One of our recently completed projects was an Exchange 2003 to Exchange 2010 migration and deployment. As is customary with a new Exchange deployment, a new security certificate needed to be generated for the new server where Exchange 2010 resides. There are a few options for obtaining or generating a security certificate. If you decide, however, not to acquire a third-party certificate, you will need to generate the certificate from the server itself.
This option is also necessary to generate the certificate for Pocket PC devices that use Exchange ActiveSync to synchronize data. Although certificates can be generated and/or requested using the EMC, we’ve discovered that the certificate necessary for these types of devices is generated successfully from the Shell. You need to be assigned permissions before you can perform this procedure.
The code example below outputs the certificate request in Base64 format to the command-line console. You must send the certificate request to a certification authority (CA) within the organization, a trusted CA outside the organization, or a commercial CA. You can do this by pasting the certificate request output into an e-mail message or into the appropriate field on the certificate request Web page of the CA. You can also save the certificate request to a file using a text editor such as Notepad.
The certificate that results has the following attributes associated with it:
- Subject name: c=<US>,o=<CompanyName>,cn=mail1.domainname.com
- Subject alternate names: domainname.com and example.com
- An exportable private key
New-ExchangeCertificate -DomainName server.domainname.com, mail1.domainname.com, autodiscover.domainname.com, server -SubjectName "C=US,O=CompanyName,CN=mail.domainname.com" | Enable-ExchangeCertificate -Services iis
Once you’ve generated the new certificate, verify that it has been applied on the server, and also verify within IIS that the certificate is set properly. You can then proceed to export the certificate and import it on the device. NOTE: the certificate must be installed to the Root Certificate Authority on the device.
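
One way to script the verification and export steps described above. This is an added example, not part of the original post. It assumes the host names and subject from the command on this page, that it runs in the Exchange Management Shell on the Exchange server itself, and a hypothetical output path. Because the device only needs the certificate as a trust anchor, it writes out the public certificate alone and leaves the exportable private key on the server.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server itself.
# Host names and subject are copied from the New-ExchangeCertificate command on this page.
$expectedNames = 'server.domainname.com', 'mail1.domainname.com',
                 'autodiscover.domainname.com', 'server'
$subjectMatch  = '*CN=mail.domainname.com*'
$outFile       = 'C:\Temp\exchange-public.cer'   # hypothetical output path

# Pick the newest certificate with that subject that Exchange reports as enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and $_.Subject -like $subjectMatch } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate with the expected subject is enabled for IIS.' }

# Every name that clients connect to should be listed, otherwise they get name-mismatch errors.
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($expectedNames | Where-Object { $domains -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ('Names missing from certificate: ' + ($missing -join ', '))
}

# Flag a certificate that is close to expiry before it is rolled out to devices.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter)."
}

# Summary to compare with what IIS Manager shows for the site binding.
$cert | Format-List Thumbprint, Subject, Services, NotAfter, IsSelfSigned, HasPrivateKey

# Export only the public certificate (DER-encoded .cer) from the local machine store.
# The private key is not included in this file and never leaves the server.
$local = Get-Item ('Cert:\LocalMachine\My\' + $cert.Thumbprint)
$bytes = $local.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $bytes)
Write-Host "Public certificate written to $outFile"
```

The resulting .cer file is what gets copied to the device and installed in its root store; a .pfx export with the private key is not needed for that step.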