Export the certificate in Exchange Server


We want to export the certificate from the Exchange Server and import it into the newly installed Exchange Server. It’s crucial to install an SSL certificate on the Exchange Server to secure the connections between the server and clients.

This article shows how to export certificates in Exchange Server with PowerShell and Exchange Admin Center.


Create shared folder

Sign in to the Exchange Server. This can be the new Exchange Server or one that is already installed and configured. Create a folder on the (C:) drive and give it the name Certs. Right-click the Certs folder and share this folder.

Assign permissions to the folder:

  • Your account (administrator) – Permissions Change/Read Allow
  • SYSTEM – Permissions Change/Read Allow

Browse to the shared Certs folder path and verify that you can open the folder before proceeding to the next step.

Export Exchange certificate

Starting from Exchange Server 2016 CU23 and later and Exchange Server 2019 CU12 and later, the only option to export the Exchange certificate is with PowerShell (Exchange Management Shell).

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). 

Export Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Next, run the below two commands to export the certificate.

$cert = Export-ExchangeCertificate -Thumbprint 'E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9' -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
[System.IO.File]::WriteAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx', $cert.FileData)
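A variant of the two commands above, added here as an example and not part of the original article: it prompts for the PFX password instead of typing it into the command line, then re-opens the written file to confirm it holds the expected certificate and private key. The variable names are chosen for this example; the thumbprint and path are the ones used in this article.

```powershell
# Added example. Thumbprint and path are the values used in this article.
$thumbprint = 'E0BDD1F47CA74B3FC3E6D84DD4AF86C1E7141DC9'
$pfxPath    = '\\ex01-2016\Certs\ExchangeCert.pfx'

# Prompt for the PFX password so it does not end up in command history or transcripts.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Stop early if this server does not hold the private key for the certificate.
$source = Get-ExchangeCertificate -Thumbprint $thumbprint
if (-not $source.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key on this server."
}

# Same export as in the article, with the prompted password.
$cert = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $cert.FileData)

# Re-open the file with the same password and check what was actually written.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
try {
    if ($pfx.Thumbprint -ne $thumbprint) {
        throw "Thumbprint mismatch: file contains $($pfx.Thumbprint)"
    }
    if (-not $pfx.HasPrivateKey) {
        throw 'Exported PFX does not contain the private key.'
    }
    [pscustomobject]@{
        Subject    = $pfx.Subject
        Thumbprint = $pfx.Thumbprint
        NotAfter   = $pfx.NotAfter
        # Hash to compare after copying the file to the other Exchange Server.
        SHA256     = (Get-FileHash -Path $pfxPath -Algorithm SHA256).Hash
    }
}
finally {
    $pfx.Dispose()
}

# The PFX contains the private key: review who can read it on the share.
(Get-Acl -Path $pfxPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Delete the PFX from the share once it has been imported on the other server, since the file password is then the only protection for the private key.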

Export Exchange certificate from Exchange Admin Center

If your Exchange Server is not running Exchange Server 2016 CU23 or later, or Exchange Server 2019 CU12 or later, you can export the certificate from Exchange Admin Center.

Sign in to Exchange Admin Center. Click servers in the feature pane and click certificates in the tabs. Select the Exchange Server. Click on the Exchange certificate that you want to export.

In the toolbar, click the More options icon and select Export Exchange Certificate.

Enter the path you created in the first step and add a name for the certificate, including the .pfx file name extension. In our example, it’s \\EX01-2016\certs\ExchangeCert.pfx. Protect the certificate with a password and click OK.

Verify Exchange certificate export

Browse to the path and verify that the Exchange certificate is exported with success.

That’s it. Did this help you to export the Exchange certificate?


Conclusion

You learned how to export certificates in Exchange Server. Create a shared folder and assign permissions before you start to export the certificate with PowerShell or with the export wizard in Exchange Admin Center.

Remember that in the latest Exchange Server versions, the export certificate functionality in Exchange Admin Center is removed and the only way to export the Exchange certificate is with PowerShell.


Import the certificate in Exchange Server


It’s important to secure the Exchange Server with an SSL certificate. We have an SSL certificate that we want to import into Exchange Server. There are two ways to do that. One way is to install the certificate in Exchange Admin Center. The other way is to install the Exchange certificate with PowerShell. This article shows how to import a certificate with PowerShell and Exchange Admin Center.

Do you have more than one Exchange Server running in the organization? You can use the same certificate for other Exchange Servers.


Create shared folder

Create a shared folder and place the SSL certificate in the folder. Make sure to assign permissions to the folder, for example, to the SYSTEM account. If you don’t give permission, you cannot import the certificate, and an error will appear.

Import certificate in Exchange Server

Starting from Exchange Server 2016 CU23 and later and Exchange Server 2019 CU12 and later, the only option to import the Exchange certificate is with PowerShell (Exchange Management Shell).

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). 

Import Exchange certificate with PowerShell

Run Exchange Management Shell as administrator. Next, run the below command to import the certificate.

[PS] C:\>Import-ExchangeCertificate -Server "EX01-2016" -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2016\Certs\ExchangeCert.pfx')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

Thumbprint                                Services   Subject
----------                                --------   -------
0C4C00B76EB7DB236573BF79258888D32C9B753D  .......    CN=mail.exoip.com


Import Exchange Certificate in Exchange Admin Center

If your Exchange Server is not running Exchange Server 2016 CU23 or later, or Exchange Server 2019 CU12 or later, you can import the certificate in Exchange Admin Center.

Sign in to Exchange Admin Center. Click servers in the feature pane and click certificates in the tabs. Click the More options icon and select Import Exchange Certificate.

A new window will show up. Insert the path to the Exchange certificate. Fill in the password field. If there is no password configured for the certificate, you can leave it empty. Click Next.

Click + (Add) to select the Exchange Server.


Select the Exchange Server. This is the server where the new certificate is going to be installed. Click Add and OK.

In my example, it’s EX01-2016.


Click Finish.


The certificate is imported into Exchange Server. The next step is to assign the certificate to the Exchange services.

Assign Exchange services to certificate

Click the imported certificate, then click the Edit icon.

Click services in the left menu. Specify the Exchange services to assign this certificate to. Click Save.

In my example, the services SMTP, IMAP, and IIS are checked.

A warning appears if you want to overwrite the existing certificate. Click Yes.


Click the certificate in the list view. See the assigned services in the details pane. It’s assigned to the services that we selected.

In the next step, we will check the secured SSL certificate on the Exchange Server.

Test imported Exchange certificate

Go to the Outlook Web Access (OWA) URL or the Exchange Admin Center (EAC) URL. You can verify that the website is secure.

The certificate is successfully imported into Exchange Server. Did it help you to install the certificate in Exchange Server?


Conclusion

You learned how to import certificates in Exchange Server. Place the certificate in a shared folder before you start to import the certificate with PowerShell or with the import wizard in Exchange Admin Center.

Remember that in the latest Exchange Server versions, the import certificate functionality in Exchange Admin Center is removed and the only way to import the Exchange certificate is with PowerShell.

When the certificate is imported, you’re not done. That’s because the new certificate needs to be assigned to the Exchange services. After assigning the services, verify the certificate by browsing to the OWA URL in your favorite browser.

Create a certificate in Exchange Server

 

How to create a certificate in Exchange Server? It’s important to secure the connections to Exchange Server with an SSL certificate. Let’s look at how to generate a certificate request, complete the certificate request, and assign the services to the certificate. Use the same steps in this article to renew a third-party certificate in Exchange Server.


Create shared folder

Sign in to the Exchange Server. This can be the new Exchange Server or one that is already installed and configured. Create a folder on the (C:) drive and give it the name Certs. Right-click the Certs folder and share this folder.

Assign permissions to the folder:

  • Your account (administrator) – Permissions Change/Read Allow
  • SYSTEM – Permissions Change/Read Allow

Browse to the shared Certs folder path and verify that you can open the folder before proceeding to the next step.

Create Exchange certificate

Starting from Exchange Server 2016 CU23 and later and Exchange Server 2019 CU12 and later, the only option to create the Exchange certificate is with PowerShell (Exchange Management Shell).

Note: To prevent misuse of UNC paths by attackers, Microsoft removed the parameters that take UNC paths as inputs from the Exchange Server PowerShell cmdlets and the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later). 

Generate an Exchange certificate request

Run Exchange Management Shell as administrator. Run the New-ExchangeCertificate cmdlet and fill in the details:

  • Server: Specifies the Exchange Server to generate the request on.
  • GenerateRequest: Prepares a 3rd party certificate request.
  • FriendlyName: The friendly name of the certificate.
  • PrivateKeyExportable: Allows you to export/import the certificate to other Exchange Servers.
  • SubjectName: The subject field of the certificate request.
  • DomainName: Specifies one or more FQDNs.

[PS] C:\>$txtrequest = New-ExchangeCertificate -Server "EX01-2019" -GenerateRequest -FriendlyName "Exchange Certificate 3rd party" -PrivateKeyExportable $true -SubjectName "c=NL, s=South Holland, l=The Hague, o=EXOIP, ou=IT, cn=mail.exoip.com" -DomainName mail.exoip.com,autodiscover.exoip.com

Run the second command to export the certificate request to the shared folder.

[PS] C:\>[System.IO.File]::WriteAllBytes('\\ex01-2019\Certs\ExchangeCert.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

Sign in to Exchange Admin Center. Go to servers > certificates. Verify that you see the Exchange certificate with the Pending request status.


Process Exchange certificate request

Go to the shared folder and open ExchangeCert.req with Notepad.


Next, copy the certificate request.

Sign in to the third-party Certificate Authority. This can be any Certificate Authority of your choice. Ensure that you select a multi-domain certificate because you have more than one domain name in the certifica

Paste the copied certificate request and check that the CSR information is correct. It will show the company name and the domains.


Proceed further with the payment.

The Certificate Authority will ask you to validate the domain. This can be through an email sent to an email recipient listed on the domain registration or by adding a record in the public DNS.

Complete Exchange certificate request

The certificate is ready for you to download from the Certificate Authority. Download and unpack the certificate from the Certificate Authority to the Exchange Server shared folder.

Give the certificate an accessible name. In our example, the certificate name is Exoip.crt.


Run the Import-ExchangeCertificate cmdlet to complete the pending certificate.

[PS] C:\>Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\ex01-2019\Certs\Exoip.crt')) -PrivateKeyExportable:$true -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)

The Exchange certificate will show the status Valid.


Assign Exchange services to certificate

Double-click the certificate and copy the certificate thumbprint.


Run the Enable-ExchangeCertificate cmdlet to assign services to the certificate. Fill in the thumbprint value which you copied.

[PS] C:\>Enable-ExchangeCertificate -Server "EX01-2019" -Thumbprint 6C31EB21621378CB5454A32F2DF0D1F87FAF69C5 -Services SMTP,IMAP,IIS -Force

Restart IIS

Restart the Internet Information Services (IIS) on the Exchange Server.

[PS] C:\>iisreset

Verify new Exchange certificate

Go to the Outlook Web Access (OWA) URL or the Exchange Admin Center (EAC) URL. Verify that the website connection is secure. Also, check that the Outlook client starts without any errors.
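The browser check above (and the same check in the import section) can also be scripted. This added example, which is not part of the original article, connects to port 443 for each name in the request and compares the certificate that IIS actually serves with the thumbprint that was enabled. The function name Get-ServedCertificate is made up for this example; host names, server name and thumbprint are the ones used in this article.

```powershell
# Added example. Names and thumbprint are the values used in this article.
$expectedThumbprint = '6C31EB21621378CB5454A32F2DF0D1F87FAF69C5'
$names = 'mail.exoip.com', 'autodiscover.exoip.com'

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents: no data is sent over this
        # connection, and the certificate is validated explicitly below.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        # TLS 1.2 is requested explicitly so the check does not depend on
        # the protocol defaults of the PowerShell host.
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

foreach ($name in $names) {
    $served = Get-ServedCertificate -HostName $name
    [pscustomobject]@{
        Host           = $name
        Thumbprint     = $served.Thumbprint
        IsExpectedCert = $served.Thumbprint -eq $expectedThumbprint
        # Builds the chain against the local trust store of this machine.
        ChainValid     = $served.Verify()
        NotAfter       = $served.NotAfter
        DaysLeft       = [int]($served.NotAfter - (Get-Date)).TotalDays
    }
}

# Server-side view of the same certificate: services, status and covered names.
Get-ExchangeCertificate -Server 'EX01-2019' -Thumbprint $expectedThumbprint |
    Format-List Subject, CertificateDomains, Services, Status, NotAfter, HasPrivateKey
```

If IsExpectedCert is False for a name, the old certificate is still bound to IIS or the name resolves to a different server or load balancer.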

Copy certificate to another Exchange Server

Suppose you have more than one Exchange Server. Then you don’t have to do all the steps again. Instead, you can export the certificate and import it to the other Exchange Servers.

Conclusion

You learned how to create a certificate in Exchange Server. First, generate a certificate request. Next, complete the certificate request. Lastly, assign the services to the certificate. The same steps apply when you want to renew an Exchange Server third-party certificate.