How to Request SAN Certificates Exchange 2010

How to Request a SAN Certificate for Exchange 2010

The next step is to create a certificate request from the Exchange server.  You can perform this task from the Exchange Management Shell, or from the console.

For an example of the Exchange Management Console steps see the previous article here.

From the Exchange Management Shell use the New-ExchangeCertificate cmdlet to generate a certificate request.  In this example I am requesting a certificate with the following attributes:

  • A friendly name of “Exchange 2010 Certificate”
  • The server’s FQDN
  • The alternative names of mail.exchangeserverpro.net, autodiscover.exchangeserverpro.net, and webmail.exchangeserverpro.net

I’m also using -GenerateRequest to create a certificate request rather than simply creating a self-signed certificate.

[PS] C:\>New-ExchangeCertificate -FriendlyName "Exchange 2010 Certificate" -IncludeServerFQDN -DomainName mail.exchangeserverpro.net,autodiscover.exchangeserverpro.net,webmail.exchangeserverpro.net -GenerateRequest -PrivateKeyExportable $true

The command will output a certificate request that looks similar to this.

-----BEGIN NEW CERTIFICATE REQUEST-----
(Base64-encoded request data)
-----END NEW CERTIFICATE REQUEST-----

Copy the output to your clipboard for the next steps.

Open your web browser and navigate to the web enrollment URL of your Certificate Services server (e.g. http://ca-server/certsrv).  Click on Request a Certificate.  Note that if you are running a Windows Server 2003 CA you may need an update to the web enrollment pages before you can proceed any further.

Choose Advanced Certificate Request.

Choose to Submit a Certificate request…, because we’ve already generated the request on the Exchange server earlier.

Paste the generated certificate request data into the form, and choose Web Server as the certificate template.  Click Submit to continue.

When the certificate has been issued, download the certificate file to your Exchange server.

Completing a Pending Certificate Request for Exchange Server 2010

The certificate has been issued and downloaded, and now the pending certificate request needs to be completed for Exchange Server 2010.

Launch the Exchange Management Console, navigate to Server Management, and choose the server that you imported the certificate to.  Right-click the new certificate and choose Complete Pending Request.

Browse and select the certificate file that was downloaded, and then continue to complete the wizard.

The certificate has now been installed and is ready to be assigned to Exchange services.

If you encounter an error message stating that “The certificate is invalid for exchange server usage” then see this article for the solution.
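
The same request-and-complete procedure can be run from the Exchange Management Shell, with a check of the names before submission and of the installed certificate afterwards. This script is an added example, not part of the original article; the C:\Certs paths and file names are assumptions, and the certutil match assumes English-language output. Steps 3 and 4 are run only after the CA has issued the certificate.

```powershell
# Added example for the Exchange 2010 Management Shell; not from the original article.
# Assumed: the C:\Certs paths and file names below are placeholders.
$names   = 'mail.exchangeserverpro.net',
           'autodiscover.exchangeserverpro.net',
           'webmail.exchangeserverpro.net'
$reqFile = 'C:\Certs\exchange2010.req'   # where the request is saved (assumed path)
$cerFile = 'C:\Certs\exchange2010.cer'   # certificate downloaded from the CA (assumed path)

# 1. Generate the request and write it to a file rather than copying console output.
#    -PrivateKeyExportable $true lets an administrator export the key later,
#    so any exported .pfx must be protected like the key itself.
$request = New-ExchangeCertificate -FriendlyName 'Exchange 2010 Certificate' `
    -IncludeServerFQDN -DomainName $names -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $request

# 2. Decode the request and confirm every alternative name is present before
#    pasting it into the web enrollment form (match assumes English certutil output).
$dump = (certutil -dump $reqFile) -join "`n"
foreach ($n in $names) {
    if ($dump -notmatch [regex]::Escape("DNS Name=$n")) {
        Write-Warning "Request does not contain SAN: $n"
    }
}

# 3. Run after the CA has issued the certificate: complete the pending request.
$bytes = [Byte[]]$(Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 4. Check what was installed: names, private key, and status.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$have      = $installed.CertificateDomains | ForEach-Object { $_.ToString() }
$missing   = $names | Where-Object { $have -notcontains $_ }

$installed | Format-List Thumbprint, Status, HasPrivateKey, IsSelfSigned, NotAfter, CertificateDomains, Services
if ($missing) { Write-Warning "Installed certificate lacks: $($missing -join ', ')" }
if ("$($installed.Status)" -ne 'Valid') { Write-Warning "Certificate status is $($installed.Status)" }
if (-not $installed.HasPrivateKey) { Write-Warning 'No private key is associated with the certificate' }
```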

