In Exchange Server 2007 the Get-ExchangeCertificate cmdlet only allowed us to view the local server’s certificates. But in Exchange Server 2010 Get-ExchangeCertificate has a -Server parameter that allows us to view certificates on remote servers as well.
This means we can run a PowerShell script to collect information about the SSL certificates on all of our Exchange servers, which is useful during Exchange 2013 migration planning.
This script, Get-ExchangeCertificateReport.ps1, is executed from the Exchange Management Shell and produces an HTML report in the same folder the script is run from.
[PS] C:\Scripts\Exchange2013Planning>.\Get-ExchangeCertificateReport.ps1
Server: BR-EX2010-MB (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB1 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB2 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-PF (Mailbox)
Server: HO-EX2010-EDGE (Edge)
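The following is an added example written for this page, not the downloadable Get-ExchangeCertificateReport.ps1 script itself. It shows the approach the post describes: enumerate the servers with Get-ExchangeServer, call Get-ExchangeCertificate -Server against each one, and write an HTML report next to the script. It goes slightly beyond the post in two ways: rows are sorted so the soonest-expiring certificates are at the top, and self-signed or expiring certificates are flagged, since those are the ones that matter for a migration or a renewal. Edge Transport servers are not domain-joined, so the -Server query cannot reach them; the example assumes you skip them and lists them at the bottom of the report. The $WarnDays threshold and the report file name are assumptions, not settings from the original script.

```powershell
# Added example (not the post's own script). Run from the Exchange Management Shell,
# which already has the Exchange snap-in loaded. Written to run on PowerShell 2.0
# (Exchange 2010) as well as 3.0+, hence New-Object PSObject instead of [PSCustomObject].
param(
    [string]$ReportFile = "",   # default: ExchangeCertificateReport.html beside the script
    [int]$WarnDays = 30         # assumed threshold; flag certificates expiring within this many days
)

if ($ReportFile -eq "") {
    $scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
    $ReportFile = Join-Path $scriptDir "ExchangeCertificateReport.html"
}

$now = Get-Date
$rows = @()
$skipped = @()

foreach ($server in (Get-ExchangeServer | Sort-Object Name)) {
    Write-Host "Server: $($server.Name) ($($server.ServerRole))"

    # Edge servers are not domain-joined and not reachable via -Server from an internal
    # shell (assumption based on the behaviour reported in the comments); skip them.
    if ($server.ServerRole -match "Edge") {
        $skipped += "$($server.Name) (Edge Transport: run Get-ExchangeCertificate locally on that server)"
        continue
    }

    try {
        $certs = Get-ExchangeCertificate -Server $server.Name -ErrorAction Stop
    } catch {
        # A remoting failure to one server should not abort the whole report.
        $skipped += "$($server.Name): $($_.Exception.Message)"
        continue
    }

    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        if ($daysLeft -lt 0) {
            $status = "EXPIRED"
        } elseif ($daysLeft -le $WarnDays) {
            $status = "Expires in $daysLeft days"
        } else {
            $status = "OK"
        }
        # Self-signed certificates bound to IIS or SMTP are worth calling out explicitly:
        # clients and partner MTAs will not trust them.
        if ($cert.IsSelfSigned -and ($cert.Services.ToString() -match "IIS|SMTP")) {
            $status += " (self-signed, bound to $($cert.Services))"
        }

        $rows += New-Object PSObject -Property @{
            Server     = $server.Name
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = $cert.IsSelfSigned
            Services   = $cert.Services.ToString()
            Domains    = ($cert.CertificateDomains -join ", ")
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

# Soonest-expiring certificates first; Select-Object fixes the column order for the HTML table.
$sorted = $rows | Sort-Object NotAfter |
    Select-Object Server, Subject, Issuer, SelfSigned, Services, Domains, Thumbprint, NotAfter, Status

$style = "<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:3px}</style>"
$html = $sorted | ConvertTo-Html -Title "Exchange Certificate Report" -Head $style `
    -PreContent "<h1>Exchange Certificate Report ($($now.ToString('yyyy-MM-dd')))</h1>"

if ($skipped.Count -gt 0) {
    $items = ($skipped | ForEach-Object { "<li>$_</li>" }) -join ""
    $html += "<h2>Servers not queried</h2><ul>$items</ul>"
}

$html | Out-File -FilePath $ReportFile -Encoding UTF8
Write-Host "Report written to $ReportFile"
```

The try/catch around Get-ExchangeCertificate is what keeps a single PSRemotingTransportException (the kind shown in the comments below) from stopping the run; the failing server is recorded in the "Servers not queried" list instead of silently missing from the table, so a blank entry cannot be mistaken for "no certificates".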
This script can be downloaded from the TechNet Script Gallery or Github. Feedback and questions are welcome in the comments below.
Awesome work, very useful
Paul,
Thank you, thank you, thank you, thank you, thank you, thank you! And, also, thank you!
Your contributions to the community are greatly appreciated. I definitely owe you multiple cold beverages next time we are in the same city.
Jim McBee
Excellent Paul, I have been following your posts for a long time. Honestly, I have learnt Exchange with the help of your site.
Can you please help us learn O365? Can you please post the links here?
The script worked like a charm.
Thank you:):):)
How do I deploy it for Edge servers?
Would it be difficult to have an option to sort the report by expiration date, so that the ones expiring soonest would be at the top of the report? I’m futzing with it now, but so far no luck.
Thanks for the suggestion. I’ve logged it in my Github repo so I don’t forget, and hopefully I’ll get around to improving the script some time.
What needs to be adjusted to make this work in Exchange 2013?
Server: SR-xxxxx (Mailbox, ClientAccess)
Starting a command on the remote server failed with the following error message : The I/O operation has been aborted because of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (sr-xxxxx.domain.lan:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure
+ PSComputerName : sr-xxxxx.domain.lan
Nothing I’m aware of. It works fine for me on my Exchange 2013 server when I run it in the Exchange Management Shell.
Running it on one of my customer's Exchange 2013 environments, the script does generate a certificate HTML output for me which appears to be correct when manually comparing the certs; however it does error with:
Processing data for a remote command failed with the following error message: [ClientAccessServer=EXCHANGE01,BackEndServer=EXCHANGE01.domain.com,RequestId=015dfb88-0960-4b12-8332-bf1d3ebc5e89,TimeStamp=24/02/2017 12:31:00] [FailureCategory=WSMan-InvalidShellID] The request for the Windows Remote Shell with ShellId D70FFD63-63B4-4C9F-9678-7DA61549A04D failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a new shell and retry the operation. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (EXCHANGE01.domain.com:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure
+ PSComputerName : EXCHANGE01.domain.com
I’m thinking this is something that can be safely ignored.
Note – it does seem to drop out and error once it starts to query the Edge servers, but the server referenced in the error above is not the Edge server, it's the multi-role CAS/MBX server. If it was the Edge server referenced in the error then that would make sense. Maybe it's because I am running the script from EXCHANGE01 and that is why it's referenced in the error?
I've answered my own question. I just ran the script on another Exchange 2013 environment I support where they have no Edge servers and did not receive any error, so it must've been the Edge server causing the previous error, as it couldn't query it.
Just an FYI for anyone else who runs into this.
Pingback: PowerShell Scripts for your Exchange and Office 365 Toolkit
Pingback: Exchange Server 2013 - Renewing an SSL Certificate
Great Script! Do you know how to make it run on edge servers in the DMZ? It is trying to run by name and of course that won’t work.
Enterprise Version 14.3
Ok. The script doesn’t load the Exchange management snapin, so you’ll need to make sure you’re running the script in the Exchange Management Shell.
Name                           Value
----                           -----
CLRVersion                     2.0.50727.5485
BuildVersion                   6.1.7601.17514
PSVersion                      2.0
WSManStackVersion              2.0
PSCompatibleVersions           {1.0, 2.0}
SerializationVersion           1.1.0.1
PSRemotingProtocolVersion      2.1
I'm running it from the desktop right now and planning to automate it.
.\CertificateReport.ps1 <<< this is how I ran it
Which version of *Exchange* do you have in that environment.
Hi Paul,
I ran the script CertificateReport.ps1 but it did not give me any output at all. What did I do wrong? Please reply.
Which version of Exchange do you have? How did you run it?
Thanks Paul, everything works.
Hi everyone, sorry about the 404 errors. Some time in the last few days the download system has broken. I’ve replaced the link now with one that should work. Please let me know if you continue to have download problems.
Hi Paul,
OK, I was able to download and test it; however PowerShell gives an error message saying the Exchange version is not correct, although the report is generated. Are there any prerequisites?
download problem for the latency mail script.
rgds
Which version of Exchange are you running?
404!
But I expect it would be very useful 🙂
Rgds Roland
Not found, error 404
Can’t download script. Not found, error 404
Fantastic Paul as expected 🙂
Found one error:
$certObj | Add-Member NoteProperty -Name “SMTP” -Value $smpt
should be:
$certObj | Add-Member NoteProperty -Name “SMTP” -Value $smtp
Good catch, thank you. Have uploaded fix (same download link above).