Exchange certificate
Hi all, Is it possible to add a Subject Alternative Name with the command Get-ExchangeCertificate -Thumbprint xxxxxx | New-ExchangeCertificate? And another question... I have an internal CA and I want to use a certificate on the IMAP, POP, SMTP and IIS services. I need only one certificate, don't I?
May 25th, 2011 11:59am

Hi,

Is it possible to add a Subject Alternative Name with the command Get-ExchangeCertificate -Thumbprint xxxxxx | New-ExchangeCertificate?

I don't think so - you pipe information from the current certificate into the new certificate request.

And another question... I have an internal CA and I want to use a certificate on the IMAP, POP, SMTP and IIS services. I need only one certificate, don't I?

One certificate is enough, but you need to make sure that all required names are in the certificate.

Leif
May 25th, 2011 2:36pm

Thank you very much Leif. So... I see that on the Edge there is a self-signed certificate issued by the Edge (let's call it, for example, EDGEEXCHANGE). I see that this certificate is issued by EDGEEXCHANGE and in the properties I have the SAN field filled with EDGEEXCHANGE, EDGEEXCHANGE.domain.local. How can I do this? When I use the command New-ExchangeCertificate I set more than one DomainName but I see nothing in the SAN. I see the SAN that I choose if I send the request to the internal CA, but after this I see that the issuer is the internal CA. How can I set the SAN without sending the request to the CA?
May 25th, 2011 2:49pm

Hello,

For your questions:

1. SAN is a third-party certificate and you cannot simply add a domain name to the existing one. You need to contact the third-party CA if you would like to add an additional domain name to it.

2. One certificate is OK. Do not install the enterprise certificate on the Edge server. The Edge server will use its own self-signed certificate. If you install the enterprise certificate, you will see errors in the Application log.

Here are the steps for generating an enterprise CA certificate for your reference:

1. Generate the Exchange certificate request on any Exchange server via the Exchange Management Shell:
New-ExchangeCertificate -IncludeAutoDiscover -IncludeAcceptedDomains -DomainName "xxx" -GenerateRequest:$True -PrivateKeyExportable:$True -KeySize 1024 -Path c:\request.txt

2. Submit the certificate request via the internal CA:
a. Open IE and browse to the URL of the internal CA.
b. Click "Request a certificate" ---> "advanced certificate request" ---> "Submit a certificate request by using a base-64-encoded ...".
c. Open the request.txt file, copy the message body and paste it into "Saved Request".
d. Select "Web Server" under "Certificate Template" and click "Submit".
e. Click "Download certificate" and save the certificate to physical disk.

4. Import the certificate into the Exchange server:
Import-ExchangeCertificate -Path <certificate_file_name>.cer

5. Note down the value of the thumbprint.

6. Enable the certificate on both CA servers:
Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS, SMTP, IMAP, POP"

Thanks,
Simon
May 27th, 2011 6:46am
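The procedure above, as an added example that is not part of the thread: one SAN certificate for IIS, SMTP, IMAP and POP, with a check that every required name really ended up in the SAN field before the certificate is enabled. It assumes the Exchange 2010 Management Shell; the host names, CA paths and friendly name are placeholders.

```powershell
# Assumed: Exchange 2010 Management Shell. Host names, file paths and the
# friendly name below are placeholders chosen for this example.

# 1. Every name clients connect to must be in the Subject Alternative Name (SAN)
#    list, otherwise Outlook/OWA/SMTP peers raise name-mismatch warnings.
$sanNames = @(
    "mail.example.com",          # external OWA/EWS/SMTP name
    "autodiscover.example.com",  # Autodiscover lookup name
    "cas01.corp.local"           # internal FQDN used on the LAN
)
$subject = "CN=mail.example.com,O=Example,C=US"

# 2a. Self-signed SAN certificate, no CA involved: without -GenerateRequest the cmdlet
#     issues the certificate itself and the -DomainName list becomes the SAN field.
#     Only this server trusts the issuer, so this is for lab or Edge use.
$selfSigned = New-ExchangeCertificate -SubjectName $subject -DomainName $sanNames `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName "Lab SAN cert"

# 2b. CA-signed certificate: same names, but -GenerateRequest emits a PKCS#10 request
#     for the internal CA (trusted by all domain-joined clients). 2048-bit RSA is used
#     here because 1024-bit keys are no longer considered adequate.
$req = New-ExchangeCertificate -SubjectName $subject -DomainName $sanNames `
    -KeySize 2048 -PrivateKeyExportable $true -GenerateRequest
Set-Content -Path C:\request.txt -Value $req
# Submit C:\request.txt to the CA (Web Server template), save the issued certificate
# as C:\mail.cer, then import it to complete the pending request on this server.
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path C:\mail.cer -Encoding Byte -ReadCount 0))

# 3. Verify before enabling: all required SAN entries present and the private key
#    matched (no private key means the import did not pair with the request).
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$missing = $sanNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key" }

# 4. Bind the single certificate to all four services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,IMAP,POP"

# 5. Audit what is bound to each service and when it expires.
Get-ExchangeCertificate | Select-Object Thumbprint, Services, NotAfter, CertificateDomains
```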

So I have to use the same cmdlet for the Edge certificate? New-ExchangeCertificate -IncludeAutoDiscover -IncludeAcceptedDomains -DomainName "xxx" -GenerateRequest:$True -PrivateKeyExportable:$True -KeySize 1024 -Path c:\request.txt And send it to the internal CA, right? When you say "enterprise certificate", do you mean a 3rd-party CA certificate?
May 27th, 2011 9:18am

I see that it's possible to add a SAN to a self-signed certificate with a 3rd-party tool like SelfSSL; this is the reason why I see a SAN on a self-signed certificate not issued by an (internal) CA.
May 28th, 2011 7:15pm

Hello,

Just leave the Edge server alone. When installing the Edge server, a self-signed certificate was automatically installed which includes the Edge server's FQDN and NetBIOS name. If this self-signed certificate is about to expire, you can renew it by:
New-ExchangeCertificate -DomainName "EdgeFQDN" -GenerateRequest:$True -PrivateKeyExportable:$True -KeySize 1024 -Path c:\request.txt
Then enable it on the SMTP service.

Thanks,
Simon
May 30th, 2011 4:23am
