Exchange 2007 - 2010 Coexistence Certificate Question
So I have a quick question. I am building a new Exchange 2010 environment, and as part of that process will need a new certificate for my legacy namespace. So, not wanting to impact my existing environment (where the existing certificate is going to expire by the end of the week on 7/1/2011) I went ahead and did the following:
Exchange 2010: New-ExchangeCertificate (command generated via DigiCert's tool w/ mail.mycompany.com, autodiscover.mycompany.com, legacy.mycompany.com, and autodiscover.myothercompany.com)
Then I went to do an import-exchangecertificate, get-exchangecertificate, enable-exchangecertificate
From there I can see my certificate on my 1st Exchange 2010 CAS/HT server, but it shows-
Services : IMAP, POP, IIS, SMTP
Status : RevocationCheckFailure
Which I assume is because our firewall is blocking the traffic, which should be corrected shortly. In the interim, I exported the certificate (Export-ExchangeCertificate) and tried to import the certificate on the other Ex2010 CAS/HT servers, which failed-
The certificate with thumbprint xxx was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
So after some reading I exported the certificate using MMC, and selected 'Yes, export the private key'. From there I was able to do an import-
import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\install\cert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP"
But when I 'Get-ExchangeCertificate | fl' it shows-
Services : IMAP, POP, IIS, SMTP
Status : Invalid
Which has me wondering if it's because I exported it when its status was 'RevocationCheckFailure'
At any rate, now I am concerned about the next, more time sensitive task, importing the certificate on my Ex2007 CAS/HT servers. My understanding is that I should be able to import the certificate w/ EMC-
Import-ExchangeCertificate -Path c:\install\cert.pfx -Password:(Get-Credential).password
and import the certificate without impacting the existing services. So my questions are-
Will I be able to validate the certificate before I Enable-ExchangeCertificate?
Once enabled for all services, will it take effect immediately, and be completely transparent?
Any input from someone who has done this would be greatly appreciated.
Thanks!
-jon
June 29th, 2011 7:30pm
When you requested the certificate initially you had to have specified that the private key was exportable. Later when you exported the certificate, you had to specify that you wanted to export the private key.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 30th, 2011 1:27am
Thanks Ed,
That was the case, and I have been able to export / import to all other Exchange 2010 servers. Now my only question is how seamlessly I can install the cert and transfer services in the ex2007 environment-
So I will
Import-ExchangeCertificate -Path c:\install\cert.pfx -Password:(Get-Credential).password
Enable-ExchangeCertificate -thumbprint xxxx -Services "IIS,POP,IMAP,SMTP"
but..
Will I be able to validate the certificate before I Enable-ExchangeCertificate?
Once enabled for all services, will it take effect immediately, and be completely transparent?
thanks.
June 30th, 2011 2:36am
Hello,
1. You can double click the certificate file to see the details.
2. You need to restart the IIS service to make the certificate take effect.
Thanks,
Simon
July 1st, 2011 10:05am
Certificate was installed without incident. No restart, or iisreset was required.
July 1st, 2011 11:32pm
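One way to check the exported PFX before running Enable-ExchangeCertificate, as an added example that is not part of the original thread: it tests for the private key, the validity dates, the expected host names and the chain with online revocation checking. The function name Test-PfxForExchange and its output property names are hypothetical, the path and host names are the ones used in the thread, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example (not from the thread). Test-PfxForExchange and its output
# property names are hypothetical. Needs PowerShell 2.0+, no Exchange cmdlets.
function Test-PfxForExchange {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [string[]]$ExpectedNames = @()
    )
    # .NET resolves relative paths against the process directory, so resolve first.
    $full = (Resolve-Path $Path).Path
    # Load the PFX for inspection; it is not added to any certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $Password,
        ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # Subject Alternative Name extension (OID 2.5.29.17), formatted as text.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # Exact-match comparison only; wildcard names are not expanded.
    $missing = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })

    # Build the chain with online CRL/OCSP lookups, as a server would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    # These two flags mean the revocation endpoint could not be reached.
    $revUnknown = @($flags | Where-Object { $_ -match 'RevocationStatusUnknown|OfflineRevocation' }).Count -gt 0

    $now = Get-Date
    $inDate = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    $result = New-Object PSObject -Property @{
        Thumbprint          = $cert.Thumbprint
        HasPrivateKey       = $cert.HasPrivateKey   # False matches PrivateKeyMissing
        NotAfter            = $cert.NotAfter
        WithinValidity      = $inDate
        DnsNames            = $sanNames
        MissingNames        = $missing
        ChainFlags          = $flags
        RevocationUnchecked = $revUnknown
        ReadyToEnable       = $cert.HasPrivateKey -and $inDate -and $chainOk -and ($missing.Count -eq 0)
    }
    $chain.Reset(); $cert.Reset()   # release the chain and the loaded key
    $result
}
# Test-PfxForExchange -Path c:\install\cert.pfx -Password (Get-Credential).Password `
#     -ExpectedNames mail.mycompany.com,legacy.mycompany.com | Format-List
```

Run it on the server that will host the certificate, since the revocation result depends on what that machine can reach through the firewall.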