Get-ExchangeCertificate


Applies to: Exchange Server 2016

This cmdlet is available only in on-premises Exchange Server 2016.

Use the Get-ExchangeCertificate cmdlet to view Exchange certificates that are installed on Exchange servers. This cmdlet returns Exchange self-signed certificates, certificates that were issued by a certification authority, and pending certificate requests (also known as certificate signing requests or CSRs).

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Get-ExchangeCertificate [-Server <ServerIdParameter>] [-Thumbprint <String>] <COMMON PARAMETERS>

Get-ExchangeCertificate [-Identity <ExchangeCertificateIdParameter>] <COMMON PARAMETERS>

Get-ExchangeCertificate [-Instance <X509Certificate2>] [-Server <ServerIdParameter>] <COMMON PARAMETERS>

COMMON PARAMETERS: [-DomainController <Fqdn>] [-DomainName <MultiValuedProperty>]

This example returns a summary list of all Exchange certificates and pending certificate requests on the server named Mailbox01.

Get-ExchangeCertificate -Server Mailbox01

This example returns detailed information for the specified certificate.

Get-ExchangeCertificate -Thumbprint 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List

This example returns all available information for the specified certificate.

Get-ExchangeCertificate -Thumbprint 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List *

This example shows which certificate Exchange will select for the domain name mail.contoso.com. A Send connector or Receive connector selects the certificate to use based on the fully qualified domain name (FQDN) of the connector. If you have multiple certificates with the same FQDN, you can see which certificate Exchange will select by using the DomainName parameter to specify the FQDN. The first certificate returned is the certificate that Exchange will select.

Get-ExchangeCertificate -DomainName mail.contoso.com
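As an added example that isn't part of the original topic, the following script applies the DomainName selection rule described above to every Send and Receive connector that has an FQDN set, so you can see which certificate Exchange will actually present for each connector. It assumes the Exchange Management Shell is loaded; the server name is a placeholder.

```powershell
# Added example (not from the original article): for each connector with an FQDN, show the
# certificate Exchange selects for that FQDN. The first certificate returned by
# Get-ExchangeCertificate -DomainName is the one Exchange will use.
$server = 'Mailbox01'   # placeholder server name

# Receive connectors are per-server; Send connectors are organization-wide.
$connectors = @(Get-ReceiveConnector -Server $server) + @(Get-SendConnector)

foreach ($connector in $connectors) {
    # Connectors without an FQDN fall back to the server's default name; skip them here.
    if (-not $connector.Fqdn) { continue }
    $fqdn = $connector.Fqdn.ToString()

    $selected = Get-ExchangeCertificate -Server $server -DomainName $fqdn |
        Select-Object -First 1

    [pscustomobject]@{
        Connector    = $connector.Identity
        Fqdn         = $fqdn
        Thumbprint   = $selected.Thumbprint
        Subject      = $selected.Subject
        IsSelfSigned = $selected.IsSelfSigned
        NotAfter     = $selected.NotAfter
    }
}
```

A self-signed or soon-to-expire certificate in this output is the one remote MTAs and clients will see for that connector, so it's the first place to look when TLS to a connector fails.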

By default, this cmdlet returns the following certificate properties in the summary list view:

  • Thumbprint   The unique digest of the certificate data. An example thumbprint value is 78E1BE82F683EE6D8CB9B9266FC1185AE0890C41.

  • Services   The Exchange services that the certificate is assigned to by using the Enable-ExchangeCertificate cmdlet. Values are:

    None   You'll see this value in certificates that aren't used with Exchange. For example, the WMSvc-<ServerName> certificate that's used for the IIS Web Management Service.

    Federation

    IIS

    IMAP

    POP

    SMTP

    UM

    UMCallRouter

  • Subject   Contains the X.500 value in the certificate's Subject Name field. The important part is the CN= value.

If you append | Format-List to the command, the cmdlet returns these additional certificate properties:

  • AccessRules   The host names or FQDNs in the certificate's Subject Alternative Name field.

  • CertificateDomains   The host names or FQDNs in the certificate's Subject Alternative Name field.

  • HasPrivateKey   Whether or not the certificate contains a private key.

  • IsSelfSigned   Whether or not the certificate is self-signed (not issued by a certification authority).

  • Issuer   Who issued the certificate.

  • NotAfter   The certificate expiration date.

  • NotBefore   The certificate issue date.

  • PublicKeySize   The size of the public key in bytes.

  • RootCAType   The type of CA that signed the certificate. Values are:

    None   This value is found on the Microsoft Exchange Server Auth Certificate, and also new self-signed certificates that you create.

    ThirdParty

    Enterprise

    Registry   This value is found on Exchange self-signed certificates.

    GroupPolicy

    Unknown   This value is found on pending certificate requests.

  • SerialNumber   The unique serial number of the certificate.

  • Status   The status of the certificate. Values are:

    DateInvalid

    Invalid

    PendingRequest

    RevocationCheckFailure

    Revoked

    Unknown

    Untrusted

    Valid
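As an added example that isn't part of the original topic, the following script uses the Services, Status, NotAfter, IsSelfSigned and HasPrivateKey properties described above to audit the certificates on a list of servers and report the ones that need attention. It assumes the Exchange Management Shell is loaded; the server names and the 30-day warning threshold are placeholders.

```powershell
# Added example (not from the original article): audit Exchange certificates on several
# servers and flag the ones a defender would want to look at.
$servers  = 'Mailbox01', 'Mailbox02'   # placeholder server names
$warnDays = 30                         # placeholder expiry warning threshold

$report = foreach ($server in $servers) {
    Get-ExchangeCertificate -Server $server | ForEach-Object {
        $cert     = $_
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $findings = @()

        # A certificate assigned to a service must be Valid; any other Status (Untrusted,
        # Revoked, DateInvalid, ...) means clients or peers won't trust that service's TLS.
        if ($cert.Services -ne 'None' -and $cert.Status -ne 'Valid') {
            $findings += "status is $($cert.Status)"
        }
        if ($daysLeft -le $warnDays) {
            $findings += "expires in $daysLeft days"
        }
        # Self-signed certificates bound to client-facing services aren't trusted by clients.
        if ($cert.IsSelfSigned -and ($cert.Services -match 'IIS|SMTP|POP|IMAP')) {
            $findings += 'self-signed but assigned to a client-facing service'
        }
        # Without a private key the certificate can't be used for TLS at all.
        if ($cert.Services -ne 'None' -and -not $cert.HasPrivateKey) {
            $findings += 'no private key'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Server     = $server
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                Services   = $cert.Services
                NotAfter   = $cert.NotAfter
                Findings   = ($findings -join '; ')
            }
        }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize
```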

If you append | Format-List * to the command, the cmdlet returns these additional certificate properties:

  • Archived

  • CertificateRequest   This property contains the hash value of the certificate request.

  • DnsNameList

  • EnhancedKeyUsageList   Typically, this value is Server Authentication (1.3.6.1.5.5.7.3.1).

  • Extensions

  • FriendlyName

  • Handle

  • Identity   This value is <ServerFQDN>\<Thumbprint>.

  • IISServices

  • IssuerName   Typically, this value is System.Security.Cryptography.X509Certificates.X500DistinguishedName.

  • KeyIdentifier

  • PrivateKey   Typically, this value is System.Security.Cryptography.RSACryptoServiceProvider.

  • PrivateKeyExportable   If this value is True, you can export the certificate from the server.

  • PublicKey   Typically, this value is System.Security.Cryptography.RSACryptoServiceProvider.

  • RawData

  • SendAsTrustedIssuer

  • ServicesStringForm

  • SignatureAlgorithm   Typically, this value is System.Security.Cryptography.Oid.

  • SubjectKeyIdentifier

  • SubjectName   Typically, this value is System.Security.Cryptography.X509Certificates.X500DistinguishedName.

  • Version   Typically, this value is 3.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange infrastructure and PowerShell permissions topic.


Parameters

DomainController
Required: Optional
Type: Microsoft.Exchange.Data.Fqdn

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.

DomainName
Required: Optional
Type: Microsoft.Exchange.Data.MultiValuedProperty

The DomainName parameter filters the results by the fully qualified domain name (FQDN) or server name values in the Subject Name or the Subject Alternative Name fields. You can specify multiple values separated by commas.

Identity
Required: Optional
Type: Microsoft.Exchange.Configuration.Tasks.ExchangeCertificateIdParameter

The Identity parameter specifies the certificate that you want to view. Valid values are:

  • <ServerNameorFQDN>\<Thumbprint>

  • <Thumbprint>

You can't use this parameter with the Server parameter.

The Thumbprint parameter, not the Identity parameter, is the positional parameter for this cmdlet. Therefore, when you specify a thumbprint value by itself, the command uses that value for the Thumbprint parameter.

Instance
Required: Optional
Type: System.Security.Cryptography.X509Certificates.X509Certificate2

The Instance parameter is no longer used and will be deprecated.

Server
Required: Optional
Type: Microsoft.Exchange.Configuration.Tasks.ServerIdParameter

The Server parameter specifies the Exchange server where you want to run this command. You can use any value that uniquely identifies the server. For example:

  • Name

  • FQDN

  • Distinguished name (DN)

  • Exchange Legacy DN

If you don't use this parameter, the command is run on the local server.

You can't use this parameter with the Identity parameter, but you can use it with the Thumbprint parameter, or by itself.

Thumbprint
Required: Optional
Type: System.String

The Thumbprint parameter specifies the thumbprint value of the certificate that you want to view.

The Thumbprint parameter, not the Identity parameter, is the positional parameter for this cmdlet. Therefore, when you specify a thumbprint value by itself, the command uses that value for the Thumbprint parameter.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.
