Applies to: Exchange Server 2007
Topic Last Modified: 2008-06-10

Use the Enable-ExchangeCertificate cmdlet to enable an existing certificate that is in the local certificate store for different services.

Important:
There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Creating a Certificate or Certificate Request for TLS.

Syntax

Enable-ExchangeCertificate -Thumbprint <String> -Services <None | IMAP | POP | UM | IIS | SMTP> [-DomainController <Fqdn>]

Parameters

Parameter Required Type Description

Services

Required

Microsoft.Exchange.Management.SystemConfigurationTasks.AllowedServices

Use the Services parameter to specify the services that will use the resulting certificate. Valid entries include a combination of the following:

  • IMAP

  • POP

  • UM

  • IIS

  • SMTP

  • None

To enable a certificate for multiple services, enclose the values in quotation marks and separate them by commas as in the following example:

-Services "IMAP, POP, IIS"

Thumbprint

Required

System.String

Use the Thumbprint parameter to specify the thumbprint of the certificate that you are enabling. Each certificate contains a thumbprint, which is the digest of the certificate data.

DomainController

Optional

Microsoft.Exchange.Data.Fqdn

Use the DomainController parameter to specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory. The DomainController parameter is not supported on computers that run the Edge Transport server role. The Edge Transport server role writes only to the local Active Directory Application Mode (ADAM) instance.

Detailed Description

The Enable-ExchangeCertificate cmdlet enables certificates when it updates the metadata that is stored with the certificate. To enable an existing certificate to work with different services, run the Enable-ExchangeCertificate command and specify the services that you want to enable. You can rerun this cmdlet if you want to add new services that use the certificate.

Remember that different services have different metadata requirements on a given certificate. In addition, the Enable-ExchangeCertificate cmdlet is only additive. That means that you can't disable or remove specific services from the certificate by using the Enable-ExchangeCertificate command.

For example, some services may only require a server name in the certificate, whereas other services may require a fully qualified domain name (FQDN). Make sure that the certificate name can support the uses required by the services you enable it for.

When you enable a certificate for the Simple Mail Transfer Protocol (SMTP) service and the certificate contains an FQDN that matches the FQDN of the local computer, the certificate may be published to the Active Directory directory service.

To run the Enable-ExchangeCertificate cmdlet, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To run the Enable-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

Input Types

Return Types

Errors

Error Description


Exceptions

Exceptions Description


Example

The following example shows how to enable a certificate for POP and IMAP services.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP"
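The following script is an added example, not part of the original page, that applies the checks the Detailed Description calls for before enabling a certificate: because the cmdlet is additive and cannot remove services, it records the services already enabled, confirms the certificate carries the names the target services need, and reads the result back. It assumes the Get-ExchangeCertificate cmdlet and its Services, CertificateDomains, NotAfter and HasPrivateKey output properties; the thumbprint and host names are placeholders.

```powershell
# Added example (not from the original page). Assumes Get-ExchangeCertificate
# and its Services, CertificateDomains, NotAfter and HasPrivateKey properties.
$thumbprint    = "0000000000000000000000000000000000000000"   # placeholder thumbprint
$requiredNames = @("mail.contoso.example", "EXCH01")           # placeholder FQDN and server name
$services      = "SMTP, IIS"                                   # services to enable

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if ($cert -eq $null) {
    throw "No certificate with thumbprint $thumbprint was found in the local store."
}
if (-not $cert.HasPrivateKey) {
    throw "The certificate has no private key, so TLS/SSL services cannot use it."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "The certificate expired on $($cert.NotAfter)."
}

# Enable-ExchangeCertificate only adds services; keep a record of the prior state.
Write-Host ("Services before: " + $cert.Services)

# Each service needs its own name form (server name or FQDN) present in the certificate.
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing   = $requiredNames | Where-Object { $certNames -notcontains $_ }
if ($missing) {
    throw ("The certificate lacks required name(s): " + ($missing -join ", "))
}

Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services

# Read the metadata back to confirm the services were added.
$after = Get-ExchangeCertificate -Thumbprint $thumbprint
Write-Host ("Services after:  " + $after.Services)
```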