Looking for correct syntax for New-ExchangeCertificate

Posted on 2009-04-17
Last Modified: 2012-05-06
I am having an issue getting ISA 2006 SP1 to import an Exchange SAN cert.  ISA server cert tool likes the exported cert from Exchange 2007.  Web listener doesn't think it is a valid cert.  I have found two different examples for the privatekeyexportable statement.
-PrivateKeyExportable:$True and -PrivateKeyExportable $True.  One with a colon and one without.  I actually saw it both ways on a TechNet site.  Is this an issue?  I saw some other posts here indicating that the key may not be exportable.  This is a SAN cert from GoDaddy.  Exchange seems to like it.  I recorded the PowerShell sequence start to finish.  I ran the -PrivateKeyExportable $True without a colon.  No errors were generated by PowerShell.
Question by:markmagnus

    Expert Comment

    If you are creating a new certificate, then you can use the below command,

    New-ExchangeCertificate -GenerateRequest -Path c:\certificates\request.req -SubjectName "c=ES, o=Exchange," -DomainName,, FQDN_ExchangeServer, NetBIOS_ExchangeServer -PrivateKeyExportable $true


    New-ExchangeCertificate -SubjectName "c=ES, o=Exchange," -DomainName,, FQDN_ExchangeServer, NetBIOS_ExchangeServer -PrivateKeyExportable $true

    And if you like to Export a certificate, then try the below commands,

    Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

    PS: To check the thumbprint of existing certificates, run "Get-ExchangeCertificate | FL" and locate the Thumbprint parameter.

    Accepted Solution

    Also check out the below article to export certificate from Exchange and then import it on ISA,

    Author Comment

    I have met the enemy and he is me.  It helps if when you run the mmc for certificate manager, you select the computer radio button instead of letting it stay on the default user button.  Unfortunately, they both have a personal folder.  Once I put the certificate in the right place all was well.  The ISABPA was fairly blunt about the fact that I was an idiot for expecting this to work the way I did it.

    You can either be a wonderful example or a terrible warning.  Today, I am the terrible warning.
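
The store mix-up described in the author's comment can be checked from PowerShell on the ISA server instead of by eye in the MMC. This is an added example, not code from the thread; the helper name Find-CertificateStore is hypothetical, and the thumbprint is the one quoted in the Export-ExchangeCertificate command above.

```powershell
# Added example (not from the thread). Find-CertificateStore is a hypothetical helper name.
function Find-CertificateStore {
    param(
        [string]$Thumbprint,
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    # Thumbprints copied from the MMC dialog contain spaces; keep hex digits only.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $wanted } |
            Select-Object @{ Name = 'Store'; Expression = { $path } },
                          Subject, NotAfter, HasPrivateKey
    }
}

# Thumbprint taken from the Export-ExchangeCertificate command quoted in the thread.
$found = @(Find-CertificateStore -Thumbprint '5113ae0233a72fccb75b1d0198628675333d010e')

if ($found.Count -eq 0) {
    Write-Warning 'Certificate is in neither Personal store; it has not been imported on this machine.'
}
else {
    $inMachine = @($found | Where-Object { $_.Store -eq 'Cert:\LocalMachine\My' })
    if ($inMachine.Count -eq 0) {
        Write-Warning 'Certificate is only in the current user store; import it into the computer store.'
    }
    foreach ($hit in $found) {
        if (-not $hit.HasPrivateKey) {
            Write-Warning "No private key with the copy in $($hit.Store)."
        }
    }
    $found | Format-Table -AutoSize
}
```

Cert:\LocalMachine\My is the "Personal" folder under the computer account and Cert:\CurrentUser\My is the identically named folder under the user account, which is why the two are easy to confuse in the snap-in.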

