Microsoft removed in its latest cumulative update releases for Exchange Server the following options from the Exchange Admin Center console.

  • Import & Export Exchange Certificates
  • Complete Exchange Certificate Request
  • New Exchange Certificate Request from CA
  • Renew Exchange Certficate Request

For these options you now have to use PowerShell cmdlets.

To prevent misuse of UNC paths by attackers, we are removing parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later)


Create a new Exchange Certificate request

The RequestFile parameter that takes the UNC path as input is removed from the cmdlet. To export the request file to a UNC path, you must use the Set-Content cmdlet.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=DE,o=Braincourt GmbH," -DomainName,, -PrivateKeyExportable $true | Set-Content -Path "\\localhost\D$\certreq.req"

Renew Exchange Certificate

Get-ExchangeCertificate -Thumbprint <Thumbprint Cert to renew> | New-ExchangeCertificate -GenerateRequest -KeySize 2048 -Server <ServerIdentity> | Set-Content -Path "\\localhost\D$\certreq.req"

After executing the above New-ExchangeCertificate cmdlet, you can see the pending request in the Exchange Admin Center (EAC) console.

To complete the pending request, we need to execute the Import-ExchangeCertificate cmdlet or the certificate snap-in (mmc console) as shown below.

Import Exchange Certificate

The FileName parameter that takes the UNC path as input is removed from the cmdlet. To import the certificate that’s stored in another UNC path, you must use the FileData parameter, as shown in following example:

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('<FilePathOrUNCPath>')) [-Password (ConvertTo-SecureString -String '<Password> ' -AsPlainText -Force)] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdentity>]

Or as mentioned you just use the certificate snap-in (mmc console) on the corresponding Exchange Server to import the public signed certificate, which will also complete our pending request.


Changes in Exchange Server PowerShell cmdlets and Exchange Admin Center for UNC path inputs (KB5014278)


Renew an Exchange Server certificate