Complete a pending Exchange Server certificate request

Completing a pending certificate request (also known as a certificate signing request or CSR) is the next step in configuring Transport Layer Security (TLS) encryption in Exchange Server. After you receive the certificate from the certification authority (CA), you install the certificate on the Exchange server to complete the pending certificate request.

You can complete a pending certificate request in the Exchange admin center (EAC) or in the Exchange Management Shell. The procedures are the same for completing new certificate requests or certificate renewal requests. The procedures are also the same for certificates that were issued by an internal CA (for example, Active Directory Certificate Services), or a commercial CA.

You might receive one or more of the following types of certificate files from the CA:

  • PKCS #12 certificate files: These are binary certificate files that have .cer, .crt, .der, .p12, or .pfx filename extensions, and require a password when the file contains the private key or chain of trust. The CA might issue you only one binary certificate file that you need to install (protected by a password), or multiple root or intermediate binary certificate files that you also need to install.

  • PKCS #7 certificate files: These are text certificate files that have .p7b or .p7c filename extensions. These files contain the text: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- or -----BEGIN PKCS7----- and -----END PKCS7-----. If the CA includes a chain of certificates file with your binary certificate file, you also need to install the chain of certificates file.

What do you need to know before you begin?

  • Estimated time to complete: 5 minutes.

  • The procedures in this topic require you to have created a new certificate request on the Exchange server, sent the certificate request to the CA, and received the certificate from the CA. For more information, see Create an Exchange Server certificate request for a certification authority.

  • In the EAC, you need to retrieve the certificate file from a UNC path (\\<Server>\<Share> or \\<LocalServerName>\c$\). In the Exchange Management Shell, you can use a local file path.

  • If you renew or replace a certificate that was issued by a CA on a subscribed Edge Transport server, you need to remove the old certificate, and then delete and recreate the Edge Subscription. For more information, see Edge Subscription process.

  • To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the EAC to complete a pending certificate request

  1. Open the EAC and navigate to Servers > Certificates.

  2. In the Select server list, select the Exchange server that holds the pending certificate request.

  3. A pending certificate request has the following properties:

    • In the list of certificates, the value of the Status field is Pending request.

    • When you select the certificate request from the list, there's a Complete link in the details pane.

    Select the pending certificate request that you want to complete, and then click Complete in the details pane.

  4. On the Complete pending request page that opens, in the File to import from field, enter the UNC path and filename for the certificate file. For example, \\FileServer01\Data\ContosoCert.cer. When you're finished, click OK.

The certificate request becomes a certificate in the list of Exchange certificates with a Status value of Valid. For next steps, see the Next steps section.

Use the Exchange Management Shell to complete a pending certificate request

The syntax that you use to complete a pending certificate request in the Exchange Management Shell depends on the type of certificate file or files that you were issued.

To import a binary certificate file (PKCS #12 files that have .cer, .crt, .der, .p12, or .pfx filename extensions), use the following syntax:

Import-ExchangeCertificate -FileName "<FilePathOrUNCPath>\<FileName>" [-Password (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdentity>]

This example imports the binary certificate file \\FileServer01\Data\Contoso Cert.cer that's protected by the password P@ssw0rd1 on the local Exchange server.

Import-ExchangeCertificate -FileName "\\FileServer01\Data\Contoso Cert.cer" -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

To import a chain of certificates file (PKCS #7 text files that have .p7b or .p7c filename extensions), use the following syntax:

Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Encoding Byte -Path "<FilePathOrUNCPath>" -ReadCount 0))

This example imports the text certificate file \\FileServer01\Data\Chain of Certificates.p7b on the local Exchange server.

Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Encoding Byte -Path "\\FileServer01\Data\Chain of Certificates.p7b" -ReadCount 0))

Notes:

  • The FileName and FileData parameters accept local paths if the certificate file is located on the Exchange server where you're running the command, and this is the same server where you want to import the certificate. Otherwise, use a UNC path.

  • If you want to be able to export the certificate from the server where you're importing it, you need to use the PrivateKeyExportable parameter with the value $true.

  • For more information, see Import-ExchangeCertificate.

How do you know this worked?

To verify that you have successfully completed the certificate request and installed the certificate on the Exchange server, use either of the following procedures:

  • In the EAC at Servers > Certificates, verify that the server where you installed the certificate is selected. In the list of certificates, verify that the certificate has the Status property value Valid.

  • In the Exchange Management Shell on the server where you installed the certificate, run the following command and verify that the certificate is listed:

    Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
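
The import and verification steps above can be combined into one script that prompts for the file password instead of embedding it in the command. This is an added example, not part of the original documentation; it assumes the Exchange Management Shell on the target server, reuses this page's sample path, and the 30-day expiry threshold is an arbitrary illustrative value.

```powershell
# Added example: run in the Exchange Management Shell on the target server.
# The path is the sample value from this page; adjust it for your environment.
$certPath = '\\FileServer01\Data\Contoso Cert.cer'

# Prompt for the file password so it is not typed into the command line,
# where it would be saved in command history or a session transcript.
$filePassword = Read-Host -Prompt "Password for $certPath" -AsSecureString

# Complete the pending request. $false keeps the private key non-exportable;
# use $true only if you need to export the certificate from this server.
$imported = Import-ExchangeCertificate -FileName $certPath `
    -Password $filePassword -PrivateKeyExportable $false

# Re-read the installed certificate by thumbprint and check its properties.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

$problems = @()
if ($cert.Status -ne 'Valid') {
    $problems += "Status is '$($cert.Status)', expected 'Valid'."
}
if (-not $cert.HasPrivateKey) {
    # Without a private key the server cannot use the certificate for TLS.
    $problems += 'No private key is associated with the certificate.'
}
if ($cert.IsSelfSigned) {
    $problems += 'Certificate is self-signed, not issued by a CA.'
}
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {   # 30 days: illustrative threshold, not from the page
    $problems += "Certificate expires in $daysLeft days ($($cert.NotAfter))."
}

# Show the same fields as the verification command on this page, plus expiry.
$cert | Format-List FriendlyName, Subject, CertificateDomains, Thumbprint, NotAfter, Status

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Certificate $($cert.Thumbprint) is installed and valid."
}
```

Compare the displayed Thumbprint and CertificateDomains with the values the CA reported for the issued certificate before assigning it to any Exchange service.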
    

Next steps

After you complete the pending certificate request by installing the certificate on the server, you need to assign the certificate to one or more Exchange services before the Exchange server is able to use the certificate for encryption. For more information, see Assign certificates to Exchange services.