Exchange and Certificates - You can hate it or love it
Wednesday, July 1, 2009 12:18:36 PM
Creating a really good Exchange certificate is really annoying. There are so many tutorials out there, but I like to have the steps here so I can find them faster.
So this is what I use to create an Exchange certificate, and how to avoid a few problems:
If you are using SBS, it is an advantage to put some more domain names into the -domainname option. For example: Sites,remote.domain.local,remote.domain.de,domainname.local,domainname.de and so on.
New-Exchangecertificate -generaterequest:$true -domainname netbios,internal_FQDN,external_FQDN,autodiscover.external_FQDN,autodiscover.internal_FQDN -Friendlyname external_FQDN -path c:\certrequest.txt -privatekeyexportable:$true
If your root CA does not accept this because values are missing, look at this site: http://technet.microsoft.com/en-us/library/aa998840.aspx. There you can find out which subject names you can add to the command line above.
Now you have to go to your root CA, request this certrequest.txt and accept it. If you get an error that there is no template (or something like this), then try this:
certreq -attrib "CertificateTemplate:WebServer" C:\certrequest.txt
Then you can save the accepted certificate as c:\cert.cer
Import-exchangecertificate -path c:\cert.cer
If you have problems with the certificate, for example the private key is missing and/or in the Certificates MMC the certificate does not have the golden key, then try this:
1) get the serial number from the imported cert
2) run the following command: certutil -repairstore my "serial number"
3) go back into certstore and hit refresh
(copy the Thumbprint)
Enable-exchangecertificate -services "IIS,SMTP" -thumbprint PASTE_Thumbprint
iisreset
This should do it.
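A pre-flight check to run between Import-ExchangeCertificate and Enable-ExchangeCertificate, as an added example that is not part of the original post: it confirms the imported certificate really has its private key (the "golden key" problem above), is within its validity period, and carries every name you requested. The script name, parameter names and sample host names are assumptions, and the SAN parsing assumes an English-language Windows ("DNS Name=" labels).

```powershell
# Added example. Save as Test-ExchangeCert.ps1 (hypothetical name) and run on the Exchange server:
#   .\Test-ExchangeCert.ps1 -Thumbprint 'PASTE_Thumbprint' -ExpectedNames 'mail.example.com','autodiscover.example.com'
param(
    [Parameter(Mandatory = $true)] [string]   $Thumbprint,
    [Parameter(Mandatory = $true)] [string[]] $ExpectedNames
)

# Thumbprints copied from the Certificates MMC often carry spaces or invisible
# characters; keep only the hex digits before looking the certificate up.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) {
    throw "Thumbprint should be 40 hex characters, got $($clean.Length)."
}

# Exchange uses the local machine's Personal ("my") store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

# Subject Alternative Name extension (OID 2.5.29.17), formatted on one line.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$sanNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value.ToLower() })

# Names that were requested with -domainname but are not in the issued certificate.
$missing = @($ExpectedNames | Where-Object { $sanNames -notcontains $_.ToLower() })

$now     = Get-Date
$inDates = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

[pscustomobject]@{
    Thumbprint    = $clean
    Subject       = $cert.Subject
    HasPrivateKey = $cert.HasPrivateKey      # False = no golden key; use certutil -repairstore
    NotAfter      = $cert.NotAfter
    WithinDates   = $inDates
    SanNames      = $sanNames -join ', '
    MissingNames  = $missing -join ', '
    ReadyToEnable = $cert.HasPrivateKey -and $inDates -and ($missing.Count -eq 0)
}
```

If ReadyToEnable is False because HasPrivateKey is False, run the certutil -repairstore step above and check again before enabling the certificate for IIS and SMTP.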
