Request and assign a wildcard certificate to Exchange 2013-2019

A simple guide to requesting and generating a wildcard certificate for your Exchange Server through PowerShell (the Exchange Management Shell).

For reference, the official Microsoft guide covers the same procedure. First, list the certificates currently assigned to IIS:

Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains | where {$_.Services -match "IIS"} | fl

Now we need to generate a new cert request.

This is the general syntax (angle brackets mark placeholders to fill in):

New-ExchangeCertificate -GenerateRequest -RequestFile <FilePathOrUNCPath>\<FileName>.req [-FriendlyName <DescriptiveName>] -SubjectName [C=<CountryOrRegion>,S=<StateOrProvince>,L=<LocalityOrCity>,O=<Organization>,OU=<Department>],CN=<HostNameOrFQDN> [-DomainName <Host1>,<Host2>,...] [-BinaryEncoded <$true | $false>] [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]

Common fields, comma separated, in the SubjectName:
C=CountryOrRegion
S=StateOrProvince
L=LocalityOrCity
O=Organization
OU=Department

To generate a WILDCARD request:

New-ExchangeCertificate -GenerateRequest -RequestFile "\\localhost\c$\Cert_Req_Wicard.req" -FriendlyName "Softcomet.it Wildcard Cert" -SubjectName "C=IT,CN=*.softcomet.it"

To generate a SAN request instead (one CN plus additional host names in -DomainName):

New-ExchangeCertificate -GenerateRequest -RequestFile "\\localhost\c$\Cert_Req_Wicard.req" -FriendlyName "Softcomet.it SAN Cert" -SubjectName "C=IT,CN=mail.softcomet.it" -DomainName autodiscover.softcomet.it,legacy.softcomet.it

At this point you have to get the certificate issued by your certificate authority, using the .req file as the CSR. Personally I use SSL2Buy https://www.ssl2buy.com

When you have it, go back to the console and issue this command to show the pending requests:

Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

Then import the issued certificate with this command (general syntax, angle brackets are placeholders):

Import-ExchangeCertificate -FileName "<FilePathOrUNCPath>\<FileName>" [-Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdentity>]

In my case I put the cert under C:\353954770

So this is the command:

Import-ExchangeCertificate -FileName "\\localhost\c$\353954770\STAR_softcomet_it.crt"

Now check that the certificate is valid with this command:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint

Finally, assign it to the services that need it (IIS, SMTP, POP, IMAP), using the Thumbprint shown by the previous command:

Enable-ExchangeCertificate -Thumbprint 271041D73DA880438161B824402F23118497CDC9 -Services "SMTP, IMAP, POP, IIS"
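As an added end-to-end example (not code from the original post), the request, import and enable steps above are collected into one Exchange Management Shell script, followed by the check a defender would run after the change: right thumbprint bound to every expected service, issued by a CA rather than self-signed, covering the wildcard name, and with enough lifetime left. The domain, country, share path, file names and service list are hypothetical placeholders to replace; it assumes the CA has returned the issued .crt before the import step runs, and it uses -KeySize 2048, -PrivateKeyExportable and -Force, which the post's own commands do not.

```powershell
# Added example, not from the original post: wildcard certificate rollout on
# Exchange 2013-2019 as one script, plus a post-change verification function.
# Every value in this block is a placeholder (hypothetical) and must be replaced.

$Domain       = 'example.com'                 # placeholder: your mail domain
$Country      = 'IT'                          # placeholder: subject C= value
$Server       = $env:COMPUTERNAME             # Exchange server to act on
$CertShare    = "\\$Server\c$\certs"          # UNC path: -RequestFile and -FileName expect UNC paths
$RequestFile  = Join-Path $CertShare "STAR_$($Domain.Replace('.', '_')).req"
$IssuedFile   = Join-Path $CertShare "STAR_$($Domain.Replace('.', '_')).crt"   # placeholder: file returned by the CA
$FriendlyName = "$Domain Wildcard Cert"
$Services     = 'IIS', 'SMTP', 'IMAP', 'POP'

function New-WildcardRequest {
    # Step 1: generate the CSR. 2048-bit is the minimum most public CAs accept;
    # an exportable private key lets you move the cert to other Exchange servers.
    if (-not (Test-Path $CertShare)) { New-Item -ItemType Directory -Path $CertShare | Out-Null }
    New-ExchangeCertificate -GenerateRequest -RequestFile $RequestFile `
        -FriendlyName $FriendlyName -SubjectName "C=$Country,CN=*.$Domain" `
        -KeySize 2048 -PrivateKeyExportable $true -Server $Server
}

function Import-IssuedWildcard {
    # Step 2, once the CA has issued the certificate. The pending request must
    # still exist on this server, otherwise the import has no private key to pair with.
    $pending = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Status -eq 'PendingRequest' -and $_.CertificateDomains -contains "*.$Domain" }
    if (-not $pending) { throw "No pending request for *.$Domain on $Server; generate the CSR first." }

    Import-ExchangeCertificate -FileName $IssuedFile -Server $Server | Out-Null

    # Pick the newest valid, CA-issued certificate that actually covers the wildcard name.
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Status -eq 'Valid' -and -not $_.IsSelfSigned -and
                       $_.CertificateDomains -contains "*.$Domain" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "Import finished but no valid certificate for *.$Domain was found." }
    return $cert
}

function Enable-WildcardServices {
    param([Parameter(Mandatory)]$Cert)
    # Step 3: bind the services. -Force answers the confirmation prompt shown
    # when the default SMTP certificate is being replaced.
    Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services ($Services -join ',') `
        -Server $Server -Force
}

function Test-WildcardBinding {
    # Step 4: the check to run right after the change and again on a schedule.
    # Returns a list of problems; an empty list means the binding is as expected.
    param([Parameter(Mandatory)][string]$Thumbprint, [int]$MinDaysLeft = 30)
    $c = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server
    $problems = @()
    foreach ($svc in $Services) {
        # Services is a flags enum; its string form reads like "IMAP, POP, IIS, SMTP"
        if ($c.Services.ToString() -notmatch "\b$svc\b") { $problems += "service $svc is not bound to $Thumbprint" }
    }
    if ($c.IsSelfSigned) { $problems += 'certificate is self-signed' }
    if ($c.CertificateDomains -notcontains "*.$Domain") { $problems += "certificate does not cover *.$Domain" }
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) { $problems += "certificate expires in $daysLeft days" }
    return $problems
}

# Usage: run step 1, wait for the CA to issue the certificate, then the rest.
#   New-WildcardRequest
#   $cert = Import-IssuedWildcard
#   Enable-WildcardServices -Cert $cert
#   $issues = Test-WildcardBinding -Thumbprint $cert.Thumbprint
#   if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
```

The verification function is the part worth keeping around after the rollout: scheduled with a low -MinDaysLeft threshold it catches both an expiring wildcard and a service that quietly fell back to the self-signed certificate, two conditions the one-off Get-ExchangeCertificate checks above only show at the moment you run them.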
