Generating a CSR in Exchange 2013 Shell

The Exchange Management Shell offers a command-line interface for Exchange Server 2013. In essence, every action performed in the Exchange Administration Center (EAC) is executed by the Shell in the background.

Both the Exchange Administration Center (EAC) and the command line can be used to generate the Certificate Signing Request (CSR). This article focuses on explaining the commands required to create the CSR for the primary domain mail.ncssltest.info and an additional domain autodiscover.ncsstest.info using the Exchange Shell.

How to Generate a CSR in Exchange 2013 Shell

Step 1

To begin, open the Exchange Management Shell and enter the following command:

New-ExchangeCertificate -GenerateRequest -RequestFile "path_to_csr.txt" -FriendlyName "friendly_name" -SubjectName "c=Country,s=State,l=Locality,o=Organization,ou=Organizational_Unit,cn=Common_Name" -DomainName additional.domain.com -PrivateKeyExportable $true

Step 2

Here is a short description of the parameters:

  • RequestFile: the path and name of the .txt or .req file in which the text of the CSR will be stored. In our example, we saved the file to drive C:\, folder “certs”.
  • FriendlyName: this field is used by the server administrator to identify the CSR later.
  • SubjectName: these details will be checked by the Certificate Authority before the certificate is issued.
  • Country: two-digit code of the country your domain is operating/registered in. You can check the ISO 3166-2 code for your country here or here.
  • State: the full name of the state/province/region inside the country. If there are no states or regions in your country, you can use the city name in this field.
  • Locality: the full name of the city.
  • Organization: the full registered name of your organization. You can enter NA here if you do not have a company, as Certificate Authorities do not verify the company for domain-validated (DV) certificates. Usually, it is enough to use the domain-validated certificate to secure Exchange services.
  • Organizational Unit: the name of the department inside the company. If there is no department in your company, you may enter NA.
  • Common Name: the domain name you need to secure. This will become the primary domain of your multi-domain certificate.
  • DomainName: any additional domain(s) which will take one of the slots in your certificate.
  • PrivateKeyExportable $true: this part of the command allows the private key to be exported from the server. Use it if you are going to export the certificate later and install it on another server. Using “$false” here or omitting this part of the command will prevent the private key from being exported and will cause issues with using the certificate on other servers.

Note: use only alphanumeric characters and avoid special characters like “/”, “&”, “å”, etc.

The file is stored on your computer in the folder you specified in the “-RequestFile” parameter. You may now activate your certificate using the CSR text. Remember that it is necessary to use the whole text, including the Begin and End lines.
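The command from Step 1 filled in for the two host names used in this article, followed by checks on the resulting file. This is an added example, not part of the original article. The file name, friendly name and the country, state, locality and organization values are constructed placeholders, and the folder C:\certs is assumed to exist.

```powershell
# Added example. Only the two host names come from the article;
# every other value below is a constructed placeholder.
$requestFile = 'C:\certs\mail_csr.req'

$params = @{
    GenerateRequest      = $true
    RequestFile          = $requestFile
    FriendlyName         = 'Exchange2013 mail'
    SubjectName          = 'c=US,s=California,l=Los Angeles,o=NA,ou=NA,cn=mail.ncssltest.info'
    DomainName           = 'autodiscover.ncsstest.info'
    PrivateKeyExportable = $true
}
New-ExchangeCertificate @params

# The CSR has to be submitted whole, including the BEGIN and END lines,
# so fail early if the file is truncated.
$lines = @(Get-Content -Path $requestFile | Where-Object { $_.Trim() })
if ($lines[0]  -notmatch '^-----BEGIN .*CERTIFICATE REQUEST-----$' -or
    $lines[-1] -notmatch '^-----END .*CERTIFICATE REQUEST-----$') {
    throw "CSR in $requestFile is truncated or missing its BEGIN/END lines."
}

# Decode the request and review the subject and host names before
# sending it to the Certificate Authority.
certutil.exe -dump $requestFile

# The private key was generated on this server and stays with the pending
# request until the issued certificate is imported.
Get-ExchangeCertificate |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint
```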

After the certificate is issued by the Certificate Authority, use this guide for installation.