Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-02-01

Microsoft Exchange Server 2010 creates a self-signed certificate during installation that uses all the server and domain names known to Exchange at the time of installation. However, you can also use certificates signed by a certification authority (CA). If you are using a CA to generate certificates, you must provide a certificate request according to that CA's requirements.

To generate a certificate request, you can use the New-ExchangeCertificate cmdlet with the GenerateRequest parameter. You can then save the request in a file using the Set-Content cmdlet. The resulting file will be a PKCS #10 request (.req) file. PKCS #10 is the Certification Request Syntax Standard specified by RFC 2314. (For details, see http://www.ietf.org/rfc/rfc2314.txt.)

Looking for other management tasks related to certificates? Check out Certificates.

Prerequisites

You must contact your CA to determine its requirements for new certificate requests.

Use the Shell to generate a certificate request from a CA

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in the Transport Permissions topic.

Note:
For instructions on using the Exchange Management Shell to generate a certificate request, see Create a New Exchange Certificate.

This example generates a certificate request for the Contoso server, mail1. The common name (CN) of the Subject Name contains the fully qualified domain name (FQDN) of the server and the Subject Alternative Name contains all the accepted domains for Contoso.

$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=contoso corp, cn=mail1.contoso.com" -IncludeAcceptedDomains
Set-Content -Path "c:\Certificates\mail1.contoso.com.req" -Value $Data

This example generates a certificate request for the Contoso server, mail1. The certificate request is similar to the preceding example, but the certificate request is saved as a DER-encoded certificate request file.

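# -BinaryEncoded returns the request as DER bytes in the FileData property; without it, the cmdlet returns a Base64 string.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=contoso corp, cn=mail1.contoso.com" -IncludeAcceptedDomains -BinaryEncoded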
Set-Content -Path "c:\Certificates\mail1.contoso.com.req" -Value $Data.FileData -Encoding Byte

This example creates a certificate request from an existing Contoso.com certificate.

$Data = Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate -GenerateRequest -SubjectName "C=us, O=contoso corp, CN=mail1.contoso.com"
Set-Content -Path "c:\certificates\mail1.contoso.com.req" -Value $Data

This example creates a certificate request with a wildcard character for all Contoso.com subdomains.

$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=us, O=contoso corp, CN=mail1.contoso.com" -DomainName *.contoso.com
Set-Content -Path "c:\certificates\mail1.contoso.com.req" -Value $Data

For detailed syntax and parameter information, see New-ExchangeCertificate.
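
Because the IncludeAcceptedDomains and DomainName parameters decide which names the CA is asked to certify, it is worth reviewing a saved request before you submit it. The following is an added example, not part of the original topic or Microsoft's own code: `Test-CertificateRequest` is a hypothetical helper, the allow list is a constructed sample, and the parsing assumes English-language `certutil -dump` output.

```powershell
# Added example (not from the original topic): review a saved request before it goes to the CA.
# Test-CertificateRequest is a hypothetical helper; it parses English-language `certutil -dump` output.
function Test-CertificateRequest {
    param(
        [Parameter(Mandatory = $true)] [string]   $Path,
        [Parameter(Mandatory = $true)] [string[]] $AllowedNames,
        [int] $MinimumKeyBits = 2048   # assumed policy value; use your CA's requirement
    )

    # certutil decodes both Base64 and DER-encoded PKCS #10 files.
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil could not parse '$Path': $($dump -join ' ')"
    }

    # Key size appears as "Public Key Length: 2048 bits".
    $keyBits = 0
    foreach ($line in $dump) {
        if ($line -match 'Public Key Length:\s*(\d+)\s*bits') { $keyBits = [int]$Matches[1]; break }
    }

    # Subject alternative names appear as "DNS Name=host.example.com".
    $sanNames = @($dump | ForEach-Object {
        if ($_ -match 'DNS Name=(\S+)') { $Matches[1].ToLowerInvariant() }
    } | Sort-Object -Unique)

    $allowed    = @($AllowedNames | ForEach-Object { $_.ToLowerInvariant() })
    $unexpected = @($sanNames | Where-Object { $allowed -notcontains $_ })
    $missing    = @($allowed  | Where-Object { $sanNames -notcontains $_ })

    New-Object PSObject -Property @{
        Path            = $Path
        KeyBits         = $keyBits
        KeySizeOk       = ($keyBits -ge $MinimumKeyBits)
        SanNames        = $sanNames
        UnexpectedNames = $unexpected   # names the CA would certify that you did not intend
        MissingNames    = $missing      # names you expected that are not in the request
    }
}

# Usage with the file written by the first example; the allow list is a constructed sample.
$result = Test-CertificateRequest -Path "c:\Certificates\mail1.contoso.com.req" `
    -AllowedNames "mail1.contoso.com", "contoso.com"
$result | Format-List
if ($result.UnexpectedNames -or $result.MissingNames -or -not $result.KeySizeOk) {
    Write-Warning "Request does not match the intended names or key size; do not submit it as is."
}
```

The helper checks only the key length and the DNS names in the Subject Alternative Name extension; review the Subject line in the `certutil -dump` output separately.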

Other Tasks

After you generate the certificate request, you may also want to install the certificate issued by the CA in your organization. For detailed steps, see Install Certificates Issued for Certificate Requests.