Get-ExchangeCertificate
This cmdlet is available only in on-premises Exchange.
Use the Get-ExchangeCertificate cmdlet to view Exchange certificates that are installed on Exchange servers. This cmdlet returns Exchange self-signed certificates, certificates that were issued by a certification authority and pending certificate requests (also known as certificate signing requests or CSRs).
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Identity
Get-ExchangeCertificate
[[-Identity] <ExchangeCertificateIdParameter>]
[-DomainController <Fqdn>]
[-DomainName <MultiValuedProperty>]
[<CommonParameters>]
Instance
Get-ExchangeCertificate
[-Instance <X509Certificate2>]
[-DomainController <Fqdn>]
[-DomainName <MultiValuedProperty>]
[-Server <ServerIdParameter>]
[<CommonParameters>]
Thumbprint
Get-ExchangeCertificate
[[-Thumbprint] <String>]
[-DomainController <Fqdn>]
[-DomainName <MultiValuedProperty>]
[-Server <ServerIdParameter>]
[<CommonParameters>]
Description
By default, this cmdlet returns the following certificate properties in the summary list view:
- Thumbprint: The unique digest of the certificate data. An example thumbprint value is 78E1BE82F683EE6D8CB9B9266FC1185AE0890C41.
- Services: The Exchange services that the certificate is assigned to by using the Enable-ExchangeCertificate cmdlet. Values are None, Federation, IIS, IMAP, POP, SMTP, UM, and UMCallRouter. You see the value None in certificates that aren't used with Exchange (for example, the
WMSvc-<ServerName>certificate that's used for the IIS Web Management Service). - Subject: Contains the X.500 value in the certificate's Subject Name field. The important part is the CN= value.
If you append | Format-List to the command, the cmdlet returns these additional certificate properties:
- AccessRules: Typically, this value is multiple instances of the value System.Security.AccessControl.CryptoKeyAccessRule separated by commas.
- CertificateDomains: The host names or FQDNs in the certificate's Subject Alternative Name field.
- HasPrivateKey: Whether or not the certificate contains a private key.
- IsSelfSigned: Whether or not the certificate is self-signed (not issued by a certification authority).
- Issuer: Who issued the certificate.
- NotAfter: The certificate expiration date.
- NotBefore: The certificate issue date.
- PublicKeySize: The size of the public key in bytes.
- RootCAType: The type of CA that signed the certificate. Values are None (this value is found on the Microsoft Exchange Server Auth Certificate, and also new self-signed certificates that you create), ThirdParty, Enterprise, Registry (this value is found on Exchange self-signed certificates), GroupPolicy, or Unknown (this value is found on pending certificate requests).
- SerialNumber: The unique serial number of the certificate.
- Status: The status of the certificate. Values are DateInvalid, Invalid, PendingRequest, RevocationCheckFailure, Revoked, Unknown, Untrusted or Valid
If you append | Format-List * to the command, the cmdlet returns these additional certificate properties:
- Archived
- CertificateRequest: This property contains the hash value of the certificate request.
- DnsNameList
- EnhancedKeyUsageList: Typically, this value is Server Authentication (1.3.6.1.5.5.7.3.1).
- Extensions
- FriendlyName
- Handle
- Identity: This value uses the syntax ServerFQDN\Thumbprint.
- IISServices
- IssuerName: Typically, this value is System.Security.Cryptography.X509Certificates.X500DistinguishedName.
- KeyIdentifier
- PrivateKey: Typically, this value is System.Security.Cryptography.RSACryptoServiceProvider.
- PrivateKeyExportable: If this value is True, you can export the certificate from the server.
- PublicKey: Typically, this value is System.Security.Cryptography.RSACryptoServiceProvider.
- RawData
- SendAsTrustedIssuer
- ServicesStringForm
- SignatureAlgorithm: Typically, this value is System.Security.Cryptography.Oid.
- SubjectKeyIdentifier
- SubjectName: Typically, this value is System.Security.Cryptography.X509Certificates.X500DistinguishedName.
- Version: Typically, this value is 3.
You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
Get-ExchangeCertificate -Server Mailbox01
This example returns a summary list of all Exchange certificates and pending certificate requests on the server named Mailbox01.
Example 2
Get-ExchangeCertificate -Thumbprint 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List
This example returns detailed information for the specified certificate.
Example 3
Get-ExchangeCertificate -Thumbprint 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List *
This example returns all available information for the specified certificate.
Example 4
Get-ExchangeCertificate -DomainName mail.contoso.com
This example shows which certificate Exchange selects for the ___domain name mail.contoso.com. A Send connector or Receive connector selects the certificate to use based on the fully qualified ___domain name (FQDN) of the connector. If you have multiple certificates with the same FQDN, you can see which certificate Exchange selects by using the DomainName parameter to specify the FQDN. The first certificate returned is the certificate that Exchange selects.
Parameters
-DomainController
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
The DomainController parameter specifies the ___domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the ___domain controller by its fully qualified ___domain name (FQDN). For example, dc01.contoso.com.
The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.
Parameter properties
| Type: | Fqdn |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-DomainName
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
The DomainName parameter filters the results by the fully qualified ___domain name (FQDN) or server name values in the Subject Name or the Subject Alternative Name fields. You can specify multiple values separated by commas.
Parameter properties
| Type: | MultiValuedProperty |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Identity
Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
The Identity parameter specifies the certificate that you want to view. Valid values are:
ServerNameOrFQDN\ThumbprintThumbprint
You can't use this parameter with the Server parameter.
The Thumbprint parameter, not the Identity parameter, is the positional parameter for this cmdlet. Therefore, when you specify a thumbprint value by itself, the command uses that value for the Thumbprint parameter.
Parameter properties
| Type: | ExchangeCertificateIdParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
Identity
| Position: | 1 |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Instance
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
This parameter is deprecated and no longer used.
Parameter properties
| Type: | X509Certificate2 |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
Instance
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-Server
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
The Server parameter specifies the Exchange server where you want to run this command. You can use any value that uniquely identifies the server. For example:
- Name
- FQDN
- Distinguished name (DN)
- Exchange Legacy DN
If you don't use this parameter, the command is run on the local server.
You can't use this parameter with the Identity parameter, but you can use it with the Thumbprint parameter, or by itself.
Parameter properties
| Type: | ServerIdParameter |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
Instance
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
Thumbprint
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Thumbprint
Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE
The Thumbprint parameter specifies the thumbprint value of the certificate that you want to view.
The Thumbprint parameter, not the Identity parameter, is the positional parameter for this cmdlet. Therefore, when you specify a thumbprint value by itself, the command uses that value for the Thumbprint parameter.
Parameter properties
| Type: | String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
Thumbprint
| Position: | 1 |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
Input types
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
Outputs
Output types
To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.