Solution ID : SO24538

Last Modified : 05/02/2018

How to import an SSL certificate (.pfx) into a Microsoft Exchange 2010 server?

Problem

Import an SSL certificate backup (.pfx) into a Microsoft Exchange 2010 server

Solution

There are two methods to import an SSL certificate backup (.pfx) into Exchange 2010.

Method 1: Using Microsoft Management Console (MMC)

Step 1: Create an MMC Snap-in for Managing Certificates:

  1. From the Web server, click Start > Run
  2. In the text box, type mmc
  3. Click OK
  4. From the MMC menu bar, select File > Add/Remove Snap-in
  5. Click Add
  6. From the list of snap-ins, select Certificates
  7. Click Add
  8. Select Computer account
  9. Click Next
  10. Select Local computer (the computer this console is running on)
  11. Click Finish
  12. In the snap-in list window, click Close
  13. In the Add/Remove Snap-in window, click OK

Step 2: Import an SSL certificate backup (.pfx) into Microsoft Management Console (MMC):

  1. Open the MMC.
  2. On the left pane, click Certificates.
  3. On the right pane, double-click Personal.
  4. On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard). Click Next.
  5. Browse to the .pfx that you want to import and click Next.
  6. Enter the password used to secure the certificate for export and then click OK.
  7. To be able to export the certificate again from this computer later, select Mark the key as exportable.
  8. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place. Problems may occur if a certificate is placed in the wrong store.) Click Next.
  9. Click Finish. A message confirms successful import. Click OK.
     

Step 3: Assign SSL certificate to Exchange Server 2010 Services:

  1. Launch the Exchange Management Console
  2. Navigate to Server Management, and select the server that has the certificate installed
  3. Right-click the SSL certificate you wish to assign and choose Assign Services to Certificate
  4. Click Next to continue the wizard
  5. Choose the services you wish to assign to the certificate (e.g., Internet Message Access Protocol, Post Office Protocol, Simple Mail Transfer Protocol, Internet Information Services and Unified Messaging) and click Next
  6. Click Assign to execute the change
  7. When the task has completed successfully, click Finish to close the wizard

Method 2: Using Command Line

Import-ExchangeCertificate -Instance <String[]> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

Note: The parameters are explained below.

Instance: The Instance parameter specifies whether to pass a whole object to the command to be processed. This parameter is mainly used in scripts where a whole object must be passed to the command.
Confirm: The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.
DomainController: The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory. The DomainController parameter isn't supported on the Edge Transport server role. The Edge Transport server role writes only to the Active Directory Lightweight Directory Services (AD LDS) instance.
WhatIf: The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.
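
A worked command-line import followed by the service assignment from Step 3, added here as an example and not taken from the original article. It uses the cmdlet's -FileData parameter set (reading the .pfx as bytes) rather than the -Instance syntax shown above; the file path and the list of services are assumed values.

```powershell
# Added example; run in the Exchange Management Shell on the target server.
# Assumed values (not from the article): the PFX path and the service list.
$PfxPath  = 'C:\certs\mail-backup.pfx'     # hypothetical path to the .pfx backup
$Services = 'IIS', 'SMTP', 'IMAP', 'POP'   # services to assign; adjust as needed

if (-not (Test-Path -Path $PfxPath)) { throw "PFX file not found: $PfxPath" }

# Prompt for the PFX password so it is never stored in the script or history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -FileData expects the raw bytes of the file.
$FileData = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)

# Dry run: report what would happen without applying any change.
Import-ExchangeCertificate -FileData $FileData -Password $PfxPassword -WhatIf

# Real import. The private key stays non-exportable unless this server must
# later produce another .pfx backup (the "exportable" choice in Method 1).
$Cert = Import-ExchangeCertificate -FileData $FileData -Password $PfxPassword `
    -PrivateKeyExportable $false

# Confirm the key pair arrived intact before any service depends on it.
$Check = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Check | Format-List Thumbprint, Subject, CertificateDomains, NotAfter,
    HasPrivateKey, Status, Services
if (-not $Check.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($Check.NotAfter -lt (Get-Date)) { throw 'Imported certificate has expired.' }

# Command-line equivalent of Step 3: assign the services to the certificate.
Enable-ExchangeCertificate -Thumbprint $Check.Thumbprint -Services $Services

# Show the resulting service assignments for every certificate on the server.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter -AutoSize
```

Once the import is verified, move the .pfx file to protected storage or delete it from the server, because it contains the private key.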