Harun’s Microsoft Blog

Exchange 2010 – Certificate request and Installation

by on Dec.13, 2009, under EXCHANGE 2010

I was installing my new Exchange 2010 farm over the weekend and realized that the certificate installation whitepapers on TechNet do not work.

If you run the following command in the Exchange shell, as suggested on TechNet:

Import-ExchangeCertificate -Path c:\certificates\filename.cer -friendlyname "Contoso CAS01"

you will get the following error:

A positional parameter cannot be found that accepts argument ‘-Path’.

+ CategoryInfo : InvalidArgument: (:) [Import-ExchangeCertificate], ParameterBindingException

+ FullyQualifiedErrorId : PositionalParameterNotFound,Import-ExchangeCertificate

and if you run the following command

New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -PrivateKeyExportable:$true -path c:\certrequest_cas01.txt

as is also suggested on TechNet, you will get the following error:

A positional parameter cannot be found that accepts argument ‘-Path’.
+ CategoryInfo : InvalidArgument: (:) [New-ExchangeCertificate], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,New-ExchangeCertificate

Both errors occur because it is not possible to use the -Path argument with these cmdlets without using a pipe and the Get-Content or Set-Content commands.

I have decided to write this article to help others until the samples on TechNet are corrected. My examples below are tested and working.

Start the Exchange shell as administrator on the server where you want to install the certificate, and type the following command to create a request file. (Don't forget to replace yourdomain.com and YOURSERVERNAME with your own names and addresses.)

New-ExchangeCertificate -GenerateRequest -Domainname *.yourdomain.com, YOURSERVERNAME -FriendlyName YOURSERVERNAME.yourdomain.com -PrivateKeyExportable $True | Set-Content -Path c:\certrequest.txt

Send c:\certrequest.txt to the third-party CA that will issue a SAN certificate for you. If you want to use your own Windows CA instead, browse to https://yourCA/certsrv and make an advanced request for a Web Server certificate using the text file you created in the previous step.

After your CA delivers a .cer file for the request that you sent in the previous step, run the following command to complete the certificate request and install the certificate at the same time:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\temp\certnew.cer -Encoding byte -ReadCount 0))

Run the following command to see if the certificate is installed on your server:

Get-ExchangeCertificate

You will see a list of the certificates installed on the server. The self-signed server certificate, which is used for all Exchange services by default, is shown in the list along with the new server certificate. Copy the thumbprint of the certificate that you just installed to use in the next command.

Thumbprint                                Services  Subject
----------                                --------  -------
BEAADCE41051CB7186A08C51E2503211CA54A22D  .....     CN=owa.yourdomain.com, O=Your organization, C=se
8499BB03EDBA51F22455244C1003A749D43BBBB7  IP..S.    CN=YOURSERVERNAME

Enter the following command using the new certificate's thumbprint. This will enable the certificate for IIS and SMTP:

Enable-ExchangeCertificate BEAADCE41051CB7186A08C51E2503211CA54A22D -service iis

That’s it :)
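A check that fits between the import and enable steps above, added here as an example and not part of the original post: it reads the .cer returned by the CA, confirms that the names clients will connect to are covered, and verifies that the imported certificate has its private key. The names in $required are hypothetical placeholders, and the "DNS Name=" parsing assumes an English-language Windows.

```powershell
# Added example: checks on the CA's reply. Path and names are placeholders.
$cerPath  = 'C:\temp\certnew.cer'                     # file name used in the article
$required = 'mail.yourdomain.com', 'YOURSERVERNAME'   # hypothetical names clients will use

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 = Subject Alternative Name. Format() output is locale dependent;
    # "DNS Name=" is the label an English-language Windows prints (assumption).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }            # -eq is case-insensitive
        # A wildcard covers exactly one left-most label:
        # *.yourdomain.com matches mail.yourdomain.com but not a.b.yourdomain.com.
        if ($n.StartsWith('*.') -and $Name.Contains('.')) {
            $parent = $Name.Substring($Name.IndexOf('.') + 1)
            if ($parent -eq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$names = @(Get-CertDnsName $cert)

"Subject    : $($cert.Subject)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"
foreach ($r in $required) {
    $state = if (Test-NameCovered $r $names) { 'covered' } else { 'NOT in certificate' }
    '{0,-30} {1}' -f $r, $state
}

# Run this part after Import-ExchangeCertificate and before Enable-ExchangeCertificate.
# The import only pairs with a private key on the server that generated the request.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($installed -and $installed.HasPrivateKey) {
    'Installed with private key: ready to enable.'
} else {
    'Not installed here, or no private key: do not enable this thumbprint.'
}
```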

 

 

