Exchange 2007 - Generate CSR

A Certificate Signing Request (CSR) is required when applying for an SSL certificate. This CSR (and private key) can be generated on your webserver. To request a wildcard certificate, fill in an * (asterisk) for the subdomain, for example * (instead of

Note: In most cases a multi-domain certificate is used in Exchange. After the 1st of November 2015 it is no longer possible to include internal/local domainnames in a multidomain certificate. Internal domain names should therefore be replaced by external (FQDN) domain names.

To generate a new Certificate Signing Request (CSR) the New-ExchangeCertificate cmdlet should be used from the Exchange Management Shell, which should be run as administrator. The certificate snap-in for the MMC and the 'regular' command line can NOT be used for this purpose. Click on Start -> All Programs -> Microsoft Exchange Server 2007 and click Exchange Management Shell to open it.

In the example below a CSR is created in which is the domainname (FQDN) of the server.

The command is as follows:

New-ExchangeCertificate -GenerateRequest:$True -SubjectName "C=NL, O=Xolphin B.V., L=Heerhugowaard, S=Noord-Holland," -Force -FriendlyName Xolphin -Keysize 2048 -Path c:\xolphin.csr -privatekeyExportable:$true

Replace the bold keywords with your own info. De switches used are:

  • FriendlyName - A clear name for the certificate for your own referance, to identify the certificate in Exchange.
  • Subjectname - This switch specifies the organisation details: C= Country, O= Organisation, L= City(Locale), CN= your domainname.
  • GenerateRequest - Ensures the request is made in PKCS#10 format (the current standard for CSRs).
  • privatekeyExportable:$true - Ensures the private key is exportable at a later time.
  • Path - The path to the location where the CSR will be stored.

We recommend using a Multi-Domain Certificate for use in Exchange. When creating the CSR for a multidomain certificate the Common Name (CN) is used as the main domain. Any additional domains (like autodiscover, the internal servername, OWA, etc.) can be specified in the "Extra Domeinnamen" field during the ordering proces.

To order a certificate, copy the entire contents of the generated CSR, including the first and last line and all dashes.

Order certficate


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up