Exchange Certificate Request

Exchange SSL

Sometimes it is necessary to create an Exchange certificate request, and we have to make sure that clients have a trusted connection from outside the company.

I want to make a request with all the standard information and with multiple domain names in it. I use the New-ExchangeCertificate cmdlet from the Exchange PowerShell snap-in.

New-ExchangeCertificate -GenerateRequest -RequestFile "C:\Users\adm-at\Documents\certificate.csr" -FriendlyName 'Tiedemann IT Consulting Exchange Access' -SubjectName 'cn=Tiedemann IT Consulting Exchange Access,email=hostmaster@tie....,C=DE,OU=IT,O=Tiedemann IT Consulting,Street=Bru.....,L=Bad ....,S=Schleswig-Holstein,PostalCode=2...' -DomainName,autod



The GenerateRequest switch specifies that you're creating a certificate request for a certification authority (CA). You don't need to specify a value with this switch.

This switch, together with the RequestFile parameter, generates a PKCS #10 certificate request that you send to the CA. How you send the information depends on the CA, but typically, for Base64 encoded requests, you paste the contents in an email message or in the request form on the CA's web site.

After you install the certificate from the certification authority by using the Import-ExchangeCertificate cmdlet, you use the Enable-ExchangeCertificate cmdlet to enable the certificate for Exchange services.

If you don't use this switch, the command creates a new self-signed certificate on the Exchange server.


The RequestFile parameter specifies the name and path of the certificate request file. The file contains the same information that's displayed on-screen when you generate a Base64 encoded certificate request (you don't use the BinaryEncoded switch).

You can use a local path if the certificate or certificate request is located on the same Exchange server where you're running the command. Otherwise, use a UNC path (\\<Server>\<Share>). If the value contains spaces, enclose the value in quotation marks (").

You can use this parameter only when you use the GenerateRequest switch.


The FriendlyName parameter specifies a friendly name for the certificate request or self-signed certificate. The value must be less than 64 characters.

The default value is Microsoft Exchange. The friendly name value is descriptive text, and doesn't affect the functionality of the certificate.


The SubjectName parameter specifies the Subject field of the certificate request or self-signed certificate.

Every certificate requires a value for the Subject field, and only one value is allowed. The requestor attempts to match the destination server name or FQDN with the common name (CN) value of the subject.

This parameter uses the syntax: [C=<CountryOrRegion>,S=<StateOrProvince>,L=<LocalityOrCity>,O=<Organization>,OU=<Department>],CN=<HostNameOrFQDN>. The only required value is CN=<HostNameOrFQDN>, but you should always include C=<CountryOrRegion> for certificate requests, and the certification authority might require other values as well.

For example, if you want the certificate's subject to be in the United States, you can use any of the following values:

  • C=US,S=WA,L=Redmond,O=Contoso,OU=IT,

  • C=US,O=Contoso,

  • C=US,

If you don't use this parameter, the default value is the name of the Exchange server where you run the command (for example, CN=Mailbox01).

For a subject alternative name (SAN) certificate, you should choose one of the values from the DomainName parameter to use in the SubjectName value. In fact, the CN value that you specify for SubjectName is automatically included in the DomainName values.

For a wildcard certificate, use a SubjectName value that contains the wildcard character (*). For example, C=US,CN=*
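The request, import and enable sequence described above, with a check of the SAN entries before the request goes to the CA, as an added example that is not part of the original post. The contoso.com host names, the file paths, the friendly name and the choice of the IIS service are constructed placeholders and assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Host names, paths and the friendly name are constructed placeholders.
$requestFile = 'C:\Temp\exchange.csr'
$cerFile     = 'C:\Temp\exchange.cer'    # certificate file returned by the CA
$domains     = 'mail.contoso.com', 'autodiscover.contoso.com'

# 1. Generate the Base64 PKCS #10 request. The CN is one of the DomainName values.
New-ExchangeCertificate -GenerateRequest `
    -RequestFile $requestFile `
    -FriendlyName 'Contoso Exchange Access' `
    -SubjectName 'C=US,O=Contoso,CN=mail.contoso.com' `
    -DomainName $domains

# 2. Decode the request before sending it and confirm every name is in the SAN list.
#    "DNS Name=" is the label in English-language certutil output (assumption).
$dump = certutil.exe -dump $requestFile
foreach ($name in $domains) {
    if (-not ($dump | Select-String -SimpleMatch "DNS Name=$name")) {
        throw "SAN entry for $name is missing from $requestFile"
    }
}

# --- Run the remaining steps once the CA has returned the certificate. ---

# 3. Import on the same server that generated the request,
#    because the matching private key is stored there.
$cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cerFile))

# 4. Bind it to the client-facing services (IIS only here; add others as needed).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Confirm the names, the service binding and the expiry date.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter
```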


Written by Arne Tiedemann on Sunday July 17, 2016
Permalink - Tags: Microsoft, Exchange, Certificates, Zertifikate, Request