Applies to: Exchange Server 2013

Topic Last Modified: 2013-01-11

Use the Export-ExchangeCertificate cmdlet to export an existing certificate from the certificate store on the local computer. You can export a certificate with its private key or a certificate request file.

Syntax

Export-ExchangeCertificate -Thumbprint <String> [-Server <ServerIdParameter>] <COMMON PARAMETERS>
Export-ExchangeCertificate [-Identity <ExchangeCertificateIdParameter>] <COMMON PARAMETERS>
COMMON PARAMETERS: [-BinaryEncoded <SwitchParameter>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FileName <String>] [-Password <SecureString>] [-WhatIf [<SwitchParameter>]]

Examples

EXAMPLE 1

This example exports a certificate specified by its thumbprint, along with the private key, to a file named htcert.pfx in the certificates directory on a Hub Transport server. The exported certificate is DER-encoded. A password is required when exporting a certificate with its private key.

The following command uses the Export-ExchangeCertificate cmdlet to export certificate data to the variable $file.

Copy Code
$file = Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Password (Get-Credential).password

The following command uses the Set-Content cmdlet to write data stored in the variable $file to the file htcert.pfx.

Copy Code
Set-Content -Path "c:\certificates\htcert.pfx" -Value $file.FileData -Encoding Byte

Detailed Description

The Export-ExchangeCertificate cmdlet creates either of the following files:

  • PKCS #10 file   If the thumbprint specified in the command points to a certificate request, the Export-ExchangeCertificate cmdlet creates a PKCS #10 file. A thumbprint is the digest of the certificate data. PKCS #10 is the Certification Request Syntax standard specified by RFC 2314. For more information, see PKCS #10: Certification Request Syntax.

  • PKCS #12 file   If the thumbprint specified in the command points to an actual certificate, the Export-ExchangeCertificate cmdlet creates a PKCS #12 file. PKCS #12 is the Personal Information Exchange Syntax standard specified by RSA Laboratories. For more information, see PKCS #12: Personal Information Exchange Syntax Standard.

    Important:
    When you use the Export-ExchangeCertificate cmdlet, you must export certificate data to a variable, as shown in "Examples" later in this topic, and then use the Set-Content cmdlet to write the data to a file. For more information about the Set-Content cmdlet, see Set-Content.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell Infrastructure Permissions topic.

Parameters

Parameter Required Type Description

Thumbprint

Required

System.String

The Thumbprint parameter specifies the thumbprint of the certificate that you're exporting. Each certificate contains a thumbprint, which is the digest of the certificate data. It can be retrieved by using the Get-ExchangeCertificate cmdlet.

BinaryEncoded

Optional

System.Management.Automation.SwitchParameter

The BinaryEncoded parameter specifies how the exported file is encoded. By default, this command creates a Base64-encoded file.

To create a DER-encoded file, set this parameter to $true.

Confirm

Optional

System.Management.Automation.SwitchParameter

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.

FileName

Optional

System.String

The FileName parameter specifies the name of the file that will contain the exported certificate.

Identity

Optional

Microsoft.Exchange.Configuration.Tasks.ExchangeCertificateIdParameter

The Identity parameter specifies the certificate ID.

Password

Optional

System.Security.SecureString

The Password parameter specifies the password for the private key that's exported with this command. Use the Get-Credential cmdlet to store the password variable.

The Get-Credential cmdlet will prompt you for a user name and password, but only the password field is used to export or import the certificate. Therefore, you don't have to use a real domain name or user name in the Name field. For implementation details, see "Examples" later in this topic.

Server

Optional

Microsoft.Exchange.Configuration.Tasks.ServerIdParameter

The Server parameter specifies the server name from which you want to export the certificate.

WhatIf

Optional

System.Management.Automation.SwitchParameter

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.