
Looking for correct syntax for New-ExchangeCertificate

I am having an issue getting ISA 2006 SP1 to import an Exchange SAN cert.  The ISA server cert tool likes the exported cert from Exchange 2007.  The web listener doesn't think it is a valid cert.  I have found two different examples for the PrivateKeyExportable statement:
-PrivateKeyExportable:$True and -PrivateKeyExportable $True.  One with a colon and one without.  I actually saw it both ways on a TechNet site.  Is this an issue?  I saw some other posts here indicating that the key may not be exportable.  This is a SAN cert from GoDaddy.  Exchange seems to like it.  I recorded the PowerShell sequence start to finish.  I ran the -PrivateKeyExportable $True without a colon.  No errors were generated by PowerShell.
Asked by: markmagnus
 
Raghuv Commented:
If you are creating a new certificate, then you can use the below command,

New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Exchange, cn=mail.domain.com" -DomainName mail.domain.com, autodiscover.domain.com, FQDN_ExchangeServer, NetBIOS_ExchangeServer -PrivateKeyExportable $true

or

New-ExchangeCertificate -SubjectName "c=ES, o=Exchange, cn=mail.domain.com" -DomainName mail.domain.com, autodiscover.domain.com, FQDN_ExchangeServer, NetBIOS_ExchangeServer -PrivateKeyExportable $true

And if you would like to export a certificate, then try the command below,

Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

PS: To check the thumbprint of existing certificates, run "Get-ExchangeCertificate | FL" and locate the Thumbprint parameter.
 
Raghuv Commented:
Also check out the below article to export certificate from Exchange and then import it on ISA,

http://www.isaserver.org/articles/exportsslcert.html
 
markmagnus (Author) Commented:
I have met the enemy and he is me.  It helps if, when you run the MMC for certificate manager, you select the computer radio button instead of letting it stay on the default user button.  Unfortunately, they both have a Personal folder.  Once I put the certificate in the right place all was well.  The ISABPA was fairly blunt about the fact that I was an idiot for expecting this to work the way I did it.

You can either be a wonderful example or a terrible warning.  Today, I am the terrible warning.

Mark
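
Added example, not part of the thread: a PowerShell check, run on the ISA server, that reports which of the two Personal stores holds the imported certificate and whether its private key came with it. The function name and the `$Thumbprint` placeholder are assumptions; substitute the thumbprint that Get-ExchangeCertificate reports for the exported certificate.

```powershell
# Added example. $Thumbprint is a placeholder, not a value from the thread.
$Thumbprint = '<THUMBPRINT>'

function Find-PersonalStoreCert {
    param([string]$Thumbprint)

    # Thumbprints copied from the certificate dialog contain spaces; strip them.
    $wanted = $Thumbprint -replace '\s', ''

    # Both "Personal" folders the Certificates snap-in can open.
    $stores = @(
        @{ Account = 'Computer account'; Path = 'Cert:\LocalMachine\My' },
        @{ Account = 'My user account';  Path = 'Cert:\CurrentUser\My' }
    )

    foreach ($store in $stores) {
        $account = $store.Account
        Get-ChildItem -Path $store.Path |
            Where-Object { $_.Thumbprint -eq $wanted } |
            Select-Object @{ Name = 'Account'; Expression = { $account } },
                          Subject, NotAfter, HasPrivateKey
    }
}

$found = @(Find-PersonalStoreCert -Thumbprint $Thumbprint)

if ($found.Count -eq 0) {
    Write-Output 'Certificate is in neither Personal store on this machine.'
}
foreach ($hit in $found) {
    if ($hit.Account -eq 'Computer account' -and $hit.HasPrivateKey) {
        Write-Output "OK: $($hit.Subject) is in the computer store with its private key."
    } elseif ($hit.Account -eq 'Computer account') {
        Write-Output "$($hit.Subject) is in the computer store but has no private key; re-import the .pfx."
    } else {
        Write-Output "$($hit.Subject) is in the current user's store, not the computer store."
    }
}
```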