Generate Request for Third-Party Certificate Services
Topic Last Modified: 2011-03-19
Microsoft Exchange Server 2010 creates a self-signed certificate during installation that uses all the server and domain names known to Exchange at the time of installation. However, you can also use certificates signed by a certification authority (CA). If you are using a CA to generate certificates, you must provide a certificate request according to that CA's requirements.
To generate a certificate request, you can use the New-ExchangeCertificate cmdlet with the GenerateRequest parameter. You can then save the request in a file using the Set-Content cmdlet. The resulting file will be a PKCS #10 request (.req) file. PKCS #10 is the Certification Request Syntax Standard specified by RFC 2314. (For details, see http://www.ietf.org/rfc/rfc2314.txt.)
Looking for other management tasks related to certificates? Check out Managing TLS Certificates.
You must contact your CA to determine its requirements for new certificate requests.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in the Transport Permissions topic.
|You can't use the EMC to generate a certificate request from a CA.|
This example generates a certificate request for the Contoso server, mail1. The common name (CN) of the Subject Name contains the fully qualified domain name (FQDN) of the server and the Subject Alternative Name contains all the accepted domains for Contoso.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=contoso corp, cn=mail1.contoso.com" -IncludeAcceptedDomains Set-Content -Path "c:\Certificates\mail1.contoso.com.req" -Value $Data
This example generates a certificate request for the Contoso server, mail1. The certificate request is similar to the preceding example, but the certificate request is saved as a DER-encoded certificate request file.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "c=us, o=contoso corp, cn=mail1.contoso.com" -IncludeAcceptedDomains Set-Content -Path "c:\Certificates\mail1.contoso.com.req" -Value $Data.FileData -Encoding Byte
This example creates a certificate request from an existing Contoso.com certificate.
$Data = Get-ExchangeCertificate -Thumbprint c4248cd7065c87cb942d60f7293feb7d533a4afc | New-ExchangeCertificate -GenerateRequest -SubjectName "C=us, O=contoso corp, CN=mail1.contoso.com" Set-Content -Path "c:\ certificates\mail1.contoso.com.req" -Value $Data
This example creates a certificate request with a wildcard character for all Contoso.com subdomains.
$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "C=us, O=contoso corp, CN=mail1.contoso.com" -DomainName *.contoso.com Set-Content -Path "c:\certificates\mail1.contoso.com.req" -Value $Data
For detailed syntax and parameter information, see New-ExchangeCertificate.
After you generate the certificate request, you may also want to install the certificate issued by the CA in your organization. For detailed steps, see Install Certificates Issued for Certificate Requests.