US,o=Woodgrove Bank,cn=mail1.woodgrovebank.com
- Subject alternate names: woodgrovebank.com and example.com
- An exportable private key (PrivateKeyExportable $true allows the certificate and its private key to be exported later, for example to copy them to another server; the default is $false, and an exportable key can be extracted by anyone with local administrator rights on the server, so set it to $true only when you need it)
New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable $true
This example is a variation of the certificate request generated in EXAMPLE 2. Instead of manually pasting the certificate request output produced by the cmdlet, the Set-Content cmdlet is used to write the request to a file.
The certificate that results has the following attributes associated with it:
- Subject name: c=US,o=Woodgrove Bank,cn=mail1.woodgrovebank.com
- Subject alternate names: woodgrovebank.com and example.com
- An exportable private key
In the first step, the New-ExchangeCertificate cmdlet is used to generate the certificate request and save the output in a variable named $Data.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -PrivateKeyExportable $true
In the second step, the Set-Content cmdlet is used to write data from the variable to the certificate request file MyCertRequest.req in the Docs folder.
Set-Content -path "C:\Docs\MyCertRequest.req" -Value $Data
This example creates a DER-encoded certificate request file. The BinaryEncoded parameter is used to generate a DER-encoded certificate request. The Set-Content cmdlet is used with the Encoding parameter to write the request to a file.
The certificate that results will have the following attributes associated with it:
- Subject name: c=ES,o=Woodgrove Bank,cn=mail1.woodgrovebank.com
- Subject alternate names: woodgrovebank.com and example.com
- An exportable private key
In the first step, the New-ExchangeCertificate cmdlet is used to generate the certificate request in DER-encoded format and save the output in a variable named $Data.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=ES, o=Woodgrove Bank, cn=mail1.woodgrovebank.com" -DomainName woodgrovebank.com, example.com -BinaryEncoded -PrivateKeyExportable $true
In the second step, the Set-Content cmdlet is used to write data from the variable to the certificate request file MyCertRequest.req in the Docs folder.
Set-Content -path "C:\Docs\MyCertRequest.req" -Value $Data.FileData -Encoding Byte
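The request examples above stop at the point where the file is handed to a CA. As an added example that is not part of the original page, the following carries the procedure through to the end: generate the request, complete it with the certificate the CA returns, verify the result, and only then bind it to services. The paths, host names and the issued-certificate file name are assumptions; Import-ExchangeCertificate and Enable-ExchangeCertificate are the companion Exchange cmdlets for completing and assigning a certificate.

```powershell
# Added example (not from the original page). Paths, host names and the CA-issued
# file name are assumptions; the CA submission itself happens outside Exchange.

# 1. Generate the Base64 request. The private key is created in the local machine
#    store and never leaves the server; keep it non-exportable unless the
#    certificate must later be copied to other servers.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Woodgrove Bank, cn=mail.woodgrovebank.com" `
    -DomainName mail.woodgrovebank.com, autodiscover.woodgrovebank.com `
    -KeySize 2048 `
    -PrivateKeyExportable $false
Set-Content -Path "C:\Docs\MailCertRequest.req" -Value $req

# 2. Submit C:\Docs\MailCertRequest.req to the CA and save the issued certificate as
#    C:\Docs\MailCert.cer on the SAME server: the pending request can only be
#    completed where the matching private key lives.

# 3. Complete the request. The issued certificate is matched to the pending request
#    by its public key.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path "C:\Docs\MailCert.cer" -Encoding Byte -ReadCount 0))

# 4. Verify before binding anything: names are the ones requested, the chain builds
#    (Status is Valid), and the key is present and non-exportable.
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ($check.Status -ne 'Valid') {
    throw "Certificate $($cert.Thumbprint) has status $($check.Status); fix the chain before enabling it."
}
$check | Format-List Subject, CertificateDomains, Issuer, NotAfter, Status, PrivateKeyExportable

# 5. Bind it. IIS covers OWA, EAS, EWS and Autodiscover; SMTP makes it a candidate
#    for STARTTLS on the transport services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Confirm:$false
```

If Status is anything other than Valid, the usual cause is a missing intermediate CA certificate on the server; install it into the computer's Intermediate Certification Authorities store and re-check before enabling services, because clients will otherwise see an untrusted chain.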
This example shows how to renew a self-signed certificate with a specific thumbprint value. You can obtain the thumbprint value in one of two ways.
- Select the certificate in the Exchange Administration Center, and then select Edit to view properties of the certificate. The thumbprint value is shown in the Exchange Certificate window.
- Run the Get-ExchangeCertificate cmdlet to return a list of all certificates installed on the server with their thumbprint values.
Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate
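Renewal produces a new certificate with a new thumbprint; the old one stays in the store. As an added example that is not part of the original page, the following generalizes the one-certificate renewal above: it finds every self-signed certificate on the server that expires within a chosen window, renews each by piping it to New-ExchangeCertificate, and verifies that the replacement actually extends validity. The 30-day window is an assumption.

```powershell
# Added example (not from the original page). The 30-day window is an assumption;
# pick whatever lead time your monitoring and change process need.
$cutoff   = (Get-Date).AddDays(30)
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt $cutoff }

if (-not $expiring) { "No self-signed certificates expire before $cutoff." }

foreach ($old in $expiring) {
    # Piping the existing certificate supplies the -Instance parameter; the new
    # certificate keeps the same subject and SANs but has a new thumbprint.
    $new    = $old | New-ExchangeCertificate -Confirm:$false
    $verify = Get-ExchangeCertificate -Thumbprint $new.Thumbprint

    if ($verify.NotAfter -le $old.NotAfter) {
        throw "Renewal of $($old.Thumbprint) did not extend validity; investigate before removing the old certificate."
    }

    "{0} -> {1} (new expiry {2}); services on old: {3}; services on new: {4}" -f `
        $old.Thumbprint, $new.Thumbprint, $verify.NotAfter, $old.Services, $verify.Services
}

# Superseded certificates are not removed automatically. Review the bindings, make
# sure each service still has a valid certificate, then clean up explicitly, e.g.:
#   Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, IsSelfSigned
#   Remove-ExchangeCertificate -Thumbprint <old thumbprint>
```

Compare the two Services columns in the output for each pair; if the new certificate is not bound to the services the old one served, assign them with Enable-ExchangeCertificate before the old certificate expires.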
Microsoft Exchange Server 2013 uses certificates for SSL and TLS encryption. The New-ExchangeCertificate cmdlet uses many parameters of type SwitchParameter. For more information about how to use this parameter type, see "Switch Parameters" in Parameters.
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell Infrastructure Permissions topic.