Install Exchange certificate with PowerShell

How do you install an Exchange certificate with PowerShell? You already have a certificate and want to install it on Exchange Server. That takes two steps: import the certificate into Exchange Server, then assign the certificate to the Exchange services. In a previous article, we showed how to import a certificate in the Exchange Admin Center. In this article, you will learn how to install an Exchange certificate with PowerShell.

Do you have more than one Exchange Server running in the organization? You can use the same certificate for other Exchange Servers.

Install Exchange certificate with PowerShell

Before we start, place the Exchange certificate in a shared folder and make sure the accounts that need it have permission to read that folder, for example the SYSTEM account. If the permissions are missing, the import fails with an access error.

Run Exchange Management Shell as administrator. Run the Import-ExchangeCertificate cmdlet, including the -FileName parameter, to install the Exchange certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileName "\\ex01-2016\certs\ExchangeCert.pfx" -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). Read more in the article Exchange Server certificate changes.

The -FileName parameter is no longer available starting with Exchange Server 2016 CU23 and Exchange Server 2019 CU12. Use the -FileData parameter to import the certificate instead, reading the file bytes yourself:

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com

The certificate is imported successfully with PowerShell.

Note: The certificate is not yet assigned to Exchange services. You can see that from the dots (…….) in the column Services.

Assign certificate to the Exchange Server services

If the certificate is not assigned to the Exchange Server services, Exchange does not use it for anything. Assign the certificate with the Enable-ExchangeCertificate cmdlet and the -Services parameter. When the cmdlet asks for confirmation, press Y and then Enter.

[PS] C:\>Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint 0C4C00B76EB7DB236573BF79258888D32C9B753D -Services SMTP,IMAP,IIS

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: '9BC8DF0DC366A87E2D397DD4CD328D91533346D2' (expires 6/6/2025 8:00:12 PM)
Replace it with certificate: '0C4C00B76EB7DB236573BF79258888D32C9B753D' (expires 9/3/2020 6:22:51 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Verify assigned Exchange certificate

Run the Get-ExchangeCertificate cmdlet to verify the assigned services.

Do you want to know more about which certificates are installed on the Exchange Server? Read Get Exchange certificate with PowerShell.

[PS] C:\>Get-ExchangeCertificate -Server "EX01-2016" | select Thumbprint, Services, NotAfter, Subject, CertificateDomains


Thumbprint         : 0C4C00B76EB7DB236573BF79258888D32C9B753D
Services           : IMAP, IIS, SMTP
NotAfter           : 9/3/2020 6:22:51 PM
Subject            : CN=mail.exoip.com
CertificateDomains : {mail.exoip.com, autodiscover.exoip.com}

The certificate is installed in Exchange Server and everything looks great. We can see the certificate assigned to the Exchange services IMAP, IIS, and SMTP.
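The three steps above (import, assign, verify) can be chained in one script. The following is an added example written for this article, not code from the original post: it uses the -FileData import that newer cumulative updates require, prompts for the PFX password with Read-Host -AsSecureString instead of putting it on the command line (where it lands in the shell history), keeps the private key non-exportable, refuses to bind a certificate that is about to expire, suppresses the overwrite prompt with -Confirm:$false, and checks afterwards that the imported thumbprint really carries the requested services. The server name, share path and service list are assumptions taken from the article's examples; adjust them for your environment. Note that a wrong PFX password is surfaced by Import-ExchangeCertificate as a non-terminating error, so -ErrorAction Stop is needed for the try/catch to see it.

```powershell
# Added example (not from the original article): import, enable and verify an
# Exchange certificate in one run. Values below are assumptions from the article.
param(
    [string]$Server     = "EX01-2016",
    [string]$PfxPath    = "\\ex01-2016\Certs\ExchangeCert.pfx",
    [string[]]$Services = @("SMTP", "IIS")   # add IMAP only for non-wildcard subjects
)

# Fail early if the share path is wrong or the account lacks read permission.
if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX file not found or not readable: $PfxPath"
}
$PfxBytes = [System.IO.File]::ReadAllBytes($PfxPath)

# Ask for the password as a SecureString; nothing is written to the command history.
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Import with up to three attempts. -ErrorAction Stop converts the cmdlet's
# non-terminating error (e.g. wrong password) into an exception we can catch.
$Cert = $null
for ($attempt = 1; ($attempt -le 3) -and (-not $Cert); $attempt++) {
    try {
        $Cert = Import-ExchangeCertificate -Server $Server -FileData $PfxBytes `
            -Password $PfxPassword -PrivateKeyExportable:$false -ErrorAction Stop
    }
    catch {
        Write-Warning "Import attempt $attempt failed: $($_.Exception.Message)"
        $PfxPassword = Read-Host -Prompt "PFX password (retry)" -AsSecureString
    }
}
if (-not $Cert) { throw "Certificate import failed after 3 attempts." }

# Never bind a certificate that is expired or expires within a week.
if ($Cert.NotAfter -lt (Get-Date).AddDays(7)) {
    throw "Certificate $($Cert.Thumbprint) expires $($Cert.NotAfter); not enabling it."
}

# Assign services without the interactive "Overwrite the existing default SMTP
# certificate?" prompt, so the script can run unattended.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint `
    -Services ($Services -join ",") -Confirm:$false

# Verify: the imported thumbprint must now list every requested service.
$Check   = Get-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint
$Missing = $Services | Where-Object { ("$($Check.Services)") -notmatch $_ }
if ($Missing) {
    throw "Services not bound on $($Cert.Thumbprint): $($Missing -join ', ')"
}
$Check | Select-Object Thumbprint, Services, NotAfter, Subject, CertificateDomains
```

Run it from the Exchange Management Shell as administrator. The expiry check and the final verification are the parts worth keeping even if you strip the rest: the confirmation prompt in the article shows that Enable-ExchangeCertificate will happily replace a certificate that expires in 2025 with one that expires in 2020, so the script should refuse what a human reading the prompt would refuse.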

Did this article help you to import and assign the Exchange certificate with PowerShell?

Conclusion

You learned how to install Exchange certificate with PowerShell. First, import the certificate in Exchange Server. After that, assign the certificate to the Exchange services.

I hope you enjoyed this article. You may also like Update .NET Framework in Exchange Server. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 5 Comments

  1. A great manual. It sped up my work a lot.
    I will only add that if we have (and want to install) a wildcard certificate, we cannot install it on the IMAP service. We need to modify our Enable-ExchangeCertificate command leaving only SMTP, IIS in the -Services parameter.
    Otherwise, we will get a warning in the form of:
    WARNING: This certificate with thumbprint 000…000 and subject ‘*.abc.def’ cannot used
    for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command
    Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

    Regards,
    Tommy

  2. Hello, I did import the certificate and I ran into this issue when I try to run Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint "myprint" -Services SMTP: it is prompting me for a different fingerprint than the one I want to replace, and it does not expire?

    Thank you,

    Camp

  3. Hi Ali,
    I want to thank you for all the amazing articles regarding Exchange. I have relied on many of them.

    Rather than hard coding the certificate name and the export password, I have added a File Browser Object with System.Windows.Forms.OpenFileDialog to choose the certificate file and a Read-Host
    with -AsSecureString to obtain the export password.

    If the wrong password is supplied, I want to loop back and try again. Do you have some good error handling suggestions? I've tried to put the Import-ExchangeCertificate cmdlet into a try/catch block, but I still get the ugly red text when the wrong password is entered.

  4. Hello,

    Is there a way to answer "no" to Overwrite automatically in PowerShell?
    I want to make a script to automate this task.

    1. Hi Sam,

      You can skip the confirmation prompt by using the syntax: -Confirm:$false.

      So the command will look like:

      Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint 0C4C00B76EB7DB236573BF79258888D32C9B753D -Services SMTP,IMAP,IIS -Confirm:$false
