Cert help
Hi all, I used this command to generate an Exchange 2007 single CN certificate:

New-ExchangeCertificate -GenerateRequest -Path c:\ex1.csr -KeySize 2048 -SubjectName "c=US, s=State, l=City, o=Mycompany, cn=mail.mycompany.com" -PrivateKeyExportable $True

Now, I got the cert back with BEGIN CERTIFICATE and END CERTIFICATE for the web server and intermediate CA. How should I install it on the Exchange server 2007? I checked IIS and there is no certificate request there. Should I save the BEGIN CERTIFICATE and END CERTIFICATE as a pfx file or a cer file? We used to save a cer file when requested from IIS. Thank you.
February 17th, 2011 12:36pm

Save it as .pfx, then follow the steps below. First you have to import it:

Import-ExchangeCertificate -Path <full path to cert file>

Then enable it:

Enable-ExchangeCertificate

When you run the above command you will be prompted to enter the name of the service you want to enable this certificate for. You can enable the cert for IIS, POP3, IMAP, SMTP, or UM depending on your circumstance. You can enable it for multiple services with the enable command by adding the following parameter:

-Services IMAP, POP, UM, IIS, SMTP

After that it will prompt you for the thumbprint, so just copy and paste it from the results of the import procedure mentioned above. If for some reason you don't have the thumbprint in the same window you can get it by typing the following monad command:

Get-ExchangeCertificate

You can also specify the thumbprint when you execute the 'Enable-ExchangeCertificate' command by adding this parameter:

-Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

Combined it would look like this:

Enable-ExchangeCertificate -Services IIS, UM, SMTP -Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4

http://msexchangeteam.com/archive/2007/04/19/437902.aspx

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 17th, 2011 12:52pm

It works with your help. Just curious: service for IIS as the old days through IIS.

> Enable-exchangecertificate -services IMAP, POP, UM, IIS, SMTP

Enable services IMAP, POP, SMTP is for transmitting over encryption? Thank you.
February 17th, 2011 3:58pm

Note that you don't have to rename it as .pfx; .cer will work as well.
February 17th, 2011 4:04pm

I guess that most certs that need to install an intermediate CA will not work with ActiveSync devices, right? Thank you.
February 18th, 2011 5:07pm

That shouldn't be the case, can you not import the intermediate cert to the device as well?

James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
February 18th, 2011 7:04pm

The intermediate certs need to be installed on the CAS so the chain is complete for all clients if they are not already there. What are you using for a Cert? Either way, check here: http://www.digicert.com/help/
February 19th, 2011 9:27am
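
Added example, not part of the original thread: the import and enable steps from the replies above as one Exchange Management Shell script, with a check that the intermediate CA is in the server's local stores before the certificate is bound. The file path and the service list are assumptions; the script is meant to run on the server that generated the request.

```powershell
# Assumed values (not from the thread): adjust to your environment.
$certPath = 'C:\certs\mail_mycompany_com.cer'   # hypothetical path to the CA's reply
$services = 'IIS, SMTP'                         # services to bind the certificate to

# 1. Import the CA reply. The returned object carries the thumbprint,
#    so nothing has to be copied and pasted between commands.
$cert = Import-ExchangeCertificate -Path $certPath

# 2. The reply only completes the request if the private key is on this server.
if (-not $cert.HasPrivateKey) {
    throw "No private key for $($cert.Thumbprint): import on the server that created the request."
}

# 3. Build the chain locally. Revocation is skipped so that this step tests
#    chain completeness only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

# 4. Windows can fetch a missing intermediate over the network while building,
#    which other clients may not do. Confirm every issuer is actually present
#    in the local machine stores so the server can send the full chain.
$index = 0
$missing = 0
foreach ($element in $chain.ChainElements) {
    if ($index -gt 0) {                          # element 0 is the server certificate
        $tp = $element.Certificate.Thumbprint
        $present = (Test-Path "Cert:\LocalMachine\CA\$tp") -or (Test-Path "Cert:\LocalMachine\Root\$tp")
        "{0}  present locally: {1}" -f $element.Certificate.Subject, $present
        if (-not $present) { $missing++ }
    }
    $index++
}

if (-not $chainOk -or $missing -gt 0) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: " + $_.Status }
    throw "Chain is incomplete: install the intermediate CA certificate in the Local Computer store first."
}

# 5. Bind the certificate to the chosen services and show the result.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```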

This topic is archived. No further replies will be accepted.
