Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
To verify your public key infrastructure (PKI) and proxy configuration for a specific Edge Transport server, use Certutil.exe to verify the certificate chain for your Edge Transport server certificate. Certutil.exe is a command-line tool installed as part of Certificate Services in the Windows Server 2008 operating system. For more information, see Certutil.
Before you can run Certutil to verify the certificate chain for a specific certificate, the certificate must first be in file (.cer) format. Therefore, you must first export the certificate, but not the private keys, to the DER (.cer) file format.
The first procedure in this topic shows you how to add the Certificate Manager snap-in to the Microsoft Management Console (MMC). The second procedure explains how to use the Certificate Manager to export a certificate. The third procedure shows how you can run the Certutil command to verify the certificate chain.
Step 1: Add Certificate Manager to the Microsoft Management Console
To perform this procedure, the account you use must be delegated membership in the local Administrators group.
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in box, click Add.
- In the Available Snap-ins list, click Certificates, and then click Add.
- Click Computer Account, and then click Next.
- Click the Local computer (the computer this console is running on) option, and then click Finish.
- Click OK.
Step 2: Export the certificate
To perform this procedure, the account you use must be delegated membership in the local Administrators group.
- Open the Certificate Manager that you created in Step 1.
- Expand the Certificates (Local Computer) folder and the Personal folder, and then click the Certificates folder.
- In the details pane, right-click the certificate that you will use for Domain Security, click All Tasks, and then select Export. The Certificate Export Wizard will open.
- On the Welcome page, click Next.
- On the Export Private Key page, select No, do not export the private key, and then click Next.
- On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.
- On the File to Export page, enter the path and file name where you want to save the exported certificate, and then click Next.
- On the Finish page, verify the settings and then click Finish.
Step 3: Verify the certificate chain for the certificate
To perform this procedure, the account you use must be delegated membership in the local Administrators group.
On the Edge Transport server, open a Command Prompt window, and type the following command.
    Certutil -verify c:\CertificateName.cer

In this example, CertificateName is the Edge Transport server certificate that you exported in the previous procedure.
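The following script is an added example, not part of the original topic: it performs Steps 2 and 3 from an elevated PowerShell session by exporting the certificate without its private key in DER format and then running the same Certutil command. The parameter names, the thumbprint lookup, and the optional -urlfetch switch (a Certutil option that is not used in this topic) are assumptions of the example.

```powershell
# Added example: scripted equivalent of Steps 2 and 3. Not from the original topic.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                          # placeholder: thumbprint of the Domain Security certificate
    [string]$OutFile = 'C:\CertificateName.cer',  # same path as the topic's Certutil command
    [switch]$UrlFetch                             # assumption: pass certutil's -urlfetch option as well
)

$ErrorActionPreference = 'Stop'

# Strip spaces and hidden characters that come along when a thumbprint is
# copied out of the certificate dialog.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Step 2 equivalent: locate the certificate in Certificates (Local Computer) > Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $tp } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }

# X509ContentType 'Cert' is the DER-encoded certificate only. This export
# format cannot carry the private key.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Reload the file and confirm it is the intended certificate with no private key attached.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($check.Thumbprint -ne $tp -or $check.HasPrivateKey) {
    throw "Exported file $OutFile does not match the expected public certificate"
}

# Step 3 equivalent: verify the chain with Certutil.
$certutilArgs = @('-verify')
if ($UrlFetch) { $certutilArgs += '-urlfetch' }
$certutilArgs += $OutFile
& certutil.exe $certutilArgs

# Treat a non-zero exit code from certutil as a failed verification and
# review its output above for the failing element.
if ($LASTEXITCODE -ne 0) {
    throw ("certutil -verify failed with exit code 0x{0:X8}" -f $LASTEXITCODE)
}
Write-Host "Certificate chain verified for $($cert.Subject)"
```

The script uses the .NET Export method rather than the Export-Certificate cmdlet so that it also runs on the older PowerShell versions found on Windows Server 2008.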