Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-11-19

Use the Import-ExchangeCertificate cmdlet to import a certificate or chain of certificates.


Import-ExchangeCertificate -FileData <Byte[]> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]
Import-ExchangeCertificate -Instance <String[]> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

Detailed Description

You can use the Import-ExchangeCertificate cmdlet for the following purposes:

  • To import a certificate or chain of certificates from a PKCS #7 file that has been issued by a certification authority (CA). PKCS #7 is the Cryptographic Message Syntax Standard, a syntax used for digitally signing or encrypting data using public key cryptography, including certificates.

  • To import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file to the certificate store on the local computer. PKCS #12 is the Personal Information Exchange Syntax Standard, a file format used to store certificates with corresponding private keys protected with a password. The standard is specified by RSA Laboratories. For more information, see the PKCS #12: Personal Information Exchange Syntax Standard Web site.

    There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, see Understanding TLS Certificates.
    In Microsoft Exchange Server 2010, to import data from a file, you must use the Get-Content cmdlet to retrieve file data and use the FileData parameter to specify the retrieved data. This can be done in a two-step process, or in a single step. Examples shown in this cmdlet use the single-step approach. For more information about importing and exporting files in Exchange 2010, see Understanding Importing and Exporting Files in the Exchange Management Shell.

The certificate may be published in Active Directory for the purposes of direct trust by using mutual TLS if the following conditions are true:

  • The certificate is marked as an SMTP TLS certificate.

  • The Subject Name on the certificate matches the fully qualified domain name (FQDN) of the local computer.

The certificate may be published in Active Directory by Edge Subscription if the following conditions are true:

  • You import the certificate to an Edge Transport server.

  • The certificate has an FQDN that matches the server FQDN.

The Import-ExchangeCertificate cmdlet imports either a certificate that's issued from an outstanding request or a PKCS #12 file.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell Infrastructure Permissions topic.


Parameters




FileData (Required; type: Byte[])

The FileData parameter specifies the content retrieved from the certificate file using the Get-Content cmdlet, as shown in "Examples" later in this topic.

For more information about the syntax required to use this parameter, see Understanding Importing and Exporting Files in the Exchange Management Shell.




Instance (Required; type: String[])

The Instance parameter specifies whether to pass a whole object to the command to be processed. This parameter is mainly used in scripts where a whole object must be passed to the command.




Confirm (Optional; type: SwitchParameter)

The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




DomainController (Optional; type: Fqdn)

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory. The DomainController parameter isn't supported on the Edge Transport server role. The Edge Transport server role writes only to the Active Directory Lightweight Directory Services (AD LDS) instance.




FriendlyName (Optional; type: String)

The FriendlyName parameter specifies a friendly name for the resulting certificate. The friendly name must be less than 64 characters.

The default friendly name is Microsoft Exchange.




Password (Optional; type: SecureString)

The Password parameter specifies the password for the private key that's imported with this command. Use the Get-Credential cmdlet to store the password variable.

The Get-Credential cmdlet prompts you for a user name and password, but only the password field is used to import the certificate. You don't have to use a real domain name or user name in the Name field. For implementation details, see "Examples" later in this topic.




PrivateKeyExportable (Optional; values: $true | $false)

The PrivateKeyExportable parameter specifies whether the private key of the certificate can be exported.




Server (Optional; type: ServerIdParameter)

The Server parameter specifies the server name to which you want to import the certificate.




WhatIf (Optional; type: SwitchParameter)

The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

Input Types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

Return Types

To see the return types, which are also known as output types, for this cmdlet, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.



Examples

This example imports an existing certificate and private key from the PKCS #12 file ExportedCert.pfx.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password


This example imports a chain of certificates from the PKCS #7 file IssuedCert.p7b.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\IssuedCert.p7b -Encoding byte -ReadCount 0))
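
The two-step approach mentioned in the Detailed Description, shown here as an added example that is not part of the original topic: the file is read into a variable first, the import is previewed with WhatIf, the private key is imported as non-exportable, and the result is checked with Get-ExchangeCertificate. The variable names, the friendly name and the 30-day expiry threshold are illustrative assumptions, as is the use of Read-Host -AsSecureString in place of Get-Credential to obtain the password.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
$pfxPath = 'c:\certificates\ExportedCert.pfx'   # same file as the first example above

# Step 1: retrieve the file data once, as a byte array.
[Byte[]]$fileData = Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0 -ErrorAction Stop
if (-not $fileData -or $fileData.Length -eq 0) {
    throw "No data was read from $pfxPath"
}

# Prompt for the PKCS #12 password directly as a SecureString, so no user name
# field has to be filled in and the password never exists as plain text in a variable.
$password = Read-Host -Prompt 'PKCS #12 password' -AsSecureString

# Preview the operation without changing the certificate store.
Import-ExchangeCertificate -FileData $fileData -Password $password -WhatIf

# Step 2: import the certificate. Marking the private key as non-exportable keeps
# it from being exported again from this server's certificate store.
$imported = Import-ExchangeCertificate -FileData $fileData -Password $password `
    -PrivateKeyExportable $false `
    -FriendlyName 'Imported from ExportedCert.pfx' `
    -ErrorAction Stop

# Verify what actually landed in the store before assigning it to any service.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter,
    HasPrivateKey, PrivateKeyExportable, Status

if (-not $cert.HasPrivateKey) {
    Write-Warning 'The certificate was imported without a private key.'
}
if ($cert.PrivateKeyExportable) {
    Write-Warning 'The private key is still marked as exportable.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "The certificate expires on $($cert.NotAfter)."
}
```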