The following commands can be run from an Exchange 2013 server to create, import, export, remove, and enable certificates.
Create a Certificate
Create a new certificate request with these two commands. The first builds the request; the second writes it to a file that you submit to your public CA.
$NEWCERTREQ = New-ExchangeCertificate -GenerateRequest -FriendlyName "<Name of Certificate>" -KeySize 2048 -SubjectName "c=<Country>, s=<State>, l=<City>, o=<Organization>, ou=<Department>, cn=<CommonName>" -DomainName <autodiscover.myemaildomainname.com>, <FQDNofExchangeServers> -PrivateKeyExportable $True
Set-Content -path "C:\MyCertRequest.req" -Value $NEWCERTREQ
Import a New Certificate
Import the certificate after receiving it from your public certificate authority (CA). This command replaces the pending certificate request with the certificate issued by your public CA.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\PublicCert.crt" -Encoding byte -ReadCount 0))
Get Certificate Information
Get the current information for all certificates on the server with Get-ExchangeCertificate. The certificate thumbprint from this output is needed for the commands that follow. The newly imported certificate is the one with no services assigned whose Subject contains the information entered when the request was created (i.e. the common name (CN) is displayed in the “Subject” field).
Assign Services to a Certificate
Using the Thumbprint displayed from the command above, we will enable services for use with the certificate that was just imported on the local Exchange server.
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP,IMAP,POP,IIS
Remove a Certificate
If we ever need to, we can remove an existing (unused) certificate with a known thumbprint using this command…
Remove-ExchangeCertificate -Thumbprint <Thumbprint>
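The following is an added example, not part of the original post, that scripts the identification step described above (no services assigned, Subject carrying the CN) with checks before services are enabled, and adds the guard the plain Remove-ExchangeCertificate command lacks: refusing to remove a certificate that a service still uses. It assumes the Exchange 2013 Management Shell; the CN 'mail.example.com' is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Exchange 2013 Management Shell;
# 'mail.example.com' is a placeholder CN.

function Enable-NewExchangeCertificate {
    param([Parameter(Mandatory)][string]$CommonName)

    # The certificate that replaced the pending request has no services yet and a Subject
    # containing the CN from the original request.
    $candidates = @(Get-ExchangeCertificate |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($CommonName))" -and
                       $_.Services -eq 'None' })
    if ($candidates.Count -ne 1) {
        throw "Expected one unassigned certificate for CN=$CommonName, found $($candidates.Count)."
    }
    $cert = $candidates[0]

    # Do not bind services to a certificate that is self-signed or outside its validity window.
    $now = Get-Date
    if ($cert.IsSelfSigned) { throw "$($cert.Thumbprint) is self-signed; a CA-issued certificate was expected." }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        throw "$($cert.Thumbprint) is not currently valid (valid $($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Same services as the command above; -Confirm:$false suppresses the prompt shown
    # when this certificate takes over as the default SMTP certificate.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP,IMAP,POP,IIS -Confirm:$false
    return $cert.Thumbprint
}

function Remove-UnusedExchangeCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $target = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # Services is a flags enum; anything other than None means a service still depends on it.
    if ($target.Services -ne 'None') {
        throw "$Thumbprint still serves $($target.Services); re-point those services before removing it."
    }
    Remove-ExchangeCertificate -Thumbprint $Thumbprint -Confirm:$false
}

# Usage: run after Import-ExchangeCertificate, then retire the old certificate by thumbprint.
$new = Enable-NewExchangeCertificate -CommonName 'mail.example.com'
Get-ExchangeCertificate -Thumbprint $new | Format-List Subject, Services, NotAfter
# Remove-UnusedExchangeCertificate -Thumbprint '<OldThumbprint>'
```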
Export an Existing Certificate
We will now export an existing certificate with known thumbprint to a file that will be imported to another Exchange server in the future…
NOTE: The “path” parameter is no longer available with the Export-ExchangeCertificate command in Exchange 2013. To create a PFX file, we must utilize the Set-Content command.
$EXPORTCERTINFO = Export-ExchangeCertificate -Thumbprint <Thumbprint> -BinaryEncoded:$true -Password:(Get-Credential).password
Enter credentials when prompted and then run this command to create the export file…
Set-Content -Path "C:\ExportedCert.pfx" -Value $EXPORTCERTINFO.FileData -Encoding Byte
Import an Exported Certificate to Another Exchange Server
With the following commands, we can import a previously exported certificate onto another Exchange server and assign services…
Import-ExchangeCertificate -Server <ExchangeServer> -FileData ([Byte[]]$(Get-Content -Path "C:\ExportedCert.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
Enter credentials when prompted and the certificate information will be displayed, along with the thumbprint. Next, run this command to assign services to the certificate on the server it was imported to…
Enable-ExchangeCertificate -Server <ExchangeServer> -Thumbprint <Thumbprint> -Services SMTP,IMAP,POP,IIS
Handling certificates via the Exchange Management Console greatly simplifies creating, importing, exporting and assigning certificates in your environment compared to using the Exchange Admin Center.