In a previous article, we examined the process of generating a certificate request for Exchange 2019. We then submitted that request to a certificate provider. Now that the certificate provider has validated our identity and issued our certificate, we are ready to move on to the next step.
In this article, we explore how to complete our certificate request using PowerShell. This process differs from the older cumulative updates (and Exchange 2013), where it was still possible to complete a third-party certificate request through the Exchange Admin Center (GUI).
If you are still on Exchange 2013, or older versions of Exchange 2016 or Exchange 2019, consider using this article instead for the Exchange Admin Center method.
Let’s get started!
Note: It is still possible to use the Exchange Admin Center to generate and renew self-signed certificates. Self-signed certificates are out of the scope of this article.
Complete a Certificate Request with PowerShell
As mentioned earlier, newer versions of Exchange 2016 and Exchange 2019 require that third-party certificate requests be completed through PowerShell. Third-party certificate requests can no longer be requested or renewed through the Exchange Admin Center.
To start, launch the Exchange Management Shell (either from the Exchange Server or a workstation that has the Exchange Management Tools installed).
To complete our pending certificate, we need to leverage the Import-ExchangeCertificate command. In our example below, the Import-ExchangeCertificate command is leveraging the following parameters.
C:\> Import-ExchangeCertificate -FriendlyName mail.exchangeservergeek.com -FileData ([System.IO.File]::ReadAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.cer')) -PrivateKeyExportable $true
- FriendlyName is purely for display. It identifies how you want the certificate to appear in the Exchange Admin Center and PowerShell. It is beneficial to put something descriptive in this field. If you omit this field, Exchange names the certificate “Microsoft Exchange”. In our example above, we made the friendly name the same as the subject name.
- FileData is the UNC path to the certificate we downloaded from the certificate authority. In our example, we saved this to our desktop for easy access.
- PrivateKeyExportable allows you to copy this certificate to other Exchange Servers. If you have more than one Exchange Server, you need this parameter set to $true. If you omit this parameter (or set it to $false), you can only use this certificate on the Exchange Server that generated the certificate request.
To verify that our certificate is installed, you can run the Get-ExchangeCertificate command.
C:\> Get-ExchangeCertificate | Format-Table FriendlyName, Status, PrivateKeyExportable FriendlyName Status PrivateKeyExportable ------------ ------ -------------------- mail.exchangeservergeek.com Valid True Microsoft Exchange Valid False Microsoft Exchange Server Auth Cert... Valid True WMSVC-SHA2 Valid True
In our next article, we will cover assigning services to the certificate. It is only when you assign services does the certificate become live.
Here are some articles I thought you might like.
- Generate a Certificate Request for Exchange 2016 and Exchange 2019
- Assign Services to a Certificate for Exchange 2016 and Exchange 2019
- Import & Export SSL Certificates in Exchange 2016 and Exchange 2019
- Renew a Certificate in Exchange 2016 & 2019
- Generate a Certificate Request for Exchange 2013
- Complete a Certificate Request in Exchange 2013
- Assign Services to a Certificate in Exchange 2013
- Import & Export a Certificate in Exchange 2013
- Renew a Certificate in Exchange 2013