TechNet
Export (0) Print
Expand All

Certificate procedures in Exchange

 

Applies to: Exchange Server 2016

Topic Last Modified: 2016-04-11

A summary of tasks that are associated with certificate management in Exchange 2016.

Ensuring that certificates are installed and configured correctly is key to delivering a secure messaging infrastructure for the enterprise. In Exchange Server 2016, you can manage certificates in the Exchange admin center (EAC), and in the Exchange Management Shell. Certificate management in the EAC has been improved over certificate management in the Exchange Management Console in Exchange Server 2010. Specifically, certificate management in the EAC can help administrators by:

  • Minimizing the number of certificates that are required.

  • Minimizing the interaction that's required for certificates.

  • Allowing the centralized installation and management of certificates on all Exchange servers in the organization.

For more information about certificates in Exchange 2016, see Digital certificates and encryption in Exchange.

The tasks that are associated with certificate management in Exchange are described in the following table.

 

Task EAC Exchange Management ShellTopicComments

Create a new self-signed certificate on an Exchange server.

Servers > Certificates > select the server > Add Add icon > Create a self-signed certificate

New-ExchangeCertificate

Create a new Exchange self-signed certificate

You can create new self-signed certificates and configure the certificates for Exchange services in one step.

Create a new certificate request (also known as a certificate signing request or CSR) for a certification authority (CA).

Servers > Certificates > select the server > Add Add icon > Create a request for a certificate from a certification authority

New-ExchangeCertificate with the GenerateRequest switch.

Create an Exchange certificate request for a certification authority

The procedures are the same for an internal CA (for example, Active Directory Certificate Services) or a commercial CA.

Complete a pending certificate request on an Exchange server.

Servers > Certificates > select the server > select the certificate request > click the Complete link in the details pane.

Import-ExchangeCertificate

Complete a pending Exchange certificate request

After you receive the certificate file or files from the CA, you install them on the Exchange server.

Assign a certificate to Exchange services.

Servers > Certificates > select the server > select the certificate > Edit Edit icon > Services tab.

Enable-ExchangeCertificate

Assign certificates to Exchange services

The procedures are the same for self-signed certificates, or certificates that were issued by a CA.

For certificates issued by a CA, you can only assign the certificates to Exchange services after you complete the pending certificate request (install the certificate on the Exchange server).

Delete an existing certificate or certificate request from an Exchange server.

Servers > Certificates > select the server > select the certificate > Delete Delete icon

Remove-ExchangeCertificate

n/a

The procedures are the same for self-signed certificates, certificate requests, or certificates issued by a CA.

Renew an existing certificate on an Exchange server.

Servers > Certificates > select the server > select the certificate > click Renew in the details pane.

Get-ExchangeCertificate and New-ExchangeCertificate

Renew an Exchange certificate

For self-signed certificates, you renew the certificate in one step.

For certificates that were issued by a CA, you create a request to renew the certificate, and send the request to the CA.

The notification viewer in the EAC displays a warning when a certificate on any Exchange server in your organization is about to expire.

Export an existing certificate or certificate request from an Exchange server.

Servers > Certificates > select the server > select the certificate > More options More Options icon > Export Exchange Certificate

Export-ExchangeCertificate

Export a certificate from an Exchange server

You can only export valid (unexpired) certificates where the PrivateKeyExportable property has the value True.

You can only export pending certificate requests in the Exchange Management Shell. You can't import an exported pending certificate request.

Import (install) a certificate on an Exchange server.

Servers > Certificates > select the server > More options More Options icon > Import Exchange Certificate

Import-ExchangeCertificate

Import or install a certificate on an Exchange server

Import a certificate that was exported from another server.

View existing certificates or certificate requests on an Exchange server, or view the details for a specific certificate or certificate request.

Servers > Certificates > select the server

For details on a specific certificate or certificate request, select the item from the list, and then click Edit Edit icon.

Get-ExchangeCertificate

n/a

Some certificate properties are visible in the details pane in the EAC when you select the certificate or certificate request from the list.

Some certificate properties aren't visible in the standard view in the Exchange Management Shell. To see them, you need to specify the property name (exact name or wildcard match) with the Format-Table or Format-List cmdlets. For more information, see Get-ExchangeCertificate.

 
Show:
© 2016 Microsoft