How to install an SSL certificate on Exchange 2007 using PowerShell

The CSR generation instructions for the certificate activation can be checked here.

After the certificate is issued, you need to install it on the Exchange server. You can do this in the Exchange Management Shell by following the steps below:

  • Copy the certificate you received by email to any accessible location on your server, for instance drive C:\
  • Open the Exchange Management Shell. Click Start > All Programs > Microsoft Management Server 2007 > Exchange Management Shell
  • Run the certificate import and enable commands:

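# Import the certificate and pipe it to the enable command, which takes the thumbprint from the imported certificate
Import-ExchangeCertificate -Path C:\mail_ssl-tutorials_com.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"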

After executing these two commands, the certificate should be imported into Exchange and enabled for the following services: SMTP, IMAP, POP3 and IIS (web). You can list any combination of the mentioned services, in any order.

  • To verify that your certificate is enabled, you can enter the following command:

Get-ExchangeCertificate -DomainName [your domain name]

As a result, you will see the certificate thumbprint, the services for which the certificate was enabled and the certificate details (including its common name). In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS) respectively.

  • If the certificate was not enabled properly, re-run the modified enable command indicating the certificate thumbprint:

Enable-ExchangeCertificate -Thumbprint [thumbprint value] -Services "SMTP, IMAP, POP, IIS"

  • If you received and uploaded the certificate in PEM-encoded format (the file extension will be *.crt), you may also need to import intermediate and root certificates on the server using Microsoft Management Console. You can use the guides for COMODO certificates.

If the certificate was sent to you in the PKCS#7 format (the file extension can be *.cer, *.p7b or *.p7s), this step is not required. All intermediate certificates are already included in the PKCS#7 certificate file.

  • Restart the service and check if the certificate is working properly by connecting via browser, ActiveSync or mail client. If the server does not return the intermediate certificates, you may need to reboot the whole web server after importing intermediate certificates in MMC. Be aware that this will cause a temporary service downtime.
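
A post-install check for the steps above, as an added example that is not part of the original article: it confirms which services Exchange bound to the certificate, that the private key is present, and that Windows can build a chain through the intermediates to a trusted root. The thumbprint is a placeholder, and skipping revocation checking is an assumption made so the check only tests chain completeness.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# $thumbprint is a placeholder: paste the value shown by Get-ExchangeCertificate.
$thumbprint = '<thumbprint value>'
$expected   = 'SMTP', 'IMAP', 'POP', 'IIS'   # services enabled in the steps above

# 1. Services that Exchange has bound to this certificate.
$exCert  = Get-ExchangeCertificate -Thumbprint $thumbprint
$enabled = @($exCert.Services.ToString().Split(',') | ForEach-Object { $_.Trim() })
foreach ($svc in $expected) {
    if ($enabled -contains $svc) {
        Write-Host "OK       $svc is enabled"
    } else {
        Write-Host "MISSING  $svc is not enabled"
    }
}

# 2. Private key and validity period, read from the computer's Personal store.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    # The key is created with the CSR; without it the services cannot use the certificate.
    Write-Host 'FAIL     certificate has no private key on this server'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Host 'FAIL     certificate has expired'
}
Write-Host "Valid from $($cert.NotBefore) until $($cert.NotAfter)"

# 3. Chain building: fails or stops short when an intermediate or root is missing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Assumption: revocation is not checked here, only whether the chain is complete.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host 'OK       chain builds to a trusted root:'
} else {
    Write-Host 'FAIL     chain is incomplete or untrusted:'
}
foreach ($element in $chain.ChainElements) {
    Write-Host "           $($element.Certificate.Subject)"
}
foreach ($status in $chain.ChainStatus) {
    Write-Host "           $($status.Status): $($status.StatusInformation.Trim())"
}
```

A chain that builds locally shows the intermediates are available to Windows; what the server actually sends to clients still needs the browser, ActiveSync or mail client test described above.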