skip to Main Content

Install Exchange certificate with PowerShell

How to install Exchange certificate with PowerShell? You already have a certificate and you want to install it in Exchange Server. This means that you need to import the certificate in Exchange Server. After the certificate import, assign the certificate to the Exchange services. In a previous article, we showed how to import certificate in Exchange Admin Center. In this article, you will learn how to install Exchange certificate with PowerShell.

Do you have more than one Exchange Server running in the organization? You can use the same certificate for other Exchange Servers.

Install Exchange certificate with PowerShell

Before we start, place the Exchange certificate in a shared folder. Make sure to assign permissions to the folder. For example, the SYSTEM account. If you don’t give permission, you cannot import the certificate, and an error will show up.

Install Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Run the Import-ExchangeCertificate cmdlet, including the -FileName parameter, to install the Exchange certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileName "\\ex01-2016\certs\ExchangeCert.pfx" -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String "P@ssw0rd1" -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). Read more in the article Exchange Server certificate changes.

The -FileName parameter is not available since Exchange Server 2016 CU23 and Exchange Server CU12. Use the -FileData parameter to import the certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......

The certificate is imported successfully with PowerShell.

Note: The certificate is not yet assigned to Exchange services. You can see that from the dots (…….) in the column Services.

Assign certificate to the Exchange Server services

If the certificate is not assigned to the Exchange Server services, it will do nothing. Assign the certificate with the Enable-ExchangeCertificate cmdlet and the -Services parameter. After running the cmdlet, press Y and press Enter.

[PS] C:\>Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint 0C4C00B76EB7DB236573BF79258888D32C9B753D -Services SMTP,IMAP,IIS

Overwrite the existing default SMTP certificate?

Current certificate: '9BC8DF0DC366A87E2D397DD4CD328D91533346D2' (expires 6/6/2025 8:00:12 PM)
Replace it with certificate: '0C4C00B76EB7DB236573BF79258888D32C9B753D' (expires 9/3/2020 6:22:51 PM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): Y

Verify assigned Exchange certificate

Run Get-ExchangeCertificate cmdlet to verify the assigned services.

Do you like to know more about which certificates are installed on the Exchange Server? Read Get Exchange certificate with PowerShell.

[PS] C:\>Get-ExchangeCertificate -Server "EX01-2016" | select Thumbprint, Services, NotAfter, Subject, CertificateDomains

Thumbprint         : 0C4C00B76EB7DB236573BF79258888D32C9B753D
Services           : IMAP, IIS, SMTP
NotAfter           : 9/3/2020 6:22:51 PM
Subject            :
CertificateDomains : {,}

The certificate is installed in Exchange Server and everything looks great. We can see the certificate assigned to the Exchange services IMAP, IIS, and SMTP.

Did this article help you to import and assign the Exchange certificate with PowerShell?


To sum it up, you learned how to install Exchange certificate with PowerShell. Import the certificate in Exchange Server. After that, assign the certificate to the Exchange services. Do you use the Exchange Admin Center or PowerShell? I recommend PowerShell as it’s faster to install the certificate.

I hope you enjoyed this article. You may also like Update .NET Framework in Exchange Server. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 4 Comments

  1. Hello I did import the certificate and I ran into this issue when I try to Enable-ExchangeCertificate -Server “EX01-2016” -Thumbprint “myprint” -Services SMTP is prompting me for a different fingerprint than the one I want to replace? and does not expire?

    Thank you,


  2. Hi Ali,
    I want to thank you for all the amazing articles regarding Exchange. I have relied on many of them.

    Rather than hard coding the certificate name and the export password, I have added a File Browser Object with System.Windows.Forms.OpenFileDialog to choose the certificate file and a Read-Host
    with -AsSecureString to obtain the export password.

    If the wrong password is supplied, I want to loop back and try again. Do you have some good error handling suggestions? I’ve tried to put the Import-ExchangeCertificate cmdlet into a try catch block, but I still get the ugly red text the wrong password is entered.

  3. Hello,

    Is there a way to answer “no” to Overwrite automatically in powershell
    I want to make a script to automate this task

    1. Hi Sam,

      You can skip the confirmation prompt by using the syntax: -Confirm:$false.

      So the command will look like:

      Enable-ExchangeCertificate -Server "EX01-2016" -Thumbprint 0C4C00B76EB7DB236573BF79258888D32C9B753D -Services SMTP,IMAP,IIS -Confirm:$false

Leave a Reply

Your email address will not be published. Required fields are marked *