Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-30

Use the Enable-ExchangeCertificate cmdlet to enable an existing certificate in the local certificate store for Exchange services such as Internet Information Services (IIS), SMTP, POP, IMAP, and Unified Messaging (UM).

There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Understanding TLS Certificates.

Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.

Don't use the Enable-ExchangeCertificate cmdlet to enable a certificate for federation. Certificates used for federation trusts are managed by using the New-FederationTrust and Set-FederationTrust cmdlets.


Enable-ExchangeCertificate -Thumbprint <String> -Services <None | IMAP | POP | UM | IIS | SMTP | Federation> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-DoNotRequireSsl <SwitchParameter>] [-Force <SwitchParameter>] [-NetworkServiceAllowed <SwitchParameter>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

Detailed Description

The Enable-ExchangeCertificate cmdlet enables certificates by updating the metadata stored with the certificate. To enable an existing certificate to work with additional Exchange services, use the Enable-ExchangeCertificate cmdlet and specify the additional services.

The Enable-ExchangeCertificate cmdlet is additive. When you specify a subset of services for which a certificate is enabled, the services that aren't specified aren't removed from the Services property. If you don't want to use an existing enabled certificate for Exchange services, you must enable another certificate, and then remove the certificate you don't want to use.

Different services have different certificate requirements. For example, some services may only require a server name in the Subject Name or Subject Alternative Name fields of a certificate, whereas other services may require an FQDN. Make sure that the certificate name can support the uses required by the services you enable it for.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell Infrastructure Permissions topic.


Parameter Required Type Description




The Services parameter specifies the services that use the certificate. Valid entries include one or more of the following:

  • IIS

  • IMAP

  • POP

  • SMTP

  • UM

  • Federation

  • None

To enable a certificate for multiple services, separate each value by using a comma. For example: -Services IMAP,POP,IIS

You can't use the Enable-ExchangeCertificate cmdlet to enable a certificate for federation. Creating or modifying a federation trust enables or modifies the manner in which certificates are used for federation.




The Thumbprint parameter specifies the certificate that you're enabling. Each certificate contains a thumbprint, which is the digest of the certificate data. To view the thumbprint of a certificate, use the Get-ExchangeCertificate cmdlet.




The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory. The DomainController parameter isn't supported on the Edge Transport server role. The Edge Transport server role writes only to the Active Directory Lightweight Directory Services (AD LDS) instance.




The DoNotRequireSsl switch specifies whether to leave IIS settings unchanged when IIS is one of the enabled services. If IIS is one of the enabled services, the cmdlet changes the default Web site settings to require SSL. Set the DoNotRequireSSL switch to $true to override this behavior and leave IIS settings unchanged.




The Force switch specifies whether to override the confirmation prompt and set the new certificate as the default certificate for TLS for internal SMTP communication. By default, when you enable a certificate for SMTP, the command prompts for confirmation.




The NetworkServiceAllowed switch specifies that the Network Service be allowed permissions to access the certificate specified, without enabling the certificate for SMTP.




The Server parameter specifies the server name on which you want to enable the certificate.




The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.



This example enables a certificate for POP, IMAP, SMTP, and IIS services.

Copy Code
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services POP,IMAP,SMTP,IIS