
Get Exchange certificate with PowerShell

Do you need to get the Exchange certificate with PowerShell? For example, you need to clean up the Exchange certificates. You can retrieve the information in two ways: through PowerShell or with the Exchange Admin Center (EAC). In this article, you will learn the PowerShell commands that you can use to get the information you need.

Get Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Make use of the Get-ExchangeCertificate cmdlet. Let’s first get all the installed certificates on the Exchange Server.

[PS] C:\>Get-ExchangeCertificate | Format-List


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.alitajran.com, alitajran.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
NotAfter           : 16-2-2022 11:24:53
NotBefore          : 21-1-2020 12:23:09
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 7D0G0BE21D3A29E8DFA923D5
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=*.alitajran.com, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
Thumbprint         : AAA8920D8BA6F48902822F2D15GB1A63FEBCE71D

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.alitajran.com, autodiscover.alitajran.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
NotAfter           : 6-7-2020 01:59:59
NotBefore          : 5-7-2019 02:00:00
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 7B9382F813B889B28E2BE09283B20213
Services           : None
Status             : Valid
Subject            : CN=mail.alitajran.com, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
Thumbprint         : A1BBE9E2098CB982834B298BCD11ED9B2189B2FE

There are two certificates installed on the Exchange Server. The first certificate is a wildcard certificate. The second certificate covers only the Exchange-specific domains mail.alitajran.com and autodiscover.alitajran.com.

Refine Exchange certificate output

Next, refine the output so that it shows only selected properties of the installed Exchange certificates.

[PS] C:\>Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains


Thumbprint         : AAA8920D8BA6F48902822F2D15GB1A63FEBCE71D
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 16-2-2022 11:24:53
Subject            : CN=*.alitajran.com, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
CertificateDomains : {*.alitajran.com, alitajran.com}

Thumbprint         : A1BBE9E2098CB982834B298BCD11ED9B2189B2FE
Services           : None
NotAfter           : 6-7-2020 01:59:59
Subject            : CN=mail.alitajran.com, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
CertificateDomains : {mail.alitajran.com, autodiscover.alitajran.com}

In the next part we will specify the services.

Get Exchange certificates with specific service

You can specify the services that you want to assign to a certificate. The services are:

  • SMTP
  • Microsoft Exchange Unified Messaging
  • Unified Messaging Call Router
  • IMAP
  • POP
  • IIS

Get a list of certificates that are installed and assigned to the SMTP service. Change the SMTP in the command to one of the above services if you want to filter the shown certificates.

[PS] C:\>Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains | where {$_.Services -match "SMTP"} | fl


Thumbprint         : AAA8920D8BA6F48902822F2D15GB1A63FEBCE71D
Services           : IMAP, POP, IIS, SMTP
NotAfter           : 16-2-2022 11:24:53
Subject            : CN=*.alitajran.com, O=ALITAJRAN, OU=IT Department, L=The Hague, S=South-Holland, C=NL
CertificateDomains : {*.alitajran.com, alitajran.com}
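For the cleanup case mentioned at the start, the properties selected above are enough to triage certificates by expiry and service assignment. The following is an added example, not code from the original article; Get-CertTriage, the 30-day window and the fixed -Now date are assumptions, and the sample objects are constructed from the output shown above.

```powershell
# Added example, not from the original article. Get-CertTriage is a
# hypothetical helper name; it is not an Exchange cmdlet.
function Get-CertTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Certificate,
        [int]$WarnDays = 30,            # assumed renewal window
        [datetime]$Now = (Get-Date)     # overridable for repeatable runs
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)

        # Services prints as a comma-separated list. Split it into exact names
        # instead of using -match, where "UM" would also hit "UMCallRouter".
        $services = @("$($Certificate.Services)" -split '\s*,\s*' |
            Where-Object { $_ -and $_ -ne 'None' })

        $findings = @()
        if ($daysLeft -lt 0)             { $findings += 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $findings += 'ExpiringSoon' }
        if ($services.Count -eq 0)       { $findings += 'NoServicesAssigned' }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Services   = $services -join ', '
            DaysLeft   = $daysLeft
            Findings   = $findings -join ', '
        }
    }
}

# Constructed sample input mirroring the two certificates in the output above.
$sample = @(
    [pscustomobject]@{ Thumbprint = 'AAA8920D8BA6F48902822F2D15GB1A63FEBCE71D'
                       Services = 'IMAP, POP, IIS, SMTP'
                       NotAfter = [datetime]'2022-02-16T11:24:53' }
    [pscustomobject]@{ Thumbprint = 'A1BBE9E2098CB982834B298BCD11ED9B2189B2FE'
                       Services = 'None'
                       NotAfter = [datetime]'2020-07-06T01:59:59' }
)

# Fixed reference date (constructed) so the sample result does not drift.
$sample | Get-CertTriage -Now ([datetime]'2020-06-20') | Format-Table -AutoSize

# On the Exchange Server, in Exchange Management Shell:
# Get-ExchangeCertificate | Get-CertTriage | Where-Object Findings
```

NoServicesAssigned marks a certificate for review before removal; confirm nothing else on the server still references it.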

It’s easier to filter and read when you get the Exchange certificates with PowerShell. Did it help you to get the Exchange certificate with PowerShell?

Conclusion

To sum up, you learned how to get an Exchange certificate with PowerShell. We can use both the Exchange Admin Center and PowerShell to get the Exchange certificate information. Do you use the Exchange Admin Center or PowerShell? I hope you enjoyed this article. You may also like "Always run Exchange Management Shell as administrator".

ALI TAJRAN


This Post Has 3 Comments

  1. Hi, if I run “Get-ExchangeCertificate | select Thumbprint, Services, NotAfter, Subject, CertificateDomains” from the Exchange Management Shell, it works fine.
    But if I run PowerShell and connect to the on-premises environment (New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$ExchServ/powershell" -Authentication Kerberos) and run the same command, “certificate domains” shows BLANK.
    How can I get it to show the field?
    Thanks

    1. Hi Hil, you are connecting from another server to the on-premises Exchange Server. Unfortunately, you will not get all the certificate properties. What you can do is the following: Install Exchange Management Tools on the server that you are on. Once installed, launch EMS or PS and load the Exchange SnapIn. Run the cmdlet.
