September 3, 2010

Export an Exchange Server 2010 Certificate to Exchange 2003

During an Exchange 2003 to 2010 transition, a legacy namespace is configured for users who connect to Exchange 2003 mailboxes. The Exchange Server 2010 SSL certificate includes the legacy name in its Subject Alternative Name (SAN) field, but this certificate then also needs to be installed on the Exchange 2003 server.

Export the Certificate from Exchange Server 2010

To export the certificate from Exchange Server 2010, launch the Exchange Management Shell and run the following commands.

First determine the thumbprint of the SAN certificate that is installed.

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
E8D129180C1334D50DBE17A26795BEE0A0AEA9B3  ...WS.     CN=mail.contoso.local, OU=IT Dept, O=Contoso Pty Ltd, L=Brisban...
C5C2B0F04397D1C2C2C9834C48B268EA53F835B4  IP..S.     CN=ex2010

In this example the thumbprint is “E8D129180C1334D50DBE17A26795BEE0A0AEA9B3”.

Next export the certificate to a file by running the following command.

$file = Export-ExchangeCertificate -Thumbprint E8D129180C1334D50DBE17A26795BEE0A0AEA9B3 -BinaryEncoded:$true -Password (Get-Credential).password

A popup dialog appears for you to enter a password to protect the private key. The username field is not important but requires something to be entered in it for the dialog to accept, so just enter “username” and then a strong password.

Next run the following command to generate the file.

Set-Content -Path "C:\Admin\ex2010cert.pfx" -Value $file.FileData -Encoding Byte
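
Before copying the file, it is worth confirming that the PFX holds the intended certificate together with its private key, and that the legacy name is present in the SAN list. The check below is an added example and not part of the original procedure; the hostname legacy.contoso.local is an assumed placeholder for your legacy namespace, while the path and thumbprint are the ones used above.

```powershell
# Added example. $legacyName is a hypothetical placeholder; replace it with
# your own legacy namespace. Path and thumbprint are the article's values.
$pfxPath    = 'C:\Admin\ex2010cert.pfx'
$expected   = 'E8D129180C1334D50DBE17A26795BEE0A0AEA9B3'
$legacyName = 'legacy.contoso.local'

# Prompt for the export password without echoing it to the console
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Open the PFX as an object; this does not add it to any certificate store.
# A wrong password or a damaged file throws here.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)

# Subject Alternative Name is extension OID 2.5.29.17. Format($true) returns
# one entry per line, for example "DNS Name=mail.contoso.local".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

# Match the whole hostname after "=", so that the check does not depend on the
# (localized) "DNS Name" label and does not accept a longer name ending in it.
$pattern = '(?im)=' + [regex]::Escape($legacyName) + '\s*$'

function Show-Check([string]$Name, [bool]$Passed) {
    '{0,-45} {1}' -f $Name, $(if ($Passed) { 'OK' } else { 'FAIL' })
}

$now = Get-Date
Show-Check 'Thumbprint matches the exported certificate' ($cert.Thumbprint -eq $expected)
Show-Check 'Private key is present in the PFX'           $cert.HasPrivateKey
Show-Check 'Legacy name is listed in the SAN extension'  ($sanText -match $pattern)
Show-Check 'Certificate is within its validity period'   ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)

# Print the SAN entries for a visual check, then release the key material
$sanText
$cert.Reset()
```

The PFX contains the private key, protected only by the password you chose, so delete C:\Admin\ex2010cert.pfx and the copy on the Exchange 2003 server once the import has been confirmed.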

Copy the file to the Exchange Server 2003 server.

Import the Certificate on the Exchange 2003 Server

On the Exchange 2003 server launch mmc.exe and add the Certificates snap-in to the console, choosing the “Computer account” context.

Choose Local Computer and then click Finish, Close, and OK to return to the console.

Right-click Personal and choose All Tasks -> Import. Step through the Certificate Import Wizard, choosing the certificate file that was copied from the Exchange Server 2010 server.

Enter the password that you used when the certificate was exported from Exchange Server 2010.

Place the certificate in the Personal certificate store.

Complete the wizard and confirm that the import was successful.
