

Install a certificate for Microsoft Exchange 2010 and above

Please note: since March 2020, the TLS 1.2 protocol is mandatory: More information

1 - Preparation

To install a certificate in Exchange 2010/2013/2016/2019, the procedure depends on how you created the certificate request (CSR):

  • You used the Microsoft Exchange wizard: you have to run the Import-ExchangeCertificate cmdlet.

  • You used the Exchange Shell: you have to run the Import-ExchangeCertificate cmdlet (and not use the MMC!).

  • You used our online tool Keybot: you need to generate a certificate in PFX format ("Generate PFX/PEM" button on the status page of your certificate).

In the first two cases, you must import the certificate and the entire chain (format .p7b), not just the final certificate. This file is offered to you as a "global installation file" in the delivery email and is available on your status page, under "View the certificate", and "View the certificate in PKCS7 format".

2 - Importing the certificate

a) Import via the shell

To import a certificate in .p7b format, use the following syntax:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "\\path\to\certificate.p7b" -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

Import a PFX file (PKCS#12) with the password on the command line:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\path\to\certificate.pfx -Encoding byte -ReadCount 0)) -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

For the example above:
'P@ssw0rd1': type the password defined when creating the PFX

Please note: your certificate may still not be installed after this command has run. In that case, follow the manual activation process described below:
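The two import commands above type the PFX password in clear on the command line, where it stays in the shell history and in any transcript. The following script is an added example, not TBS's own code: it reads either a .p7b or a .pfx from the Exchange Management Shell, prompts for the PFX password as a SecureString, and checks that the imported certificate actually carries a private key before you go on to bind services to it. The file path and the use of the local server name are assumptions.

```powershell
# Added example (not TBS's code): import a .p7b or .pfx into Exchange from the
# Exchange Management Shell without putting the PFX password on the command line.
$Path   = 'C:\certs\certificate.pfx'   # assumed path; use the .p7b when the key already exists on this server
$Server = $env:COMPUTERNAME            # assumed: we import on the local Exchange server

# Read the file as raw bytes (same effect as Get-Content -Encoding Byte -ReadCount 0)
$bytes = [System.IO.File]::ReadAllBytes($Path)

if ($Path -like '*.pfx') {
    # Prompt for the PFX password as a SecureString so it is neither echoed nor
    # written to the PowerShell history.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert = Import-ExchangeCertificate -Server $Server -FileData $bytes -Password $pfxPassword
} else {
    # .p7b: leaf certificate plus chain; Exchange matches it against the private key
    # generated with the CSR on this server.
    $cert = Import-ExchangeCertificate -Server $Server -FileData $bytes
}

# Sanity checks before touching any service bindings
if (-not $cert.HasPrivateKey) {
    throw "Imported $($cert.Thumbprint) but no private key is associated with it; Enable-ExchangeCertificate would fail with PrivateKeyMissing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Imported certificate $($cert.Thumbprint) is already expired ($($cert.NotAfter))."
}

# Summary line: thumbprint, subject, expiry and Exchange's own validity status
"{0}  {1}  expires {2:yyyy-MM-dd}  status {3}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.Status
```

The script deliberately stops after the import: binding the services with Enable-ExchangeCertificate is a separate step, and the thumbprint printed on the last line is the value that step needs.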

In Exchange: manual activation of an already installed certificate

In the event of an import error, or after a manual import of the certificate alone through the MMC for example, you will need to activate the new certificate and associate the Exchange services with it:

  • 1) Get the "Thumbprint" of your certificate with the command:

    Get-ExchangeCertificate -DomainName "mondomainprincipal.fr"

    Copy / paste the "Thumbprint" value.
    If you see your certificate's name several times, add " | fl " at the end of the command and find the most recent certificate by comparing their expiration dates or their serial numbers (your certificate's serial number is available on its status page).

    Get-ExchangeCertificate -DomainName "mymaindomain.com" | fl


  • 1 - bis) Find the "Thumbprint" via the MMC:

    Run: MMC
    - Add/Remove Snap-in
    - Certificates: Add
    - Computer account: Next
    - Local computer: Finish

    In "Certificates" >> "Personal", select your certificate

    Right click - Details tab
    Find the field named "Thumbprint"
    Copy and paste it (without spaces)

  • 2) Then activate your certificate:

    Enable-ExchangeCertificate

    cmdlet Enable-ExchangeCertificate at command pipeline position 1
    Supply values for the following parameters:
    Services: SMTP,IIS,IMAP,POP
    Thumbprint: CE20B70F780CDFD72878F5496931F1A8AF1798A2

    The confirmation prompt that follows was captured on a French-language server: it asks whether to replace the existing default SMTP certificate, and "t" answers yes to all.

    Confirmer
    Remplacer le certificat SMTP par défaut existant ?

    Certificat actuel : '43B7977C504C7A84422CB815065E1DE34D52CBD3' (expiration 12/04/2015 12:42:43)

    Le remplacer par le certificat : 'CE20B70F780CDFD72878F5496931F1A8AF1798A2' (expiration 21/05/2016 01:59:59)

    [O] Oui  [T] Oui pour tout  [N] Non  [U] Non pour tout  [?] Aide (la valeur par défaut est " O ") : t
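Steps 1) and 2) above are done by hand: list the certificates for the domain, pick the right thumbprint, answer the replacement prompt. The script below is an added example, not TBS's own code, that performs the same procedure in one go: it keeps only certificates that have a private key and are not self-signed, takes the one with the latest expiry, binds the services to it with -Force (which answers the prompt shown above), and reads the certificate back to confirm the binding. The domain name and the service list are assumptions.

```powershell
# Added example (not TBS's code): select the newest usable certificate for a domain,
# bind the Exchange services to it and verify the result.
$Domain   = 'mymaindomain.com'       # assumed domain name
$Services = 'SMTP,IIS,IMAP,POP'      # assumed service list, same as in the transcript above

# @() keeps the result an array even when a single certificate is returned
$candidates = @(Get-ExchangeCertificate -DomainName $Domain |
    Where-Object { $_.HasPrivateKey -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending)

if ($candidates.Count -eq 0) {
    throw "No certificate with a private key was found for $Domain on this server."
}

# Show what we are choosing between; the serial number can be compared with the status page
$candidates | Format-Table Thumbprint, SerialNumber, NotAfter, Services -AutoSize

$new = $candidates[0]
if ($new.NotAfter -lt (Get-Date)) {
    throw "The newest certificate for $Domain ($($new.Thumbprint)) is already expired."
}

# -Force suppresses the "replace the existing default SMTP certificate?" prompt
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $Services -Force

# Verify: the requested services must now appear on the new certificate
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
"Certificate $($check.Thumbprint) (expires $($check.NotAfter)) now serves: $($check.Services)"
```

Run it once without the Enable-ExchangeCertificate line to review the table it prints; the script only binds services if the chosen certificate has a private key and has not expired, which are the two conditions that make Enable-ExchangeCertificate fail.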

Error importing a certificate because of a pre-existing one

If you receive an error message saying that it is impossible to import a PFX because a certificate with the same thumbprint already exists, it is possible that you tried to install a .p7b file while your server did not have the corresponding private key. To solve this problem, read our documentation about how to delete a certificate on Windows Server.

3 - Build a PFX from Exchange (2010 and later)

To generate a PFX, you can search for the certificate either by domain or by thumbprint. Enter one of the two following commands:

$file = Get-ExchangeCertificate -DomainName your.domain.com | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Get-Credential).password

OR

$file = Export-ExchangeCertificate -Thumbprint YOUR_THUMBPRINT -BinaryEncoded:$true -Password (Get-Credential).password

Once the certificate has been loaded into $file with one of these commands, write it to a file with:

Set-Content -Path "c:\your-certificate.pfx" -Value $file.FileData -Encoding Byte
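The PFX produced here contains the private key, so where it lands and who can read it matters as much as the password on it. The script below is an added example, not TBS's own code: it exports by thumbprint, prompts for the password, writes the bytes with .NET (Set-Content -Encoding Byte only exists in Windows PowerShell), restricts the file's ACL to SYSTEM and Administrators, and re-opens the PFX with the password to confirm it is readable. The thumbprint and output path are assumptions.

```powershell
# Added example (not TBS's code): export a certificate and its private key to a
# PFX, protect the file, and confirm it can be opened with the chosen password.
$Thumbprint = 'YOUR_THUMBPRINT'                # assumed: thumbprint from Get-ExchangeCertificate
$OutFile    = 'C:\backup\your-certificate.pfx' # assumed output path

# Password for the PFX, prompted as a SecureString (never on the command line)
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString

$export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true -Password $password

# Create the folder if needed and write the raw PKCS#12 bytes
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
[System.IO.File]::WriteAllBytes($OutFile, $export.FileData)

# Tighten permissions: drop inherited ACEs, grant only SYSTEM and Administrators
$acl = Get-Acl -Path $OutFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $OutFile -AclObject $acl

# Read the PFX back with the password: proves the file is intact and the password is right.
# Nothing is imported into a store; Reset() releases the temporary key handle.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $password)
"Exported {0}, expires {1:yyyy-MM-dd}, private key present: {2}, {3} bytes" -f `
    $check.Thumbprint, $check.NotAfter, $check.HasPrivateKey, (Get-Item $OutFile).Length
$check.Reset()
```

Use the ACL step whenever the backup sits on a shared location; a PFX readable by every domain user is equivalent to publishing the private key.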

You can also use our certificate exportation procedure via MMC available here: "Create a certificate back-up".

Common issue: "revocation check failed"

This happens because Exchange checks the CRL during certificate import. If the component it uses for that (WinHTTP) cannot reach the web, the operation fails.

Troubleshooting: see our FAQ about OCSP protocol support

Common issue: The Certificate is Invalid for Exchange Server Usage

This generally comes from installing a certificate without its certification chain (.cer) through the GUI. We recommend using PowerShell and installing our .p7b file.

In that situation, the best way to solve the issue is to request a certificate reissuance and to follow our PowerShell instructions.

You can also try to install the missing chain manually.
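The two issues above ("revocation check failed" and "invalid for Exchange Server usage") come from the same place: Windows CryptoAPI building the chain and fetching revocation data for the certificate. The script below is an added example, not TBS's own code, that reproduces that check for a certificate already in the machine store so you can see which intermediate is missing or which CRL/OCSP download fails, and shows the WinHTTP proxy that Exchange, unlike a browser, uses for those downloads. The thumbprint is an assumption.

```powershell
# Added example (not TBS's code): diagnose chain building and revocation fetching
# for a certificate in LocalMachine\My, the way Exchange validates it on import.
$Thumbprint = 'YOUR_THUMBPRINT'   # assumed: thumbprint of the certificate to check

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 1) Build the chain with online revocation checking. A missing intermediate shows up
#    as PartialChain / UntrustedRoot; an unreachable CRL as RevocationStatusUnknown or
#    OfflineRevocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$built = $chain.Build($cert)
"Chain builds cleanly: $built"
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'NoError' }
    "  {0,-70} {1}" -f $element.Certificate.Subject, $status
}
foreach ($st in $chain.ChainStatus) {
    "  chain status: $($st.Status) - $($st.StatusInformation.Trim())"
}

# 2) CryptoAPI downloads CRLs/OCSP responses through WinHTTP, so the proxy that counts
#    is this one, not the user's Internet Explorer/Edge proxy.
netsh winhttp show proxy

# 3) certutil walks the same CryptoAPI path and prints every CRL/OCSP URL it tries,
#    with the result of each download. Export the public certificate to a temp file for it.
$tmp = Join-Path $env:TEMP "$Thumbprint.cer"
[System.IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
certutil -verify -urlfetch $tmp
Remove-Item $tmp
```

If step 1 reports PartialChain, install the missing intermediate (the .p7b carries it); if it reports RevocationStatusUnknown or OfflineRevocation while step 2 shows a proxy the server cannot use, the WinHTTP proxy configuration is what to fix, not the certificate.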

Uncommon problem: Private key missing

When you try to activate a certificate via the Powershell Exchange console, you encounter this type of message:

    Enable-ExchangeCertificate : 
    The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
    (reason: PrivateKeyMissing).

This is because Microsoft Exchange fails to link your certificate to the private key stored in the registry.

You can attempt a repair with the following command (run from a command prompt):

    certutil -repairstore my "Certificate serial number"

(To get the serial number, go to the status page of the certificate at TBS.)

Once the command has been executed, try again to activate your certificate with the "Enable-ExchangeCertificate" cmdlet.
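The serial number certutil needs can also be read from the machine store itself, which avoids copy-and-paste mistakes and lets you check before and after whether the key association exists. The script below is an added example, not TBS's own code: it looks the certificate up by thumbprint, runs certutil -repairstore only when the private key is actually missing, re-reads the store and then shows Exchange's view of the certificate. The thumbprint is an assumption.

```powershell
# Added example (not TBS's code): repair the certificate-to-private-key association
# for the PrivateKeyMissing case and verify the result before enabling the certificate.
$Thumbprint = 'YOUR_THUMBPRINT'   # assumed: thumbprint from the Enable-ExchangeCertificate error

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

"Before repair: HasPrivateKey = $($cert.HasPrivateKey), serial number $($cert.SerialNumber)"

if (-not $cert.HasPrivateKey) {
    # certutil -repairstore re-links the certificate to a key container that exists on
    # this machine but is not associated with it (typical after a GUI import of the leaf
    # certificate alone). It cannot recreate a key that was never generated here.
    certutil -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }
}

# Re-read the store: the object already in $cert is not refreshed automatically
$after = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
"After repair:  HasPrivateKey = $($after.HasPrivateKey)"

if ($after.HasPrivateKey) {
    # Exchange's own view of the certificate, as Enable-ExchangeCertificate will see it
    Get-ExchangeCertificate -Thumbprint $Thumbprint | Format-List Thumbprint, Subject, Services, Status, HasPrivateKey
} else {
    "No key container on this server matches this certificate: the CSR was generated elsewhere or the key was deleted. A reissue with a new CSR from this server is the only fix."
}
```

Run the script from an elevated Exchange Management Shell: certutil -repairstore on the machine store needs administrative rights, and a non-elevated run fails silently in the sense that HasPrivateKey simply stays false.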

Check your certificate installation with Co-Pibot:

On your certificate status page, in your customer area at TBS INTERNET, you will find a "Test the installation" button that checks the correct installation of your certificate.