SSL Certificate Installation in Exchange (PowerShell)

Solution ID : ALERT21
Last Modified : 10/15/2024

Important Update: Changes to Certificate Management in Exchange Server

Starting with cumulative update (CU) releases for Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later), the option to import or export Exchange certificates through the Exchange Control Panel (ECP) has been removed. You must now use PowerShell cmdlets to manage the import or export of Exchange certificates.

For more details, refer to the official Microsoft support article.

 

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see the CSR creation instructions for Microsoft servers.

How to install your SSL certificate in Exchange

In the instructions below, modify the text in bold italics to match your configuration (filename, domain, or certificate thumbprint).

1. Download and open the ZIP file containing your certificate. Your certificate file will be named your_domain_name.cer.
 

2. Copy your_domain_name.cer to C:\Desktop on your Exchange server. 
 

3. Open PowerShell.
◦ Press the “Windows” key + “R” to open the Run dialog

◦ Type “powershell” into the Run dialog

◦ Press “Ctrl” + “Shift” + “Enter” or press “OK” to open PowerShell with elevated privileges

4. Run the following commands in PowerShell to import and enable your certificate (both commands are run on the same line, separated by a pipe character):

Import-ExchangeCertificate -Path C:\Desktop\your_domain_name.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

 

The Services option can be any combination of these values: IMAP, POP, UM, IIS, SMTP. To disable a certificate, set the Services parameter to 'None'.

For further reading about the Exchange commands, visit Microsoft’s Exchange Server TechCenter.


5. Verify that your certificate is enabled by running the Get-ExchangeCertificate command:

Get-ExchangeCertificate -DomainName your.domain.name

 

Example:

In the Services column, the letters S, I, P, and W stand for SMTP, IMAP, POP3, and Web (IIS).

If your certificate isn't properly enabled, you can re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -ThumbPrint argument like this:

Enable-ExchangeCertificate -ThumbPrint [paste_your_thumbprint] -Services "SMTP, IMAP, POP, IIS"

 

6. Test your certificate by connecting to your server with Microsoft Edge (or Chrome), ActiveSync, or Outlook.

If using ISA 2004 or ISA 2006, you need to reboot your servers. Some customers have reported that ISA services won't send the intermediate certificate until after a reboot.
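
Steps 4 and 5 above as one script, added here as an illustration (not DigiCert's or Microsoft's own code): it imports the file through the -FileData parameter of Import-ExchangeCertificate instead of -Path, checks the private key, expiry, and status before binding any service, then confirms the bindings. It assumes an elevated Exchange Management Shell; the path and service list are the page's placeholders.

```powershell
# Added example. Assumption: elevated Exchange Management Shell on the Exchange server.
# The path and service list are the page's placeholders; adjust them to your configuration.
$CertPath = 'C:\Desktop\your_domain_name.cer'
$Services = 'SMTP, IMAP, POP, IIS'

# -FileData takes the certificate file's contents as a byte array.
$bytes    = [System.IO.File]::ReadAllBytes($CertPath)
$imported = Import-ExchangeCertificate -FileData $bytes -ErrorAction Stop

# Re-read the certificate from the store and check it before binding services.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server; was the CSR created here?"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if ("$($cert.Status)" -ne 'Valid') {
    Write-Warning "Certificate status is '$($cert.Status)'; check the intermediate chain and revocation access."
}

# Bind the services by thumbprint (Exchange may prompt before replacing the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services -ErrorAction Stop

# Confirm that every requested service is now listed on the certificate.
$after   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$enabled = "$($after.Services)" -split ',\s*'
$missing = $Services -split ',\s*' | Where-Object { $enabled -notcontains $_ }
if ($missing) {
    Write-Warning "Not enabled: $($missing -join ', ')"
}
$after | Format-List Subject, CertificateDomains, Thumbprint, Services, Status, NotAfter
```

A missing private key at the first check usually means the CSR was generated on a different server, so the certificate cannot be bound here until it is exported from that server together with its key.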

 

Exporting to your ISA Server (VERY IMPORTANT)

When exporting your certificate, make sure to include all certificates in the certification chain when prompted. Otherwise, your certificate will not work properly.

If you are currently using an ISA (Internet Security and Acceleration) server in front of your Exchange server, or need to export your SSL certificate to any other Microsoft server type, see the Export Your SSL Certificate Using the DigiCert Certificate Utility (PFX Format and PEM Format) instructions for a step-by-step walkthrough.