

Install a certificate for Exchange 2007

1- Preparation

To install the certificate in Exchange 2007, run the Import-ExchangeCertificate cmdlet in Exchange PowerShell. Do not use the MMC!

You need to install the .p7b file so that the entire certification chain is installed, not only the final certificate. It is the "installation overall file" of the delivery email. It is also available on your status page in the "See the certificate" section (PKCS7 format).

2- Importation

Import-ExchangeCertificate -Path c:\p7-0123456789-12345.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
Should the command fail because of an unknown "-Path" argument, try the following command:
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\p7-xxxxxxxxx-yyyy.p7b -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
See also:
To use Exchange 2007 with ISA 2006, see here:
http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

In Exchange: manual activation of an already installed certificate

If the import fails with an error such as:
Import-ExchangeCertificate: Cannot import as there already is a certificate with a thumbprint of 12FD5C3DC91B159DDE7F8T14713789B7906E0C63
or if you imported the certificate manually via the MMC, you will have to activate the certificate and link the Exchange services to it:

  • Get the "Thumbprint" number of your certificate with the command:
    Get-ExchangeCertificate -DomainName "mymaindomain.com"
    Copy/paste the "Thumbprint" number.

    If you see your certificate's name several times, add " | fl " at the end of the command and find the last certificate by comparing their expiration dates or their serial numbers (your certificate's serial number is available on its status page).
    Get-ExchangeCertificate -DomainName "mymaindomain.com" | fl


  • Then activate your certificate:
    Enable-ExchangeCertificate
    
    cmdlet Get-Credential at command pipeline position 1
    Supply values for the following parameters:
    Services: SMTP,IIS,IMAP,POP
    Thumbprint: CE20B70F780CDFD72878F5496931F1A8AF1798A2
    
     
    
    Confirm
    Overwrite existing default SMTP certificate, 
    
    '43B7977C504C7A84422CB815065E1DE34D52CBD3' (expires 12/04/2015 12:42:43)
    
    with certificate,
    'CE20B70F780CDFD72878F5496931F1A8AF1798A2' (expires 21/05/2012 01:59:59)
    
    [Y] Yes  [A] Yes to All [N] No  [L] No to All [S] Suspend [?] Help (default is " Y "): Y
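
The manual activation above can also be scripted. The following is an added example, not part of the original procedure: it selects the certificate by the serial number from its status page, refuses to enable it if the server holds no private key for it or if it is outside its validity period, and otherwise enables it for the same services. The domain is this page's placeholder and the serial number is a constructed sample value.

```powershell
# Added example for the Exchange PowerShell console; not part of the original procedure.
# Assumptions: the domain is this page's placeholder, and $serial is a constructed
# placeholder to be replaced with the serial number shown on the certificate's status page.
$domain   = "mymaindomain.com"
$serial   = "00 AA BB CC DD EE FF 11 22"        # constructed sample value
$services = "SMTP,IIS,IMAP,POP"

# Normalise the serial: the store reports hex without separators, in upper case.
$wanted = ($serial -replace '[^0-9A-Fa-f]', '').ToUpper().TrimStart('0')

# Every certificate Exchange holds for the domain, shown so duplicates can be compared.
$all = @(Get-ExchangeCertificate -DomainName $domain)
$all | Format-Table Thumbprint, SerialNumber, NotAfter, HasPrivateKey, Services -AutoSize | Out-Host

# Select the certificate by serial number rather than by name or position in the list.
$match = @($all | Where-Object { $_.SerialNumber.TrimStart('0') -eq $wanted })
$now   = Get-Date

if ($match.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with serial $wanted, found $($match.Count)."
}
elseif (-not $match[0].HasPrivateKey) {
    # Typical after importing a .p7b on a server that does not hold the matching private key.
    Write-Warning "Certificate $($match[0].Thumbprint) has no private key; not enabling it."
}
elseif ($match[0].NotBefore -gt $now -or $match[0].NotAfter -lt $now) {
    Write-Warning "Certificate $($match[0].Thumbprint) is outside its validity period."
}
else {
    # Same activation as the interactive prompt, with the values passed as parameters.
    Enable-ExchangeCertificate -Thumbprint $match[0].Thumbprint -Services $services
}
```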
    

3 - Import a PFX directly

Here is the syntax to use to import a PFX, especially if you used Keybot while ordering your certificate:

Import-ExchangeCertificate -path c:\yourcertificate.pfx -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "IIS,SMTP,POP,IMAP"

Please note: the interface requires a username and a password:

  • username = toto
  • password = the PFX password

Then you'll have to go through the manual activation procedure described above.

If the command fails on parameter -Path, you can try the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password | Enable-ExchangeCertificate -Services "IIS,SMTP,POP,IMAP"

Please note: the interface requires a username and a password:

  • username = toto
  • password = the PFX password

Error importing a certificate because of a pre-existing one

If you receive an error message saying it is impossible to import a pfx because a certificate with the same thumbprint already exists, it is possible that you tried to install a p7b file while your server didn't have the corresponding private key. To solve this problem, read our documentation about how to delete a certificate on Windows Server.

4 - Export a PFX from Exchange

To generate a pfx, you can search for the certificate either by domain or by thumbprint. Enter one of the two following commands:
$file = Get-ExchangeCertificate -DomainName your.domaine.com | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Get-Credential).password

OR

$file = Export-ExchangeCertificate -Thumbprint YOUR_THUMBPRINT -BinaryEncoded:$true -Password (Get-Credential).password
Once the certificate has been loaded with this command, you can write it into a file with the following command:
Set-Content -Path "c:\your-certificat.pfx" -Value $file.FileData -Encoding Byte
You can also use our certificate exportation procedure via MMC, available here: "Create a certificate back-up".
