In Exchange Server 2007 the Get-ExchangeCertificate cmdlet only allowed us to view the local server’s certificates. But in Exchange Server 2010 Get-ExchangeCertificate has a -Server parameter that allows us to view certificates on remote servers as well.

This means we can run a PowerShell script to collect information about the SSL certificates on all of our Exchange servers, which is useful during Exchange 2013 migration planning.

This script, Get-ExchangeCertificateReport.ps1, is executed from the Exchange Management Shell and produces a HTML report in the same folder where the script is run from.

[PS] C:ScriptsExchange2013Planning>.Get-ExchangeCertificateReport.ps1
Server: BR-EX2010-MB (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB1 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB2 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-PF (Mailbox)
Server: HO-EX2010-EDGE (Edge)

exchange-ssl-certificate-report

This script can be downloaded from the TechNet Script Gallery or Github. Feedback and questions are welcome in the comments below.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Youssef

    Awesome work, very useful

  2. Jim McBee

    Paul,
    Thank you, thank you, thank you, thank you, thank you, thank you! And, also, thank you!

    Your contributions to the community are greatly appreciated. I definitely owe you multiple cold beverages next time we are in the same city.

    Jim McBee

  3. Roopa

    Excellent Paul, i have been following your posts since a long time, Honestly, i have learnt Exchange with the help of your Site.
    Can you Please help us learning O365? CAN YOU PLEASE POST THE LINKS HERE?

    The script worked like a charm.
    Thank you:):):)

  4. Randhawa D

    How do i deploy it for Edge Servers ?

  5. Rob Hupf

    Would it be difficult to have an option to sort the report by expiration date, so that the ones expiring soonest would be at the top of the report? I’m futzing with it now, but so far no luck.

    1. Avatar photo
      Paul Cunningham

      Thanks for the suggestion. I’ve logged it in my Github repo so I don’t forget, and hopefully I’ll get around to improving the script some time.

  6. Eddie

    What needs to be adjusted to make this work in Exchange 2013?

    Server: SR-xxxxx (Mailbox, ClientAccess)
    Starting a command on the remote server failed with the following error message : The I/O operation has been aborted be
    cause of either a thread exit or an application request. For more information, see the about_Remote_Troubleshooting Hel
    p topic.
    + CategoryInfo : OperationStopped: (sr-xxxxx.domain.lan:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : JobFailure
    + PSComputerName : sr-xxxxx.domain.lan

    1. Avatar photo
      Paul Cunningham

      Nothing I’m aware of. It works fine for me on my Exchange 2013 server when I run it in the Exchange Management Shell.

      1. Mick J

        Running it on one of my customers Exchange 2013 environment the script does generate a Certificate HTML output for me which appears to be correct when manually comparing the certs, however it does error with;

        Processing data for a remote command failed with the following error message: [ClientAccessServer=EXCHANGE01,BackEndSer
        ver=EXCHANGE01.domain.com,RequestId=015dfb88-0960-4b12-8332-bf1d3ebc5e89,TimeStamp=24/02/2017 12:31:00]
        [FailureCategory=WSMan-InvalidShellID] The request for the Windows Remote Shell with ShellId
        D70FFD63-63B4-4C9F-9678-7DA61549A04D failed because the shell was not found on the server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the correct ShellId or create a
        new shell and retry the operation. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo : OperationStopped: (EXCHANGE01.domain.com:String) [], PSRemotingTransportExce
        ption
        + FullyQualifiedErrorId : JobFailure
        + PSComputerName : EXCHANGE01.domain.com

        I’m thinking this is something that can be safely ignored.

        Note – it does seem to drop out and error once it starts to query the Edge servers, but the error referenced in the error above is not the Edge server, it’s the Multi Role CAS/MBX server. If it was the Edge server referenced in the error then that would make sense. Maybe its because I am running the script from EXCHANGE01 and that is why its referenced in the error?

        1. Mick J

          I’ve answered my own question, just ran the script on another Exc 2013 environment I support where they have no Edge servers and did not receive any error, so must’ve been the Edge server causing the previous error as it couldn’t query it.

          Just an FYI for anyone else who runs into this.

  7. Chad

    Great Script! Do you know how to make it run on edge servers in the DMZ? It is trying to run by name and of course that won’t work.

  8. Nic

    Enterprise Version 14.3

    1. Avatar photo
      Paul Cunningham

      Ok. The script doesn’t load the Exchange management snapin, so you’ll need to make sure you’re running the script in the Exchange Management Shell.

  9. Nic

    —- —–
    CLRVersion 2.0.50727.5485
    BuildVersion 6.1.7601.17514
    PSVersion 2.0
    WSManStackVersion 2.0
    PSCompatibleVersions {1.0, 2.0}
    SerializationVersion 1.1.0.1
    PSRemotingProtocolVersion 2.1

    -I running from desktop right now and planing to automate.
    .CertificateReport.ps1<<<this how i ran

  10. Nic

    Hi Paul,

    I ran the script CertificateReport.ps1 but it did not give me the output at all. What did i do wroong. Please replied.

  11. Taryel

    Thanks Paul everything work.

  12. Avatar photo
    Paul Cunningham

    Hi everyone, sorry about the 404 errors. Some time in the last few days the download system has broken. I’ve replaced the link now with one that should work. Please let me know if you continue to have download problems.

    1. Ronny

      Hi Paul,

      Ok was able to download and test it, however powershell gives an errmsg not correct exchange version, however the report is generated. are there any pre-requisites ?

      download problem for the latency mail script.

      rgds

  13. Roland Pieper

    404 !
    But i expect, it would be very usefull 🙂
    Rgds Roland

  14. Edwin

    Not found, error 404

  15. Ronny

    Can’t download script. Not found, error 404

  16. Taryel

    Can’t download script. Not found, error 404

  17. Charles Derber

    Fantastic Paul as expected 🙂

  18. Jacolex

    Found one error:
    $certObj | Add-Member NoteProperty -Name “SMTP” -Value $smpt
    should be:
    $certObj | Add-Member NoteProperty -Name “SMTP” -Value $smtp

    1. Avatar photo
      Paul Cunningham

      Good catch, thank you. Have uploaded fix (same download link above).

Leave a Reply