Certificate procedures in Exchange
Applies to: Exchange Server 2016
Topic Last Modified: 2016-04-11
A summary of tasks that are associated with certificate management in Exchange 2016.
Ensuring that certificates are installed and configured correctly is key to delivering a secure messaging infrastructure for the enterprise. In Exchange Server 2016, you can manage certificates in the Exchange admin center (EAC), and in the Exchange Management Shell. Certificate management in the EAC has been improved over certificate management in the Exchange Management Console in Exchange Server 2010. Specifically, certificate management in the EAC can help administrators by:
Minimizing the number of certificates that are required.
Minimizing the interaction that's required for certificates.
Allowing the centralized installation and management of certificates on all Exchange servers in the organization.
For more information about certificates in Exchange 2016, see Digital certificates and encryption in Exchange.
The tasks that are associated with certificate management in Exchange are described in the following table.
|Task||EAC||Exchange Management Shell||Topic||Comments|
Create a new self-signed certificate on an Exchange server.
Servers > Certificates > select the server > Add > Create a self-signed certificate
You can create new self-signed certificates and configure the certificates for Exchange services in one step.
Create a new certificate request (also known as a certificate signing request or CSR) for a certification authority (CA).
Servers > Certificates > select the server > Add > Create a request for a certificate from a certification authority
New-ExchangeCertificate with the GenerateRequest switch.
The procedures are the same for an internal CA (for example, Active Directory Certificate Services) or a commercial CA.
Complete a pending certificate request on an Exchange server.
Servers > Certificates > select the server > select the certificate request > click the Complete link in the details pane.
After you receive the certificate file or files from the CA, you install them on the Exchange server.
Assign a certificate to Exchange services.
Servers > Certificates > select the server > select the certificate > Edit > Services tab.
The procedures are the same for self-signed certificates, or certificates that were issued by a CA.
For certificates issued by a CA, you can only assign the certificates to Exchange services after you complete the pending certificate request (install the certificate on the Exchange server).
Delete an existing certificate or certificate request from an Exchange server.
Servers > Certificates > select the server > select the certificate > Delete
The procedures are the same for self-signed certificates, certificate requests, or certificates issued by a CA.
Renew an existing certificate on an Exchange server.
Servers > Certificates > select the server > select the certificate > click Renew in the details pane.
Get-ExchangeCertificate and New-ExchangeCertificate
For self-signed certificates, you renew the certificate in one step.
For certificates that were issued by a CA, you create a request to renew the certificate, and send the request to the CA.
The notification viewer in the EAC displays a warning when a certificate on any Exchange server in your organization is about to expire.
Export an existing certificate or certificate request from an Exchange server.
Servers > Certificates > select the server > select the certificate > More options > Export Exchange Certificate
You can only export valid (unexpired) certificates where the PrivateKeyExportable property has the value
You can only export pending certificate requests in the Exchange Management Shell. You can't import an exported pending certificate request.
Import (install) a certificate on an Exchange server.
Servers > Certificates > select the server > More options > Import Exchange Certificate
Import a certificate that was exported from another server.
View existing certificates or certificate requests on an Exchange server, or view the details for a specific certificate or certificate request.
Servers > Certificates > select the server
For details on a specific certificate or certificate request, select the item from the list, and then click Edit .
Some certificate properties are visible in the details pane in the EAC when you select the certificate or certificate request from the list.
Some certificate properties aren't visible in the standard view in the Exchange Management Shell. To see them, you need to specify the property name (exact name or wildcard match) with the Format-Table or Format-List cmdlets. For more information, see Get-ExchangeCertificate.