Articles in Root

How do I generate a CSR for Microsoft Exchange 2007?

Problem

How do I generate a CSR for Microsoft Exchange 2007?

Solution

Microsoft Exchange 2007 has introduced a new process to generate a CSR from the traditional method within a Windows environment.  This article will explain this new method which uses the Exchange Management Shell.

Part I - Preparing the CSR Input String

The Exchange Management Shell is the tool that will be used to generate the CSR.  It is a command line tool which requires a custom input string to gather the CSR.  The CSR input string can be created either by QuoVadis Microsoft Exchange Command Tool in PKI Widgets (Option 1) or by manually creating the input string (Option 2).

Option 1 - Using the QuoVadis Microsoft Exchange Command Tool

QuoVadis has created a PKI Widget that will generate this custom input string for you using a GUI.  If you decide to follow Option 1, then you can skip to Part II of this article.


  1. Open up an Internet Browser of your choice and navigate to https://pkiwidgets.quovadisglobal.com/scriptgen/exchange.aspx.
  2. You will see a form on the web page.  Fill out the form with the following information:

  • Common Name: This will be the Common Name of the certificate.  The Common Name is the Host + Domain Name.  It looks like secure.example.com or example.com.
  • Organisation: The legal name of your organisation.
  • Organisation Units: This optional field is the name of the department or other group making the request.  If you wish to add more than one Organisation Unit, you must enter in the Organisation Unit that you want and click the Add button to create another Organisation Unit entry box.
  • Locality/City/Town:The locality field is the city or town name, for example: Hamilton or Edinburgh.
  • State/Province: Spell out the state completely; do not abbreviate the parish, state or province name, for example: Pembroke or Georgia.
  • Country: Select the country from the drop-list where your Organisation is incorporated.
  • DnsName: Enter in any SAN fields that the certificate may require.  If you must enter in more than one, click on the Add button to add another DnsName field.
    Important Note: Most times, Microsoft Exchange requires multiple SAN fields. If you have added any SAN fields, please be sure to also repeat the Common Name as the top SAN field in this list. The Common Name must be repeated along with the SAN fields or when you install the certificate, any Internet Browser will not trust it.

  1. Once you have entered in all of the criteria into the QuoVadis Microsoft Exchange Command Tool, click on the Generate Command button at the bottom.
  2. PKI Widgets will generate the input string for you based on the information that you have supplied.  Highlight everything in the Command Line field and either copy it to your clipboard or copy and paste it into Notepad.  You can now move onto Part II of this article.

Option 2 - Creating the Input String Manually

If you do not have access to the QuoVadis Microsoft Exchange Command Tool, Option 2 will explain what goes into the input string so that you can create it yourself manually.

  1. Copy the following input string into a text editor such as Notepad:
    New-ExchangeCertificate -GenerateRequest -Path c:\[your_common_name].csr -KeySize 2048 -SubjectName "CN=[your_common_name], O=[your_organisation], L=[your_city], ST=[your_state], C=[your_country_ISO], OU=[your_division]" -DomainName [your_common_name], [san_field1], [san_field2], [san_field3], [san_field4] -PrivateKeyExportable $True

  2. You must replace all of the fields in red with your request details, following the list below.  As copying this input string to Notepad will change the red text to black, each field has also been enclosed in "[" and "]" for your convenience.

  • [your_common_name] - This will be the Common Name of the certificate.  The Common Name is the Host + Domain Name.  It looks like secure.example.com or example.com.  This field appears 3 times in the input string and must be the same value each time.
  • [your_organisation] - The legal name of your organisation.
  • [your_city] - The locality field is the city or town name, for example: Hamilton or Edinburgh.
  • [your_country_ISO] - Use the two-letter code of your country without punctuation, for example: BM or UK or CH.
  • [your_division] - This optional field is the name of the department of other group making the request.
  • [san_field1] - Enter in any SAN fields that the certificate may require.  If you must enter in more than one SAN field, then each must be separated with a ',' and a space.  This input string has included four additional SAN fields for your convenience, however you may delete or add to this list. 
    Note: The last SAN field does not have a ',' after it.

Part II - Generating the CSR

Part II of this article goes through the steps of inserting the input string you created in Part I into the Exchange Management Shell.

  1. Login to the Microsoft Exchange 2007 server where you want to install the SSL certificate.
  2. Click on Start, Programs, Microsoft Exchange Server 2007 and then click on Exchange Management Shell.
  3. The Exchange Management Shell will open.  Paste in the input string you created in Part I of this article.  After you have done this, press the Enter key.
  4. The CSR file that you have just generated will be created on directly on the C:/ directory on your server.
  5. Submit this CSR to QuoVadis.