As long as I can remember I have been creating, updating, renewing, exporting and importing Exchange certificates on Exchange servers.
This morning I had to renew my own Exchange certificate, and my PowerShell command Export-ExchangeCertificate failed on the -FileName option, so it would not accept the option to store the file somewhere. This is strange, because in our Exchange 2016/2019 book that was released less than a year ago we were able to use the -FileName option.
It turned out that the -FileName option was removed from the Export-ExchangeCertificate and Import-ExchangeCertificate cmdlets because of security concerns. In more detail, the -FileName option accepts a UNC path, which makes it possible for compromised servers to access other servers using UNC paths.
The way to export a certificate in Exchange 2016 CU23 and Exchange 2019 CU12 (and higher) is to export the certificate into a variable and then write the FileData property of that variable to a file:
[PS] C:\> $Cert = Export-ExchangeCertificate -Thumbprint <Thumbprint> -BinaryEncoded -Password (ConvertTo-SecureString -String 'Pass1word' -AsPlainText -Force)
[PS] C:\> [System.IO.File]::WriteAllBytes('C:\Install\CertExport.pfx', $Cert.FileData)
Importing certificates is similar: the -FileName option is removed from the cmdlet in Exchange 2016 CU23 and Exchange 2019 CU12 (and higher), and the -FileData option needs to be used instead:
[PS] C:\> Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "<local or UNC path>" -Encoding byte)) -Password (ConvertTo-SecureString -String 'Pass1word' -AsPlainText -Force)
Note: On Exchange 2013 servers the -FileName option can still be used.
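The export steps above can be wrapped in a function that keeps the PFX on local disk and checks the result before it is used for an import. This is an added example, not code from the original post or from Microsoft; the function name Export-ExchangeCertToPfx is hypothetical, and it assumes the Exchange Management Shell on Exchange 2016 CU23 / Exchange 2019 CU12 or higher.

```powershell
# Added example; Export-ExchangeCertToPfx is a hypothetical helper name.
function Export-ExchangeCertToPfx {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Resolve to an absolute path and refuse UNC targets, so the private key
    # is only ever written to a local disk.
    $fullPath = [System.IO.Path]::GetFullPath($Path)
    if (([System.Uri]$fullPath).IsUnc) {
        throw "Refusing to write the PFX to a UNC path: $fullPath"
    }

    # The cmdlet returns the PFX bytes in the FileData property instead of writing a file.
    $export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $Password
    [System.IO.File]::WriteAllBytes($fullPath, $export.FileData)

    # Read the file back and open it with the same password to confirm that it is
    # intact, is the expected certificate and contains the private key.
    $bytes = [System.IO.File]::ReadAllBytes($fullPath)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $bytes, $Password
    try {
        if ($pfx.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
            throw "Exported PFX has thumbprint $($pfx.Thumbprint), expected $Thumbprint"
        }
        if (-not $pfx.HasPrivateKey) {
            throw "Exported PFX does not contain the private key"
        }
        [pscustomobject]@{ Path = $fullPath; Thumbprint = $pfx.Thumbprint; NotAfter = $pfx.NotAfter }
    }
    finally {
        $pfx.Dispose()
    }
}

# Prompt for the PFX password instead of typing it as a literal on the command line.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-ExchangeCertToPfx -Thumbprint '<Thumbprint>' -Path 'C:\Install\CertExport.pfx' -Password $pw
```

Because the password is read with Read-Host -AsSecureString, it does not end up in the PowerShell command history or in a transcript.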
More information can be found on https://docs.microsoft.com/en-us/powershell/module/exchange/export-exchangecertificate?view=exchange-ps and https://docs.microsoft.com/en-us/powershell/module/exchange/import-exchangecertificate?view=exchange-ps