Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-08-25

Microsoft Exchange Server 2010 creates a self-signed certificate during installation that uses all the server and domain names that are known to Exchange at the time of installation. These certificates are valid for 12 months. In some cases, it may make sense to clone these certificates if the Subject and Subject Alternative Names can be used for other computers. Be aware that only the certificate metadata and not the key sets are cloned.

Looking for other management tasks related to certificates? See Certificates.

Use the Shell to clone an existing certificate

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in the Transport Permissions topic.

Note:
You can't use the EMC to clone an existing certificate.

To clone a new certificate from an existing certificate, you must first identify the current default certificate for the domain by using the Get-ExchangeCertificate cmdlet. The following example clones the self-signed Exchange certificate for the FQDN mail1.contoso.com. It first retrieves the certificates for mail1.contoso.com, then filters the result for the self-signed certificate, and finally pipes that result to the New-ExchangeCertificate cmdlet to clone a new certificate.

Get-ExchangeCertificate -DomainName mail1.contoso.com | Where {$_.IsSelfSigned -eq $true} | New-ExchangeCertificate

After you run this command, the Shell displays a prompt asking whether you want to overwrite the existing default SMTP certificate. Type N to clone the certificate without overwriting the default SMTP certificate.

The example above assumes that there is only a single self-signed Exchange certificate in your deployment, which is the case in a typical installation. However, if you have multiple self-signed certificates in your organization, you should first run the Get-ExchangeCertificate cmdlet and then use the thumbprint of the specific certificate you want to clone. The following example shows how to clone an existing certificate in this manner, assuming that the thumbprint value for the certificate you want to clone is c4248cd7065c87cb942d60f7293feb7d533a4afc. The first command displays the details of the installed self-signed certificates so that you can determine which thumbprint to use; the second command clones the certificate with that thumbprint.

Get-ExchangeCertificate -DomainName mail1.contoso.com | Where {$_.IsSelfSigned -eq $true} | Format-List CertificateDomains,Services,Subject,Thumbprint
Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate
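The following script, added here as an example and not part of this topic, combines the two procedures above: it lists the self-signed certificates for the FQDN with their expiry dates, clones the only match (or one you select by thumbprint when there are several), and then confirms that a new thumbprint was created and that the original certificate still holds its service bindings. It assumes the Exchange Management Shell is loaded and uses mail1.contoso.com as a placeholder FQDN.

```powershell
# Added example (not from the original topic). Assumes the Exchange Management
# Shell; $fqdn is a placeholder and should be replaced with your server's FQDN.
$fqdn = 'mail1.contoso.com'

# 1. Enumerate the self-signed certificates for the FQDN and show when each expires
#    (self-signed Exchange certificates are valid for 12 months).
$selfSigned = @(Get-ExchangeCertificate -DomainName $fqdn | Where-Object { $_.IsSelfSigned })
$selfSigned | Format-List CertificateDomains, Services, Subject, Thumbprint, NotAfter

if ($selfSigned.Count -eq 0) {
    throw "No self-signed Exchange certificate found for $fqdn."
}

# 2. Choose the source certificate: the only match, or the thumbprint you
#    identified from the listing above when more than one exists.
if ($selfSigned.Count -eq 1) {
    $source = $selfSigned[0]
} else {
    $thumbprint = Read-Host 'Several self-signed certificates found; enter the thumbprint to clone'
    $source = Get-ExchangeCertificate -Thumbprint $thumbprint
}

# 3. Record the thumbprints that exist before cloning so the result can be checked.
$before = @(Get-ExchangeCertificate | Select-Object -ExpandProperty Thumbprint)

# 4. Clone. New-ExchangeCertificate still prompts about overwriting the default
#    SMTP certificate; answer N, as described above, to leave it unchanged.
$clone = $source | New-ExchangeCertificate

# 5. Verify: the clone has a new thumbprint (new key pair, copied metadata only),
#    and the original certificate keeps its service assignments.
if ($before -contains $clone.Thumbprint) {
    throw 'No new certificate was created; the returned thumbprint already existed.'
}
$original = Get-ExchangeCertificate -Thumbprint $source.Thumbprint
'Cloned {0} -> {1}' -f $source.Thumbprint, $clone.Thumbprint
'Original services unchanged: {0}' -f $original.Services
'Clone names: {0}; expires {1:yyyy-MM-dd}' -f ($clone.CertificateDomains -join ','), $clone.NotAfter
```

The clone starts with no services assigned; use Enable-ExchangeCertificate if you intend to bind it to a service.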

For detailed syntax and parameter information, see Get-ExchangeCertificate and New-ExchangeCertificate.