Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-18

To verify your public key infrastructure (PKI) and proxy configuration for a specific Edge Transport server, use Certutil.exe to verify the certificate chain for your Edge Transport server certificate. Certutil.exe is a command-line tool that is installed as part of Certificate Services in Microsoft Windows Server 2003 operating systems. For more information, see Certutil.

Before you can run Certutil to verify the certificate chain for a given certificate, the certificate must first be in file (.cer) format. Therefore, you must first export the certificate, but not the private keys, to the DER (.cer) file format.

The first procedure in this topic shows you how to add the Certificate Manager snap-in to Microsoft Management Console (MMC). The second procedure explains how to use the Certificate Manager to export a certificate. The third procedure shows how you can run the Certutil command to verify the certificate chain.

To perform these procedures, the account you use must be delegated the following:

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

To add Certificate Manager to Microsoft Management Console

  1. Click Start, click Run, type mmc, and then click OK.

  2. In the File menu, click Add/Remove Snap-in.

  3. In the Add/Remove Snap-in box, click Add.

  4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.

  5. Click Computer Account, and then click Next.

  6. Click the Local computer (the computer this console is running on) option, and then click Finish.

  7. Click Close, and then click OK.

To export a certificate

  1. Open the Certificate Manager that you created in the first procedure.

  2. Open the Certificates (Local Computer) folder, the Personal folder, and then the Certificates folder.

  3. In the details pane, right-click the certificate that you will use for Domain Security, click All Task, and then select Export. The Certificate Export Wizard will open.

  4. On the Welcome page, click Next.

  5. On the Export Private Key page, select No, do not export the private key, and then click Next.

  6. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

  7. On the File to Export page, enter the path and file name where you want to save the exported certificate, and then click Next.

  8. On the Finish page, verify the settings and then click Finish.

To verify the certificate chain for a certificate

  • On the Edge Transport server, open a Command Prompt window. Type the following command:

    Copy Code
    Certutil -verify c:\CertificateName.cer

    Where CertificateName is the Edge Transport server certificate that you exported in the previous procedure.

For More Information

For more information, see Managing Domain Security.