Using EMS, create your certificate request via the command line:
New-ExchangeCertificate -DomainName ACME.ai.local, ACME.mail.com -GenerateRequest:$True -KeySize 2048 -Path c:\ACMEcert.req -PrivateKeyExportable:$true -SubjectName "CN=ACME.mail.com"
NOTE: you can add a parameter to make the key valid for more than a year, but I took the default of one year. As you can see, I stored the request file on the root of the C: drive, calling it ACMEcert.req.
Open a command prompt and use certreq.exe to convert the request to a certificate:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\ACMEcert.req
and link it to the CA, or certificate authority; in our made-up office this machine might be called ACME-CA.
NOTE: It prompted for a name for the certificate; I chose ACMEcert.cer.
Import the new cert into the proper store:
File > Add/Remove Snap-in > Certificates > Local Computer > click Add. Browse to the Personal certificates store. Here you'll import the cert file, ACMEcert.cer, created in step 2.
Enable the new cert using EMS; again, it's a command:
Enable-ExchangeCertificate -Thumbprint paste_thumbprint_here
It will ask you for which services to apply to the new cert. Type IIS, SMTP, POP, IMAP then hit Enter. It will ask if it’s ok to overwrite the existing certificate using these services, choose “Yes to All” then hit Enter.
NOTE: to get a list of all Exchange certificate thumbprints available, use
Remove any old certs, if necessary:
Remove-ExchangeCertificate -Thumbprint paste_thumbprint_here
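A check worth running after the import and before Enable-ExchangeCertificate, shown here as an added example that is not part of the original post: it confirms that the certificate in the Local Computer Personal store carries both requested names, is bound to its private key, and is currently valid. It assumes the issued file was saved as C:\ACMEcert.cer; the variable names are illustrative.

```powershell
# Added example (not from the original post).
# Assumption: certreq saved the issued certificate as C:\ACMEcert.cer.
$cerPath  = 'C:\ACMEcert.cer'
$expected = @('ACME.ai.local', 'ACME.mail.com')   # names from the request

# Load the issued file only to learn its thumbprint.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# Find the same certificate in Local Computer > Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) {
    throw "Certificate $($issued.Thumbprint) was not found in LocalMachine\My"
}

# Subject Alternative Name extension (OID 2.5.29.17), rendered as text.
$sanText = ''
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) { $sanText = $sanExt.Format($false) }

$problems = @()
foreach ($name in $expected) {
    # -notmatch is case-insensitive, as DNS names are.
    if ($sanText -notmatch [regex]::Escape($name)) {
        $problems += "Name missing from SAN: $name"
    }
}
# Without the private key the certificate cannot be used by Exchange services;
# this usually means the import happened on a different machine than the request.
if (-not $cert.HasPrivateKey) {
    $problems += 'No private key is associated with this certificate'
}
if ($cert.PublicKey.Key.KeySize -lt 2048) {
    $problems += "Key size is $($cert.PublicKey.Key.KeySize), expected 2048 or more"
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

$cert | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey | Format-List
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Checks passed. Thumbprint to enable: $($cert.Thumbprint)"
}
```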