Microsoft Exchange 2010 - Install SSL Certificate
Last updated: 14/01/2016
Install an SSL Certificate on Microsoft Exchange 2010
This article shows you how to install an SSL certificate on Microsoft Exchange 2010. If you didn't generate a certificate request (CSR) yet, and didn't order a certificate, please see « Exchange 2010 SSL Certificate Request Instructions ».
Other versions of Microsoft Exchange
The documentation for installing an SSL certificate on other versions of Microsoft Exchange can be found in the following articles:
Installing root and intermediate certificates
You may have to install the Certificate Authority's root and intermediate SSL certificates if they haven't been installed on the server before. Please check out the « How to install root and intermediate SSL certificates on Microsoft IIS » for instructions.
GUI or command line?
You can install your SSL certificate either by using the graphical interface of the Microsoft Exchange Management Console, or through the command-line environment of Microsoft Exchange Management Shell, first introduced in Exchange 2007.
Installing an SSL certificate with Microsoft Exchange Management Shell
- Save the SSL certificate file you received from the Certification Authority to your server's root directory.
- Go to Start, Programs, Administrative Tools, Microsoft Exchange 2010, Exchange Management Shell.
- At the Exchange Management Shell command line, type the following command to the Import-ExchangeCertificate and Enable-ExchangeCertificate cmdlets together. Note that the syntax is entirely different from the Exchange 2007 syntax:
Import-ExchangeCertificate -FileData ([Byte]$(Get-Content -Path c:\mail_server_com.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "IIS,POP,IMAP,SMTP"
The -Services parameter can be any of SMTP, IMAP, POP, IIS and UM. You can also disable a certificate by setting the -Services parameter to "None".
- Verify that your SSL certificate is enable in Exchange with the following command:
Get-ExchangeCertificate -DomainName mail.server.com
This should output a certificate thumbprint, a list of services for which it is enabled, and the Common Name of your certificate. If your certificate was not properly enabled, you can rerun the Enable-ExchangeCertificate cmdlet with the certificate's thumbprint:
Enable-ExchangeCertificate -ThumbPrint [paste thumbprint here] -Services "SMTP, IMAP, POP, IIS"
- Your SSL certificate is now installed and enabled on Microsoft Exchange Server. Test your certificate by connecting with Outlook or going to the Outlook Web Access webmail client.
- If your certificate doesn't get sent correctly, a server reboot may be required, particularly if you had to install root and intermediate certificates first.
- Your certificate is now ready for use with Exchange. Congratulations!
Installing and SSL certificate with Microsoft Exchange Management Console
- Go to Start, Programs, Administrative Tools, Microsoft Exchange 2010, Exchange Management Console.
- Click Manage Databases.
- Select Server Configuration in the left pane, select your certificate from the menu in the center of the screen, as listed by its Friendly Name, then click Complete Pending Request in the Actions pane at the right.
- Browse to the certificate file, then select Open and click Complete.
- Press F5 to refresh the page and check that the certificate now says False under Self Signed. If True is still shown, the wrong certificate has been selected, or it has been installed on the wrong server. To resolve this issue, create a new CSR on this Exchange server and reissue the certificate.
- Your SSL certificate is now installed. To enable it for use, go back to the Exchange Management Console and click Assign Services to Certificate.
- Select your server from the list and click Next.
- Select the services to secure with the SSL certificate, then click Next, Assign and Finish.
- Your certificate is now ready for use with Exchange 2010. Congratulations!