skip to Main Content

How to import certificate in Exchange Server

How to install a certificate in Exchange Server? It’s important to secure the Exchange Server with an SSL certificate. We have an SSL certificate that we like to import in Exchange Server. There are two ways to do that. One way is to install the certificate in Exchange Admin Center. The other way is to install Exchange certificate with PowerShell. In this article, we will import a certificate with PowerShell and Exchange Admin Center.

Do you have more than one Exchange Server running in the organization? You can use the same certificate for other Exchange Servers.

Create shared folder

Create a shared folder and place the SSL certificate in the folder. Make sure to assign permissions to the folder. For example, the SYSTEM account. If you don’t give permission, you cannot import the certificate, and an error will appear.

Import certificate in Exchange Server shared folder

Import certificate in Exchange Server

Starting from Exchange Server 2016 CU23 and later and Exchange Server 2019 CU12 and later, the only option to import the Exchange certificate is with PowerShell (Exchange Management Shell).

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). Read more in the article Exchange Server certificate changes.

Import Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Next, run the below command to import the certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com

Read the article Install Exchange certificate with PowerShell.

Import Exchange certificate in Exchange Admin Center

Suppose you have Exchange Server which is not running Exchange Server 2016 CU23 and later or Exchange Server 2019 CU12 and later, you can import the certificate in Exchange Admin Center.

Sign in to Exchange Admin Center. Click servers in the feature pane and click certificates in the tabs. Click (More options) and select Import Exchange Certificate.

Import certificate in Exchange Server import option

A new window will show up. Insert the path to the Exchange certificate. Fill in the password field. If there is no password configured for the certificate, you can leave it empty. Click Next.

Import certificate in Exchange Server wizard

Click + (Add) to select the Exchange Server.

Import certificate in Exchange Server specify servers

Select the Exchange Server. This is the server where the new certificate is going to be installed. Click Add and OK.

In my example, it’s EX01-2016.

Import certificate in Exchange Server select server

Click Finish.

Import certificate in Exchange Server finish wizard

The certificate is imported in Exchange Server. The next step is to assign the certificate to the Exchange services.

Assign Exchange services to certificate

Click on the imported certificate and follow with the Edit icon.

Import certificate in Exchange Server imported

Click services in the left menu. Specify the Exchange services to assign this certificate to. Click Save.

In my example, the services SMTP, IMAP, and IIS are checked.

Import certificate in Exchange Server specify Exchange services

A warning appears if you want to overwrite the existing certificate. Click Yes.

Import certificate in Exchange Server warning certificate overwrite

Click the certificate in the list view. See the assigned services in the details pane. It’s assigned to the services that we selected.

In the next step, we will check the secured SSL certificate on the Exchange Server.

Test imported Exchange certificate

Go to Outlook Web Access (OWA) URL or Exchange Admin Center (EAC) URL. You can verify that the website is secure.

The certificate is successfully imported in Exchange Server. Did it help you to install the certificate in Exchange Server?

Keep on reading: Remove Exchange certificate with PowerShell »

Conclusion

You learned how to import certificate in Exchange Server. Place the certificate in a shared folder before you start to import the certificate with PowerShell or with the import wizard in Exchange Admin Center.

Remember that in the latest Exchange Server versions, the import certificate functionality in Exchange Admin Center is removed and the only way to import the Exchange certificate is with PowerShell.

When the certificate is imported, you’re not done. That’s because the new certificate needs to be assigned to the Exchange services. After assigning the services, verify the certificate by browsing to the OWA URL in your favorite browser.

Did you enjoy this article? You may also like the article Server Error in ‘/owa’ Application Exchange 2016. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 7 Comments

  1. Hi Ali,
    I replaced the old certificate with a new one and removed the old certificate. but still, users get an expired certificate warning when start outlook. Do I need to make any other settings?

  2. Hi Ali

    Import and export through GUI is no longer an option in the latest Exchange 2019 cumulative update. I have tried import with the -PrivateKeyExportable set to true in the cmdlet below to enable subsequent export, but so far likely with some syntax or other problems? At least it doesn’t take the switch and can’t then be exported to .pfx with password! The .crt is bundled with .req originally created on one server and will if imported to another server have coinciding thumbprint, so that don’t works. Alla other cmdlet seem to be working, but so far I failed in exporting the private key. Any thoughts of the syntax or other ideas of a way forward?

    BR / Bengt

    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes(”)) [-Password (ConvertTo-SecureString -String ‘ ‘ -AsPlainText -Force)] [-PrivateKeyExportable ] [-Server ]

    1. Hi Bengt,

      You can run the following commands to export the certificate, including private key:

      $cert = Export-ExchangeCertificate -Thumbprint 'E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9' -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
      [System.IO.File]::WriteAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx', $cert.FileData)

      The following command will import the certificate to a specific Exchange Server:

      Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

      I updated the article with the Exchange Server certificate changes.

  3. I noticed this feature disappeared after CU12 update.
    I’m not sure if it went away after updating CU12 or after deploying a new mailbox server.

    1. That is correct. It’s now only possible to manage certificates from Exchange Management Shell.

      To prevent misuse of UNC paths by attackers, Microsoft removed parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all Cumulative Update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

      Read more in the article Exchange Server certificate changes.

  4. Hey Ali

    I just installed a second Exchange Server and the MS Exchange Server Auth Certificate is missing.

    Did that ever happened to you as well?

Leave a Reply

Your email address will not be published.