Exchange 2007 Certificates

This is a brief post about setting up certificates in Exchange 2007.

What follows is a document which I send to people who are interested in setting up Subject Alternative Name certificates for Exchange 2007.


Open the Exchange Management Shell (EMS) and enter the following:

New-ExchangeCertificate -GenerateRequest:$true -domainname,,hostname,, -FriendlyName "Exchange SAN cert" -privatekeyexportable:$true -path c:\ExchSANcert.txt


Submit to CA

Import-ExchangeCertificate -Path c:\cascert.cer


Make a note of the Thumbprint

e.g. 2C9FB5F00EE88BA77D72FCA273C787728866BF1E


Enable the certificate as below:

Enable-ExchangeCertificate -Thumbprint 2C9FB5F00EE88BA77D72FCA273C787728866BF1E -Services "IIS,POP,IMAP,SMTP"


Set up External URLs

Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -ExternalUrl -RequireSSL:$true

Set-UMVirtualDirectory -Identity "UnifiedMessaging (Default Web Site)" -ExternalUrl https:// /UnifiedMessaging/Service.aspx

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -ExternalUrl https:// /EWS/Exchange.asmx


Set up the DNS records for external Autodiscover

Point to the external IP address (port 443) on the CAS server
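
Once the steps above are done, it is worth confirming that every host name clients will connect to is actually listed on the certificate that was enabled. The following check is an added example, not part of the original document; the thumbprint is the example value used above, and autodiscover.example.com is a placeholder to replace with your own Autodiscover name.

```powershell
# Run in the Exchange Management Shell on the CAS server.
$thumbprint = '2C9FB5F00EE88BA77D72FCA273C787728866BF1E'   # example value from this page
$extraNames = @('autodiscover.example.com')                # placeholder (assumption)

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# True when $name equals a SAN entry or matches a one-label wildcard entry.
function Test-NameCovered([string]$name, [string[]]$sanList) {
    $name = $name.ToLower()
    foreach ($san in $sanList) {
        if ($san -eq $name) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # "*.example.com" -> ".example.com"
            if ($name.EndsWith($suffix) -and $name.Length -gt $suffix.Length) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

# Host names clients will use: the external URLs set above plus Autodiscover.
$names = @($extraNames)
$dirs = @(Get-OABVirtualDirectory) + @(Get-WebServicesVirtualDirectory) + @(Get-UMVirtualDirectory)
foreach ($dir in $dirs) {
    if ($dir.ExternalUrl) {
        $names += (New-Object System.Uri($dir.ExternalUrl.ToString())).Host
    }
}

foreach ($n in ($names | Sort-Object -Unique)) {
    if (Test-NameCovered $n $sans) { "OK       $n" } else { "MISSING  $n is not on the certificate" }
}

# Basic health checks on the certificate itself.
if (-not $cert.HasPrivateKey) { "WARNING  no private key on this server for $thumbprint" }
if ($cert.IsSelfSigned)       { "WARNING  certificate is self-signed, not CA-issued" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { "WARNING  expires $($cert.NotAfter)" }
foreach ($svc in 'IIS','POP','IMAP','SMTP') {
    if ($cert.Services.ToString() -notmatch $svc) { "WARNING  $svc is not enabled on this certificate" }
}
```

Any MISSING line means clients using that name will get a certificate name mismatch warning, so the request needs to be regenerated with that name included.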



It has recently come to my attention that when you are submitting these requests to an External CA you need to get the correct subject name too!

Take a look at the MSExchangeTeam blog here for more info:


Hope this helps people understand this rather tricky area!