Home » Exchange Server » PowerShell Script to Generate Exchange Server SSL Certificate Report

PowerShell Script to Generate Exchange Server SSL Certificate Report

In Exchange Server 2007 the Get-ExchangeCertificate cmdlet only allowed us to view the local server’s certificates. But in Exchange Server 2010 Get-ExchangeCertificate has a -Server parameter that allows us to view certificates on remote servers as well.

This means we can run a PowerShell script to collect information about the SSL certificates on all of our Exchange servers, which is useful during Exchange 2013 migration planning.

This script, Get-ExchangeCertificateReport.ps1, is executed from the Exchange Management Shell and produces a HTML report in the same folder where the script is run from.


This script can be downloaded from the TechNet Script Gallery or Github. Feedback and questions are welcome in the comments below.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server


  1. Jacolex says:

    Found one error:
    $certObj | Add-Member NoteProperty -Name “SMTP” -Value $smpt
    should be:
    $certObj | Add-Member NoteProperty -Name “SMTP” -Value $smtp

  2. Hi everyone, sorry about the 404 errors. Some time in the last few days the download system has broken. I’ve replaced the link now with one that should work. Please let me know if you continue to have download problems.

  3. Nic says:

    Hi Paul,

    I ran the script CertificateReport.ps1 but it did not give me the output at all. What did i do wroong. Please replied.

  4. Nic says:

    —- —–
    CLRVersion 2.0.50727.5485
    BuildVersion 6.1.7601.17514
    PSVersion 2.0
    WSManStackVersion 2.0
    PSCompatibleVersions {1.0, 2.0}
    PSRemotingProtocolVersion 2.1

    -I running from desktop right now and planing to automate.
    .CertificateReport.ps1<<<this how i ran

  5. Eddie says:

    What needs to be adjusted to make this work in Exchange 2013?

    Server: SR-xxxxx (Mailbox, ClientAccess)
    Starting a command on the remote server failed with the following error message : The I/O operation has been aborted be
    cause of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Hel
    p topic.
    + CategoryInfo : OperationStopped: (sr-xxxxx.domain.lan:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure
    + PSComputerName : sr-xxxxx.domain.lan

      • Mick J says:

        Running it on one of my customers Exchange 2013 environment the script does generate a Certificate HTML output for me which appears to be correct when manually comparing the certs, however it does error with;

        Processing data for a remote command failed with the following error message: [ClientAccessServer=EXCHANGE01,BackEndSer
        ver=EXCHANGE01.domain.com,RequestId=015dfb88-0960-4b12-8332-bf1d3ebc5e89,TimeStamp=24/02/2017 12:31:00]
        [FailureCategory=WSMan-InvalidShellID] The request for the Windows Remote Shell with ShellId
        D70FFD63-63B4-4C9F-9678-7DA61549A04D failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a
        new shell and retry the operation. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo : OperationStopped: (EXCHANGE01.domain.com:String) [], PSRemotingTransportExce
        + FullyQualifiedErrorId : JobFailure
        + PSComputerName : EXCHANGE01.domain.com

        I’m thinking this is something that can be safely ignored.

        Note – it does seem to drop out and error once it starts to query the Edge servers, but the error referenced in the error above is not the Edge server, it’s the Multi Role CAS/MBX server. If it was the Edge server referenced in the error then that would make sense. Maybe its because I am running the script from EXCHANGE01 and that is why its referenced in the error?

        • Mick J says:

          I’ve answered my own question, just ran the script on another Exc 2013 environment I support where they have no Edge servers and did not receive any error, so must’ve been the Edge server causing the previous error as it couldn’t query it.

          Just an FYI for anyone else who runs into this.

  6. Rob Hupf says:

    Would it be difficult to have an option to sort the report by expiration date, so that the ones expiring soonest would be at the top of the report? I’m futzing with it now, but so far no luck.

Leave a Reply

Your email address will not be published. Required fields are marked *