The Exchange 2007 Wiki

New-ExchangeCertificate

MSFT Synopsis:

Use the New-ExchangeCertificate cmdlet to create a new self-signed certificate or a new certificate request for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services.
There are many variables that you must consider when configuring certificates for SSL and TLS services. You must understand how these variables may affect your overall configuration. Before you continue, read How to Create a Certificate or Certificate Request for SSL/TLS.

When to Use:

The primary use of this cmdlet is to create a certificate request (-GenerateRequest) to submit to a certificate authority for the issuance of a new certificate. Run without -GenerateRequest it instead creates a self-signed certificate, which is what Exchange 2007 setup installs by default and which no client outside the organization will trust.

Gotchas:

When you use New-ExchangeCertificate with -GenerateRequest, the private key is created on that server and held there as a pending request. Once the certificate authority returns the issued certificate, always complete the request with [[import-exchangecertificate import-exchangecertificate]] on the same server, so the certificate is paired with that private key; a certificate imported elsewhere, or into a server that never generated the request, will have no private key and cannot be enabled. After the import, bind the certificate to services with Enable-ExchangeCertificate.

Also, before generating the request, validate that your certificate vendor will issue a certificate carrying the Subject Alternative Name (SAN) property set. At the time of writing many vendors did not, which forces you to instead purchase multiple single-name certificates or a wildcard certificate.

Vendor support as listed when this page was written (2007); check current offerings before ordering:

Certificate Vendor   SAN Support
Entrust              Yes - look for the Unified Communications Certificate (UCC) on their website
Thawte               Does not support SAN certs, does support wildcard certs
VeriSign             Does support SAN certs but requires an Enterprise Agreement to provision SAN certs
DigiCert             Yes, look for UCC on their site. Supports wildcard certs also


Role:

This command applies to the following Exchange Roles.

Permissions:

The following permissions are required when you run this command.

Subject Alternative Name

When creating a certificate that uses the Subject Alternative Name property set, validate that your certificate vendor supports the SAN extension. Currently VeriSign supports SAN certificates (but requires an Enterprise Agreement), Thawte does not (as of 4/16/2007), and Entrust does. Entrust has a special section on their site for Unified Communications Certificates (usable for Exchange 2007 or OCS 2007); search for UCC certificates. The names you pass in -DomainName become the SAN entries. Include the host name from the subject's cn in -DomainName as well: a client that finds a SAN extension matches the server name against the SAN list only and ignores the cn (RFC 2818, section 3.1), so a cn that is absent from the SAN fails validation even though the CA issued it.

Also, when you specify the -SubjectName parameter on the request, include the country code (c=) and organization (o=) along with the common name (cn=); public certificate authorities expect them to match the organization they verify before issuing. For example, for the company Contoso in the USA the -SubjectName parameter would look like:

-SubjectName "c=US, o=Contoso, cn=mail1.contoso.com"

And for the company Fabrikam in the UK the request would look like:

-SubjectName "c=GB, o=Fabrikam, cn=mail32.fabrikam.com"

{Note - the c= value is an ISO 3166-1 alpha-2 country code, so the UK is represented by GB, not UK, when requesting certificates}.

Examples:

MSFT:

 

Description:  Create a request file for a Subject Alternative Name certificate (the alternate names would be woodgrove.com and example.com). Note that Microsoft's example does not repeat the cn host name in -DomainName; in practice add it there too, for the reason given under Subject Alternative Name above.
Command: New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Diversión de Bicicleta, cn=mail1.DiversiondeBicicleta.com" -DomainName woodgrove.com, example.com -PrivateKeyExportable $true

 

Additional:
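An added end-to-end example for the Exchange 2007 Management Shell that ties the gotchas above together: generate a SAN request whose -DomainName list also repeats the cn, inspect the request before submitting it, complete it with Import-ExchangeCertificate on the same server, check that the issued certificate actually carries every requested name and a private key, and only then bind it with Enable-ExchangeCertificate. This is not code from the original page or from Microsoft's documentation; the host names, organization and file paths are placeholders.

```powershell
# Added example for the Exchange 2007 Management Shell (PowerShell 1.0), not from
# the original page or from Microsoft's documentation. Host names, organization
# and paths are assumptions; replace them with your own values.

$Cn      = "mail1.contoso.com"
$SanList = @($Cn, "autodiscover.contoso.com", "contoso.com")
$ReqPath = "C:\certificates\mail1-request.req"
$CerPath = "C:\certificates\mail1-issued.cer"

# 1. Generate the request. The private key is created on this server and held
#    as a pending request. $Cn is repeated in -DomainName on purpose: when a SAN
#    extension is present, clients match the host name against the SAN only
#    (RFC 2818, 3.1), so a cn missing from the SAN would fail validation.
#    Set -PrivateKeyExportable to $false if the key never needs to leave this
#    server; exportable keys are easier to copy to other CAS servers and to steal.
New-ExchangeCertificate -GenerateRequest `
    -Path $ReqPath `
    -SubjectName "c=US, o=Contoso, cn=$Cn" `
    -DomainName $SanList `
    -PrivateKeyExportable $true

# 2. Before paying for the certificate, confirm the request really carries the
#    SAN list: the "Subject Alternative Name" section of the dump must show every
#    DNS name in $SanList.
certutil -dump $ReqPath

# 3. Submit $ReqPath to the CA and save the issued certificate as $CerPath. Then
#    complete the request on the SAME server that generated it, so the
#    certificate is paired with the private key from step 1.
#    Import-ExchangeCertificate returns the new certificate object.
$Cert = Import-ExchangeCertificate -Path $CerPath

# 4. Verify the CA issued what was requested: private key attached and every
#    SAN name present. Refuse to enable the certificate otherwise.
if (-not $Cert.HasPrivateKey) {
    throw "Certificate $($Cert.Thumbprint) has no private key; was the request generated on this server?"
}
$Missing = @($SanList | Where-Object { $Cert.CertificateDomains -notcontains $_ })
if ($Missing.Count -gt 0) {
    throw ("Issued certificate is missing SAN entries: " + [string]::Join(", ", $Missing))
}

# 5. Bind the certificate to the services that need it. Services not listed
#    keep whatever certificate they currently use.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS, SMTP"

# 6. Show the result: subject, SAN list, bound services and expiry.
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Step 4 is the check most people skip: some CAs silently drop SAN entries they could not validate, and the certificate will still import cleanly, so compare the issued CertificateDomains against what you asked for before you enable it for IIS and SMTP.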


Links:

Creating a Certificate or Certificate Request for TLS
http://technet.microsoft.com/en-us/library/72048bc1-6d01-4279-8d21-4282b86b522c.aspx

New-ExchangeCertificate
http://technet.microsoft.com/en-us/library/5e0b61b0-ece6-4d9b-949a-f6a032dd0fb9.aspx

Last Modified 9/17/07 7:28 PM