HowTo create SAN certificates for use with Microsoft Exchange using CAcert

First, you have to import the CAcert root certificate to the Local Machine’s Trusted Root Certificate Store on the Exchange Server using MMC. It’s not enough to add it to the Trusted Root Certificate Store of your user.

Then you can create the Certificate Request using the following PowerShell command ( is the primary FQDN for your Exchange’s IIS, the other names are the SAN, Subject Alternative Names)

New-ExchangeCertificate -GenerateRequest -Path c:\owa_example_net.csr -KeySize 2048 -SubjectName “c=CH, s=AG, l=Wohlen, o=example, ou=IT,” –DomainName,, -PrivateKeyExportable $True

You can then post the content of the File owa_example_net.csr into the field to request a new certificate on CAcert’s webpage. I have chosen a Class 1 certificate there.

When you get the Certificate, copy and paste the content into a File owa_example_net.crt on the exchange server and import/enable it with the following PowerShell command.

Import-ExchangeCertificate -Path c:\owa_example_net.crt | Enable-ExchangeCertificate -Services “SMTP, IMAP, IIS, POP”

That’s all, your new certificate is in use immediately!