Step 1

Fill in the form below. Once complete, copy the CSR command to your clipboard and then paste it into an Exchange Management Shell session on the Exchange server.

Common Name:
eg remote.example.com

Subject Alternative Names:
eg servername
servername.domainname.local
remote.example.com
autodiscover.example.com
Organisation:
Organisational Unit:
Town/City:
County/State:
Country:

CSR Command:


Step 2

Upload the CSR file which was created in the root of C:\ when you executed the CSR Command in the Exchange Management Shell session on the Exchange server.


  1. Open the downloaded ZIP file. Copy CA.crl to C:\inetpub\wwwroot (this is the default location; it may differ in your setup).
  2. Verify the Certificate Revocation List (CRL) is available by going to http://remote.example.com/CA.crl and confirming that the CA.crl file downloads. This needs to work before you proceed. If you get a "HTTP Error 404.0 - Not Found" page, look for the Physical Path. That's where the CA.crl needs to be. In a recent SBS 2008 example I found the Physical Path was "C:\Program Files\Windows Small Business Server\Bin\WebApp\SBS Web Applications\CA.crl"
  3. Add CA.cer as a trusted Certificate Authority by doing the following
    1. Extract CA.cer (to your desktop for example)
    2. Click Start -> Run and type MMC and press Ok to open a blank Microsoft Management Console
    3. Click File -> Add/Remove Snap-in
    4. Choose Certificates and click Add
    5. Choose Computer Account and press Next, then Finish, then Ok
    6. On the left hand side navigate to Console Root -> Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates. Right click on Certificates and click All Tasks -> Import. Click Next, then Browse to the file you extracted in step 3.1 (maybe on your desktop) and click Next. Confirm "Place all certificates in the following store" is selected and press Next and click Finish
    7. Click Ok on The Import was successful
    8. This needs to work before you proceed
  4. You should now be able to double click on signed_cert.cer and see it's a valid certificate for all application policies. Any red crosses indicate a problem!
  5. You'll want to install CA.cer on all computers. You can either repeat the above process for all computers in your network OR distribute it via Group Policy by doing the following
    1. Open the Group Policy Management Console
    2. Create a new Group Policy called Distribute Trusted Certificate Authority
    3. Edit the newly created Distribute Trusted Certificate Authority policy
    4. Navigate to Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities. Right click "Trusted Root Certification Authorities" and click Import. Click Next, then Browse to the file you extracted in step 3.1 (maybe on your desktop) and click Next. Confirm "Place all certificates in the following store" is selected and press Next and click Finish
    5. Click Ok on The Import was successful
    6. It is desirable for this to work before you proceed
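
The checks in items 2 and 4 can also be run from a PowerShell prompt on the server. This is an added example, not part of the original page; it assumes PowerShell 2.0 or later, and the URL and file path are the example values used on this page, so adjust them to your own.

```powershell
# Added example: scripted version of the CRL check (item 2) and the
# certificate validity check (item 4). Values below are assumptions taken
# from the examples on this page; change them to match your environment.
$CrlUrl   = 'http://remote.example.com/CA.crl'
$CertPath = 'C:\signed_cert.cer'

# 1. The CRL must download over HTTP. A 404 here means CA.crl is not in the
#    web site's Physical Path and revocation checking will fail for clients.
$client = New-Object System.Net.WebClient
try {
    $crlBytes = $client.DownloadData($CrlUrl)
    Write-Host ("CRL OK: {0} bytes from {1}" -f $crlBytes.Length, $CrlUrl)
} catch {
    Write-Warning ("CRL not reachable: {0}" -f $_.Exception.Message)
}

# 2. Build the chain for the signed certificate with online revocation
#    checking. This fails if CA.cer is not in the computer's Trusted Root
#    store or if the CRL named in the certificate cannot be fetched.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

if ($chain.Build($cert)) {
    Write-Host ("Chain OK: {0}" -f $cert.Subject)
    Write-Host ("Valid {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
} else {
    # Each entry explains one problem, e.g. UntrustedRoot or RevocationStatusUnknown.
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}

# 3. Show the Subject Alternative Names (OID 2.5.29.17) so they can be
#    compared with the names entered in Step 1 before the certificate is enabled.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    Write-Host $san.Format($true)
} else {
    Write-Warning 'Certificate has no Subject Alternative Name extension'
}
```

An UntrustedRoot warning points back to item 3 (CA.cer not imported); a revocation warning points back to item 2.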

Step 3

Consider going to https://testconnectivity.microsoft.com/ and performing tests

A transcript of an Exchange 2007 server I created certificates for

  [PS] C:\Windows\system32>$data=New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=GB, s=West Midlands, l=Birmingham, o=Somers Total Kare,
  ou=IT, cn=remote.stkare.co.uk" -DomainName svl2008, svl2008.svl.local, autodiscover.stkare.co.uk, remote.stkare.co.uk -PrivateKeyExportable $True
  [PS] C:\Windows\system32>Set-Content -path "C:\remote.stkare.co.uk-2014-01-8-203513.csr" -Value $Data
  [PS] C:\Windows\system32>Get-ExchangeCertificate

  Thumbprint                                Services   Subject
  ----------                                --------   -------
  560519675754EBD924D5AED1CA10874AA0EE2712  .....      C=GB, S=West Midlands, L=Birmingham, O=Somers Total Kare, OU=IT, CN=remote.stkare.co.uk
  F9DEFFC9C7A4DD2F67B8D915A7F9BAB059786846  IP.WS      C=GB, S=West Midlands, L=Birmingham, O=SVL, OU=IT, CN=remote.stkare.co.uk
  979F60EAC8D8386D59BAFEA0C8AFE170985C059E  .....      CN=SVL2008.svl.local
  533833E614D687CA8CA4361C2D1245C8FF7ADE85  IP..S      CN=remote.stkare.co.uk, OU=IT, O=SVL, L=Birmingham, S=West Midlands, C=GB
  197BCE294A73686F0574D36B8DE34089E3AD2F5E  ....S      CN=svl2008.svl.local
  48732F7A93AA365D3C3B90F721EF845FBB60085B  ....S      CN=theoffice.stkare.co.uk
  8A8C89A0835E6BAC6C859B6D844B54B505A5B602  IP.WS      CN=remote.stkare.co.uk
  EE9CD778E0D59E9D165AA189A3DBB5F6202746C8  ....S      CN=Sites
  D04ACC96DC21B02F6A601429EBE37C1255555677  .....      CN=svl-SVL2008-CA
  92EF3C099269D2753F01A23A747377D0836D12EB  .....      CN=WMSvc-WIN-4OMU2ITEIVB


  [PS] C:\Windows\system32>Import-ExchangeCertificate -Path C:\signed_cert.cer

  Thumbprint                                Services   Subject
  ----------                                --------   -------
  03AED018F0CC6AF8215EC8430FBE36B0E3DB5E2F  .....      C=GB, S=West Midlands, L=Birmingham, O=Somers Total Kare, OU=IT, CN=remote.stkare.co.uk


  [PS] C:\Windows\system32>Get-ExchangeCertificate

  Thumbprint                                Services   Subject
  ----------                                --------   -------
  03AED018F0CC6AF8215EC8430FBE36B0E3DB5E2F  IP...      C=GB, S=West Midlands, L=Birmingham, O=Somers Total Kare, OU=IT, CN=remote.stkare.co.uk
  F9DEFFC9C7A4DD2F67B8D915A7F9BAB059786846  IP.WS      C=GB, S=West Midlands, L=Birmingham, O=SVL, OU=IT, CN=remote.stkare.co.uk
  979F60EAC8D8386D59BAFEA0C8AFE170985C059E  .....      CN=SVL2008.svl.local
  533833E614D687CA8CA4361C2D1245C8FF7ADE85  IP..S      CN=remote.stkare.co.uk, OU=IT, O=SVL, L=Birmingham, S=West Midlands, C=GB
  197BCE294A73686F0574D36B8DE34089E3AD2F5E  ....S      CN=svl2008.svl.local
  48732F7A93AA365D3C3B90F721EF845FBB60085B  ....S      CN=theoffice.stkare.co.uk
  8A8C89A0835E6BAC6C859B6D844B54B505A5B602  IP.WS      CN=remote.stkare.co.uk
  EE9CD778E0D59E9D165AA189A3DBB5F6202746C8  ....S      CN=Sites
  D04ACC96DC21B02F6A601429EBE37C1255555677  .....      CN=svl-SVL2008-CA
  92EF3C099269D2753F01A23A747377D0836D12EB  .....      CN=WMSvc-WIN-4OMU2ITEIVB


  [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 03AED018F0CC6AF8215EC8430FBE36B0E3DB5E2F -Services POP,IMAP,SMTP,IIS

  Confirm
  Overwrite existing default SMTP certificate, 'F9DEFFC9C7A4DD2F67B8D915A7F9BAB059786846' (expires 08/01/2019 18:34:01), with certificate
  '03AED018F0CC6AF8215EC8430FBE36B0E3DB5E2F' (expires 08/01/2019 20:39:29)?
  [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
  [PS] C:\Windows\system32>Get-ExchangeCertificate

  Thumbprint                                Services   Subject
  ----------                                --------   -------
  03AED018F0CC6AF8215EC8430FBE36B0E3DB5E2F  IP.WS      C=GB, S=West Midlands, L=Birmingham, O=Somers Total Kare, OU=IT, CN=remote.stkare.co.uk
  F9DEFFC9C7A4DD2F67B8D915A7F9BAB059786846  IP..S      C=GB, S=West Midlands, L=Birmingham, O=SVL, OU=IT, CN=remote.stkare.co.uk
  979F60EAC8D8386D59BAFEA0C8AFE170985C059E  .....      CN=SVL2008.svl.local
  533833E614D687CA8CA4361C2D1245C8FF7ADE85  IP..S      CN=remote.stkare.co.uk, OU=IT, O=SVL, L=Birmingham, S=West Midlands, C=GB
  197BCE294A73686F0574D36B8DE34089E3AD2F5E  ....S      CN=svl2008.svl.local
  48732F7A93AA365D3C3B90F721EF845FBB60085B  ....S      CN=theoffice.stkare.co.uk
  8A8C89A0835E6BAC6C859B6D844B54B505A5B602  IP.WS      CN=remote.stkare.co.uk
  EE9CD778E0D59E9D165AA189A3DBB5F6202746C8  ....S      CN=Sites
  D04ACC96DC21B02F6A601429EBE37C1255555677  .....      CN=svl-SVL2008-CA
  92EF3C099269D2753F01A23A747377D0836D12EB  .....      CN=WMSvc-WIN-4OMU2ITEIVB


[PS] C:\Windows\system32>

Useful commands?