Easy CSR Creation and Installation of certificate in Exchange 2010/2013/2016 and 2019

M AService Manager
CERTIFIED EXPERT
Most Valuable Expert2017 and 2020.
O365, Exchange Server,Windows Server, Active Directory, Virtualization, Teams and Email Migration Expert.
Published:
Updated:
Easy CSR creation in Exchange 2010, 2013, 2016 and 2019
In order to move forward with different Exchange versions an Exchange administrator requires to write command to request for certificate. This tool will help to generate the command to request for a certificate which is a UC/SAN certificate based on client requirement. This command generator is designed to help Exchange administrators to generate command to request for a certificate without typing the whole command, instead just copy and paste.

You can fill your details (e.g. Common name, SANs, Organization name etc.) and generate the command in a few clicks.
To generate the CSR (Certificate Signing Request) in Exchange 2007, for obtaining a new certificate, the key details such as organization details are usually edited on a command that is obtained from the Exchange Management Shell and pasted into Notepad for editing then the new code is copied and pasted into the Management Shell after which the new CSR file is generated to the file location specified in the tool.

In the Exchange 2010 and 2013, generating the CSR file is similar to the 2007 version but after initial creating the initial file, generating the files afterwards involves running this command [Set-Content -path "C:\your_CSR_name.csr" -Value $Data] after the CSR command then the CSR is generated (to the file location specified in the tool)  which can then be submitted to CA. (Technet, 2016). After running this command you will see a certificate pending request. You will have to submit this CSR to your 3 rd party CA for certificate issuing.

Today, updating your certificate services are offered online by multiple companies which allow you to submit CSR instantly therefore it is easier and quicker as they offer user friendly and easy to use interface.

Generate Certificate Signing Request (CSR)
Here is a sample of CSR generation with instructions. Please download the from here and open it. Below is a sample.

Copy the command and paste the command in Exchange Management Shell and enter.


Once you ran the command you can see a pending request in your EAC and you can see a file with your domain name created in the folder mentioned in the tool. In our sample CSR it is c:\cert.


CSR file generated by Exchange Server.


Open the file using notepad and upload the CSR to your CA (Digicert,Godaddy,Comodo etc) portal.
Once certificate is issued please follow the below steps.

Download the zip file and extract. In our case we download from Godaddy portal.



Select server type IIS or Exchange and download.




Extract the zip file. In my case it is .crt file some other CAs provide certificate in .cer format.

Certificate Installation in Exchange Server. 
Open EAC and click on the Pending request  and click on complete.

When you click on complete you get a popup to enter the certificate path. Please enter the certificate path.
I saved the certificate in server in server so I used localhost.

Click on OK. Your certificate is imported.


Enable services in Exchange 

Before services enabled

Get-ExchangeCertificate | fl Issuer,CertificateDomains,notafter,thumbprint,services


Use the command shown below to enable the services. You can change the services according to your requirement. but IIS is mandatory.

Enable-ExchangeCertificate -Services POP,IMAP, IIS, SMTP -thumbprint FACE6A655A03CD482AEC4AA019DC920485DC166


After services enabled


Exchange 2013/2016/2019 EAC
You can assign and enable service certificates in Exchange 2016/2019 from the EAC. Below are the steps with screenshots showing how to enable and assign services:

 a) Click on the new certificate and click the "Edit" button. Check the expiry date of certificate.



b) Make sure domain names and expiry date is correct. Click on Services


c) Select SMTP and IIS.  If you're also using POP and IMAP, select them as well.

You can read this TechNet article for more information on how to assign services to certificates in Exchange 2016/2019.

Open your OWA and make sure no error and make sure certificate shows the expiry date as expected.

Now you are done. :))


Please click on thumps up button if it helped. Thanks for reading my article and using my tool.
Cheers.:))

You can download the tool from here. (below). Examples are available in the tool.
CSRGenerator.xlsm

Technet."Exchange 2007 CSR Creation commands."Retrieved from   https://technet.microsoft.com/en-us/library/aa998327(v=exchg.80).aspx
Technet “Exchange 2010 CSR Creation commands."Retrieved from   https://technet.microsoft.com/en-us/library/dd351057(v=exchg.141).aspx
Technet."Exchange 2013 CSR Creation commands."Retrieved from   https://technet.microsoft.com/en-us/library/aa998327(v=exchg.150).aspx

Verified on the following platforms
Windows Server 2019 Yes
Windows Server 2016
Yes
Windows Server 2012
Yes
Windows Server 2008
Yes


Download tool from here
Thanks for reading the article and using tool.
2
3,631 Views
M AService Manager
CERTIFIED EXPERT
Most Valuable Expert2017 and 2020.
O365, Exchange Server,Windows Server, Active Directory, Virtualization, Teams and Email Migration Expert.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.