Tool for Exporting Exchange 2010 Certificates to PFX files…

by Andy Grogan on November 3, 2011

I am probably the only person in the world who finds the process of exporting Exchange Certificates to a file within Exchange 2010 a little bit fiddly – in fact – whilst I think about it, I found it fiddly in Exchange 2007.

Now that does not mean that I don’t know how to export Certificates from either version of Exchange (honest!!!) – just that I have never found it to be very intuitive, or in parts – consistent.

As many of you will be aware in Exchange 2010 you can export an existing Exchange enabled certificate from either the Exchange Management Console or the Exchange Management Shell.

You can also export these certificates from the IIS Server Manager – however it is important to note that this is not the preferred method, and Microsoft recommends that you use the Exchange supplied tools for managing any certificate which is used in connection with Exchange Server 2010 (this was also the recommendation for Exchange 2007).

To give you some background – exporting from within the Exchange 2010 Management Console is accomplished by navigating to the [ Server Configuration ] node – see below;

[Screenshot: exchgExpCert001]

Select an Exchange Server which contains the SSL certificate that you are interested in; on the “Exchange Certificates” tab (located in the bottom middle of the window) a list of the available certificates will then be displayed – see below;

[Screenshot: exchgExpCert002]

Once you have selected your Certificate, the “Actions” area (to the right hand side of the screen) will change – towards the bottom you will see an option to “Export Exchange Certificate” – see below

[Screenshot: exchgExpCert003]

You are then presented with a two step wizard that will ask you for a path for the exported PFX file, and the password that you wish to assign to the PFX file to protect its private key (this is used later on when you need to import the file) – see below

[Screenshot: exchgExpCert004]

Clicking on the “Export” button completes the process and outputs the PFX file to your desired location, protected by the password you assigned – see below

[Screenshot: exchgExpCert005]

Of course the Exchange Management Shell provides another means to export Exchange based certificates to PFX files – an example which uses the “Subject Name” of the Cert is provided below – there are other ways that this can be achieved.

# Subject of the certificate to export
$sub = 'CN=owa.prepAD.local, OU=IT, O=Telnetport25.com, L=London, S=Middx, C=GB'
# Prompt for the PFX password rather than hard-coding it in the script
$pwrdNS = Read-Host "PFX password" -AsSecureString
$cCert = Get-ExchangeCertificate | Where-Object {$_.Subject -eq $sub}
$file = Export-ExchangeCertificate -Thumbprint $cCert.Thumbprint -BinaryEncoded:$true -Password $pwrdNS
# Write the raw PFX bytes to disk
Set-Content -Path "X:\Test.pfx" -Value $file.FileData -Encoding Byte
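
A backup is only useful if it can be read back, so the following added example (not part of the original post or the tool) opens the exported PFX and reports what it contains. It assumes the X:\Test.pfx path from the export above and that it is run in the Exchange Management Shell on the same server; the variable names are illustrative.

```powershell
# Added example: confirm an exported PFX is a usable backup.
$pfxPath = 'X:\Test.pfx'                      # path from the export above
$pfxPwd  = Read-Host 'PFX password' -AsSecureString

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$col   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

# Collection.Import only accepts a string password, so unwrap the SecureString
# briefly and zero the unmanaged copy afterwards.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPwd)
try {
    $col.Import($pfxPath, [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr), $flags)
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# The server certificate is the entry that carries the private key
$leaf = $col | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key in $pfxPath" }

# Is the same certificate still installed on this Exchange server?
$live = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $leaf.Thumbprint }

New-Object PSObject -Property @{
    Subject          = $leaf.Subject
    Thumbprint       = $leaf.Thumbprint
    NotAfter         = $leaf.NotAfter
    CertsInFile      = $col.Count      # 1 = no issuing CA certificates in the file
    MatchesInstalled = [bool]$live
}
```

A wrong password makes the Import call throw, and a CertsInFile value of 1 means only the server certificate was exported, so any issuing CA certificates need their own backup.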

Now, as I said in the introduction to this article, I have personally found the above processes to be a bit fiddly in practice, and being the type of person who backs everything up – I wanted a tool that could be fired up quickly and used to export Certs to a given location as a backup. In the absence of such a tool – I decided to write one – therefore I am pleased to present the Exchange 2010 Certificate Export tool.

Download

[ Exchange Certificate Export Tool – 500K ]

Requirements

In order to get the best from this tool your target system should be running:

  • Windows 2003 SP1 and above x64, Windows 2003 R2 and above x64, Windows 2008 Server SP1 x64, Windows 2008 R2 x64
  • .NET Framework 3.5
  • Exchange 2010 Management Tools

You should install the tool on the Exchange Server where the certificates that you wish to export / backup reside.

Install

Once you have downloaded the above setup file to the server of your choice, double click on the “ExchangeCertSetup.msi” file to launch the program installer. Follow the installation wizard through to completion; an icon for the product will be placed within your start menu and on the desktop.

Usage

Launch the program from the start menu [ Start –> Programs –> Exchange 2010 Certificate Export Tool –> Export Exchange 2010 Certificates ] or from the desktop icon – see below

[Screenshot: exchgExpCert012]

You will be presented with the main screen – from the “Certificate Information” area select the Service of the certificate that you wish to export (bear in mind the software will only detect certificates which are enabled for that service). The “Find” button will then be enabled – click on “Find” to retrieve the certificate list – see below

[Screenshot: exchgExpCert008]

The window below the “Find” button will then populate; select the certificate that you wish to export / backup – you must also provide a password for the exported private key in the “Private Export Key” box – this is mandatory – if you do not provide a value the program will prompt you – see below

[Screenshot: exchgExpCert009]

Click on the button to the right of the “Export Path” field; this will open a save file dialog box – navigate to the path where you wish to save the export file, provide a filename and click on the “Save” button – see below

[Screenshot: exchgExpCert010]

The export path field will then populate – click on the “Export” button to begin the process of exporting the certificate. When the program is done, the PFX file will be in the location that you stipulated, along with a log file of the entire process – see below

[Screenshot: exchgExpCert011]

It’s a simple tool – and I admit that some of you may have no use for it – but I hope that some folks get some value, as I now use it all the time to export and backup my clients’ Exchange certs. As always – let me know of comments and suggestions.

Ivan March 7, 2012 at 9:19 am

I got a log file saying that it failed because the thumbprint is empty. Any ideas ?

Chris Pierce April 25, 2013 at 2:36 pm

Ivan, I got the same error until I ran the tool “as Administrator”

Ockert June 17, 2016 at 7:40 am

Hi Chris,

I did something similar, but see that the related certificates that one can export from the Certificates snap-in are absent when one uses this method, so the THAWTE root certs are missing in my case.
