How to Export/Import SSL Certificates in Exchange Server 2016

If you have multiple Exchange servers, each one should have a valid 3rd party SSL certificate. There is no need however, to purchase different certificates for each exchange server. You can install the same certificate across all exchange servers.

First, you must purchase and install an SSL/TLS certificate on one exchange server. You can then export that certificate and import it to your remaining servers.

This tutorial will guide you through all the steps to export and import SSL/TLS certificates in Exchange Server 2016. You can also use this guide for exchange server 2013.

Exporting an SSL Certificate from Exchange Server 2016

You can export SSL certificates for Exchange Server 2016 from exchange servers using either the Exchange Admin Center (EAC) or the Exchange Management Shell (EMS). The exported certificate is stored as a password-protected binary PKCS #12 file containing the certificate’s private key. It is a suitable backup and it can also be imported to other servers, clients or devices.

Steps for using EAC to export an SSL Certificate

  1. Log on to the Exchange Admin Center (EAC).
  2. In the EAC, navigate to Servers on the features pane on the left and click on certificates at the top of the page.
  3. On the Certificates page, select the Exchange server on which the certificate is already installed, from the select server drop-down list. In the image below, the selected server is EX16-01.
  4. At this point, you should see a list of certificates installed on the selected exchange server. From the list, select the digital certificate installed for exchange services.
  5. With the certificate selected, click on (…) More options and select the Export Exchange Certificate option on the drop down menu.In the image below,the selected certificate is exchangeserver
  6. The Export Exchange Certificate wizardshouldpop up. The next step is to specify a path for the export. Since the certificate must be stored in a shared folder, make sure you create a shared folder before you proceed.
  7. Enter the following information in the wizard:
  • The file to export to – Enter the UNC path of the shared folder you have created and the filename of the certificate file you are exporting. Binary certificate files can have .crt, .cer, .p12, .der or .pfx filename extensions. In the image below, the server is EX16-01. Example:\\EX16-01\\folder\MyCertificate.PFX.
  • Password -Specify a strong password.

Click OK to complete the export wizard.

  1. To view the certificate, you can browse the shared folder that you have saved it.

Steps for using Exchange Management Shell (EMS) to export an SSL Certificate
Using the Exchange Management Shell is more involving.

  1. Run the Get-ExchangeCertificatecommandto list all your thumbprints. You can add the –Server parameter if you were not on the server when you completed the original certificate request. For example: C:\> Get-ExchangeCertificate –<ServerIdentity>
  1. Now that you have your thumbprint, run Export-ExchangeCertificate.

Example: Export-ExchangeCertificate -Thumbprint <Thumbprint> -FileName “<FilePathOrUNCPath>\<FileName>.pfx” -BinaryEncoded -Password (ConvertTo-SecureString -String ‘<Password>‘ -AsPlainText -Force) [-Server <ServerIdentity>]

  • FileName – accepts a UNC path or a local path
  • Thumbprint – This specifies the thumbprint (the digest of the certificate data) of the certificate you are exporting.
  • BinaryEncoded – This specifies how the exported file is encoded. A Base64 encoded file is created by default but using a $true command specifies DER encoding.
  • Password –This specifies the password for the private key to protect the file.
  1. Use the Set-Content command to export the data into a file. Example: C :\> Set-Content –Path “\\server\folder\MyCertificate.PFX” –Value $file.FileData –Encoding Byte

After exporting your certificate, you can now move on to importing it to another server.

Importing an SSL Certificate from Exchange Server 2016

Steps for using Exchange Admin Center (EAC) to import an SSL Certificate

  1. Go to another Exchange Server. In the EAC, navigate to Servers on the features pane on the left and click on certificatesat the top of the page.
  2. On the Certificates page, select the Exchange server where you want to install the certificate.
  3. With the exchange server selected, click on (…) Moreoptionsand select theImport Exchange Certificateoption on the drop down menu.
  4. The Import Exchange Certificate wizardshould pop up. Enterthe following information:
  • The file to import from – Enter theUNC path to the PFX file you created earlier and the filename of the certificate file. In our example above, we had saved this file to a shared folder\\Ex16-01\folder\MyCertificate.PFX.
  • Password – Enter the password you had specified.

Click Next when you are finished.

  1. Specify the server(s) to which you want to import the certificate by clicking on the Add + The select a server page should open. From the drop-down list, select the exchange server(s) where you want to apply the certificate and clickAdd. After you have added the server(s), click OK to proceed.
  2. After you have specified the server(s) to which you want to import the certificate, click on Finish to complete the import.
  3. Once you have installed the certificate on the server, you need to assign one or more Exchange Services to the certificate. Double-click the certificate and select Check the boxes beside each service you want to specify the certificate to and click Save. If a pop up appears warning that this will replace the current certificate, click Yesto proceed.

B. Steps for using Exchange Management Shell (EMS) to import an SSL Certificate

To import with the Exchange Management Shell, you will have to use the Import-ExchangeCertificatecommand.

To import a binary certificate file, use: Import-ExchangeCertificate –Filename “<FilepathorUNCpath>\<FileName>” –password (convertTo-SecureString –String ‘<password>’ –AsPlainText -Force) [-privatekeyExportable<$true | $false>] [-Server <serverIdentity>]

To import a chain of certificates file associated with a certificate, use:  Import-ExchangeCertificate –FileData ([Byte[ ] ] $ (Get-Content –Path \\server\folder\MyCertificate.PFX -Encoding byte -ReadCount 0)) –Password: (Get-Credential) .password

  • FileDatais meant to call the Get-Content
  • Path is supposed to specify the location of the PFX file
  • Password is supposed to specify the password to open the file

How do you verify the successful importation of a certificate on an Exchange Server?

You can use either of the following procedures to verify that you have successfully imported a certificate on an exchange server:

  • In the EAC, navigate Servers>Certificates. Your certificate should be displayed as Valid in the status column.
  • In the Exchange Management Shell, run the following command on the server where you installed the certificate: Get-ExchaneCertificate | where {$_.Status –eq “Valid”} | Format-List Friendlyname, Subject,CerificateDomains, Thumbprint, NotBefore, NotAfter

Leave a Reply

CommentLuv badge