Requesting a new Exchange 2007 SSL certificate in PowerShell.

2009 November 17
by Paul McSharry

For Exchange Server 2007 functions such as Autodiscover and the Client Access role (OWA and Outlook Anywhere), an SSL certificate is required to secure data transfer between the Exchange server and the client.

It is best practice to ensure that all external access is secured using a certificate issued from a public certificate authority.

This is normally installed on the Exchange Client Access server role, or on an ISA server if the solution is being published through that firewall.

To generate a certificate request file for the certificate authority, the following PowerShell command can be used on the Exchange server:

New-ExchangeCertificate -GenerateRequest -SubjectName "O=<company name>, OU=<company dept>, C=<country code>, S=<area>, L=<city>, CN=<common name>" -PrivateKeyExportable:$true -KeySize 1024 -Path c:\certificaterequest.txt

Key

  • O – Organisation Name (legal name of the company)
  • OU – Organisational Unit (e.g. department)
  • CN – Common Name (e.g. domain.com)
  • C – Country
  • S (or ST) – State
  • L – Location

This command generates a certificate signing request and saves its contents in a text file, certificaterequest.txt.

This file can then be provided to the certificate provider to issue the appropriate certificate.

Note: For Exchange 2007, a multi-name (Subject Alternative Name) certificate is required to make full use of the functionality. It must cover the internal and external server names and the Autodiscover address, e.g.:

  • email.domain.com
  • autodiscover.domain.com
  • exchangesvr.domain.local

Once the certificate authority provides the certificate, it can be imported using the following PowerShell command:

Import-ExchangeCertificate -Path "C:\Certificate.cer"

NB: It is possible to use self-signed certificates within Exchange 2007. This may be acceptable for internal use; however, public-facing access should always be secured using a third-party signed certificate.
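The whole procedure above (request, import, then bind the certificate to services) as one Exchange Management Shell script. This is an added example, not code from the original post; it assumes the Exchange 2007 cmdlets New-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate and Get-ExchangeCertificate, and the subject, host names and file paths are constructed placeholders to replace.

```powershell
# Added example: generate the CSR, then import and enable the issued certificate.
# Run in the Exchange Management Shell on the Client Access server.
# Constructed placeholder values; replace with your own organisation details.
$subject     = "O=Example Ltd, OU=IT, C=GB, S=Greater London, L=London, CN=email.domain.com"
# Every name the certificate must cover: external, Autodiscover and internal.
# The first entry matches the CN; all of them go into the Subject Alternative Name.
$names       = "email.domain.com", "autodiscover.domain.com", "exchangesvr.domain.local"
$requestFile = "C:\certificaterequest.txt"
$issuedCert  = "C:\Certificate.cer"

# Phase 1: build the certificate signing request. 2048-bit key used here as
# public CAs no longer accept 1024-bit requests. PrivateKeyExportable is only
# needed if the same certificate must later be moved to an ISA server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName $names `
    -FriendlyName "Exchange 2007 CAS certificate" `
    -PrivateKeyExportable:$true `
    -KeySize 2048 `
    -Path $requestFile
Write-Host "CSR written to $requestFile - submit it to the certificate authority."

# Phase 2 (after the CA returns the signed certificate): import it and bind it
# to the services that should present it. Importing alone changes nothing;
# Enable-ExchangeCertificate is what makes OWA/Outlook Anywhere and SMTP use it.
if (Test-Path $issuedCert) {
    $cert = Import-ExchangeCertificate -Path $issuedCert
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

    # Check that the issued certificate actually carries every required name.
    $missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
    if ($missing) {
        Write-Warning "Certificate does not cover: $($missing -join ', ')"
    }

    # Confirm the binding and expiry of the certificate now in use.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Subject, CertificateDomains, Services, NotAfter
}
```

Run the script once to produce the CSR, then again after saving the CA's response as Certificate.cer; the second run imports, enables and verifies it.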
