Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-08-25

Microsoft Exchange Server 2010 creates a self-signed certificate during installation that uses all the server and domain names that are known to it at the time of installation. However, you can also use certificates that are signed by a Certification Authority (CA). After you have sent the certificate request to a CA, the CA issues a certificate or chain of certificates. In both cases, the certificates are delivered as files that you must install with the Import-ExchangeCertificate cmdlet.

Do not use the Certificate Manager snap-in to import certificates for any service on an Exchange server. Imports made with the snap-in fail on Exchange servers, and as a result TLS and other Exchange certificate services will not work.

Looking for other management tasks related to certificates? Check out Certificates.


Use the Shell to install certificates issued by a CA

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Certificate management" entry in the Transport Permissions topic.

You can't use the EMC to install certificates issued by a CA.

You use the Import-ExchangeCertificate cmdlet to install a certificate issued by your CA. The following example shows how to import and enable a certificate for SMTP TLS:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\newcert.cer -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services SMTP

The following example shows how to import a certificate and enable it for a Client Access server that supports POP3 clients.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\newcert.p7b -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS,POP
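
A pre-import check wrapped around the SMTP example above, as an added example that is not part of the original topic: it reads the validity dates, subject and subject alternative names from the file, then imports, enables and confirms the result. The file path is the sample path used on this page; which checks to run is an assumption about what an administrator wants to verify.

```powershell
# Added example, run in the Exchange Management Shell.
# The path is the sample path from this topic.
$path  = 'c:\certificates\newcert.cer'
$bytes = [Byte[]]$(Get-Content -Path $path -Encoding Byte -ReadCount 0)

# Parse the file in memory first, so nothing is written to the certificate store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

# Refuse a certificate that is not yet valid or has already expired.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Show the names the certificate covers, to compare with the names clients connect to.
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { $san.Format($true) } else { 'No subject alternative names present.' }

# Import with the Exchange cmdlet, as this topic requires.
$imported = Import-ExchangeCertificate -FileData $bytes

# Confirm the imported certificate is the one that was inspected.
if ($imported.Thumbprint -ne $cert.Thumbprint) {
    throw "Imported thumbprint $($imported.Thumbprint) does not match the inspected file."
}

# A certificate without its private key on this server cannot be used for TLS.
if (-not $imported.HasPrivateKey) {
    throw "Certificate $($imported.Thumbprint) has no private key on this server."
}

# Enable for SMTP, then read back what Exchange recorded.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services SMTP
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, HasPrivateKey, Services, Status
```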