Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range

Install a certificate for Microsoft Exchange 2010/2013/2016/2019

1- Preparation

To install a certificate in Exchange 2010/2013/2016/2019:
  • If you used the helper to generate your certificate request, use the helper to import it (in the Exchange Management Console, at the Server Organization root, choose Import Exchange Certificate.)
  • If you used the Shell Exchange, launch the cmdlet Import-ExchangeCertificate (do not use the MMC!)
In both cases you need to import the .cer, .crt, .der, .p12 ou .pfx or the file to install the certificate and its entire chain (not only the end certificate). This file is proposed as an "installation global file" in the delivery e-mail. It is also available on your status page, "see the certificate" button in PKCS7 format.

  • Or import directly a file .p7b

2- Importation through the shell

To import a binary certificate file (PKCS #12 .cer, .crt, .der, .p12 or .pfx files), use the following syntaxe:

Legacy syntax (unavailable on most installs):

Import-ExchangeCertificate -Path c:\p7-0123456789-12345.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

Should the command fail because of an unknown "-Path" argument, try the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\p7-xxxxxxxxx-yyyy.p7b -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

Import PFX file (#PKCS12) with the password in the commande line :

Import-ExchangeCertificate -FileName "\\FileServer01\Data\XXXXXXXX.pfx" -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

"XXXXXXXX.pfx" : PFX file name (or .p12)
'P@ssw0rd1': indicate the password defined during the CSR generation

Please note: Your certificate may not be installed even after the execution of this command. In that case, you should follow the manual activation process described below:

In Exchange: manual activation of an already installed certificate

Should an error of importation occur, or after a manual importation of the certificate via the MMC, you will have to activate and link the Exchange services to your new certificate:

  • 1) Get the "Thumbprint" number of your certificate with the command:
  • Get-ExchangeCertificate -DomainName ""
    Copy/paste the "Thumbprint" number

    If you see your certificate's name several times, add " | fl " at the end of the command and find the last certificate by comparing their expiration date or their serial number (your certificate's serial number is available on it's status page).
    Get-ExchangeCertificate -DomainName "" | fl

  • 1 - bis) Find the "Thumbprint" number via the MMC :
  • Open the MMC and select your new certificate :

    Run : MMC 
    - Add/Remove Snap in
    - Certificates : Add 
    - Computer Account : Next
    - Local Computer : Finish
    In "certificates" >> "personal" select your certificate
    Right click - Detail information
    Find the field named"Thumprint"
    Copy and paste (without spaces)

  • 2) Then activate your certificate:
  • Enable-ExchangeCertificate
    cmdlet Enable-ExchangeCertificate at command pipeline position 1
    Supply values for the following parameters:
    Services: SMTP,IIS,IMAP,POP
    Thumbprint: CE20B70F780CDFD72878F5496931F1A8AF1798A2
    Overwrite existing default SMTP certificate,
    '43B7977C504C7A84422CB815065E1DE34D52CBD3' (expires 12/04/2015 12:42:43)
    with certificate,
    'CE20B70F780CDFD72878F5496931F1A8AF1798A2' (expires 21/05/2012 01:59:59)?
    [Y] Yes  [A] Yes to All [N] No  [L] No to All [S] Suspend [?] Help (default is " Y "): Y

To import a .P7B file use the following syntax:

Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Encoding Byte -Path "\\FileServer01\Data\Chain of Certificates.p7b" -ReadCount 0))]

Error importing a certificate because of a pre-existing one

If you receive an error message saying it is impossible to import a pfx because a certificate with the same thumbprint,it is possible that you've tried to install a p7b file while your server didn't have the corresponding private key. To solve this problem, read our documentation about how to delete a certificate on Windows Server.

4 - Generate a PFX from Exchange 2010 / 2013 / 2016

To generate a pfx, you can either search the certificate by domain, or by thumbprint. Enter one of the two following commands:
$file = Get-ExchangeCertificate -DomainName | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Get-Credential).password


$file = Export-ExchangeCertificate -Thumbprint YOUR_THUMBPRINT -BinaryEncoded:$true -Password (Get-Credential).password
Once the certificate has been loaded with this command, you can write it into a file with the following command:
Set-Content -Path “c:\your-certificat.pfx” -Value $file.FileData -Encoding Byte
You can also use our certificate exportation procedure via MMC available here: "Create a certificate back-up".

Common issue:
"revocation check failed"

This issue is caused by Exchange that wants to check the CRL during the certificate importation. If its tool (using WinHTTP) can't access the web, the operation fails.

Troubleshoot: See our FAQ about OCSP protocol support

Common issue: The Certificate is Invalid for Exchange Server Usage

You probably have install the certificate without its certification chain (.cer) via the GUI interface. We advise to use the powershell to install our .p7b file.

In that situation, the better way to solve the issue is to request a certificate reissuance and to follow our instructions with the powershell.

You can also try to install the missing chain manually.

Check your certificate installation with Co-Pibot:

On your certificate status page, click on the button "Check your certificate" to make sure your certificate has been correctly installed.