Exchange 2013 Certificate Commands

The following commands can be run from an Exchange 2013 server to create, import, export, remove, and enable certificates.

Create a Certificate

Create a new certificate request with these two commands. The second will create the request file that will be submitted to your public CA.

$NEWCERTREQ = New-ExchangeCertificate -GenerateRequest -FriendlyName "<Name of Certificate>" -KeySize 2048 -SubjectName "c=<Country>, s=<State>, l=<City>, o=<Organization>, ou=<Department>, cn=<CommonName>" -DomainName <>, <FQDNofExchangeServers> -PrivateKeyExportable $True
Set-Content -path "C:\MyCertRequest.req" -Value $NEWCERTREQ


Import a New Certificate

Import a certificate after receiving from public certificate authority (CA). This command will replace the pending certificate request with the certificate issued and received from your public CA.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\PublicCert.crt" -Encoding byte -ReadCount 0))


Get Certificate Information

Get current information of all certificates on the server. It is important to get the certificate thumbprint information for other commands. We can identify the certificate based on it not having any services assigned and the subject will contain information you entered when you created the new certificate request (i.e. the common name (CN) will be displayed in the “Subject”).



Assign Services to a Certificate

Using the Thumbprint displayed from the command above, we will enable services for use with the certificate that was just imported on the local Exchange server.

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP,IMAP,POP,IIS


Remove a Certificate

If we ever need to, we can remove an existing (unused) certificate with a known thumbprint using this command…

Remove-ExchangeCertificate -Thumbprint <Thumbprint>


Export an Existing Certificate

We will now export an existing certificate with known thumbprint to a file that will be imported to another Exchange server in the future…

NOTE: The “path” parameter is no longer available with the Export-ExchangeCertificate command in Exchange 2013. To create a PFX file, we must utilize the Set-Content command.

$EXPORTCERTINFO = Export-ExchangeCertificate -Thumbprint <Thumbprint> -BinaryEncoded:$true -Password:(Get-Credential).password

Enter credentials when prompted and then run this command to create the export file…

Set-Content -Path "C:\ExportedCert.pfx" -Value $EXPORTCERTINFO.FileData -Encoding Byte


Import an Exported Certificate to Another Exchange Server

With the following commands, we can import a certificate that was previously exported to another Exchange server and assign services…

Import-ExchangeCertificate -Server <ExchangeServer> -FileData ([Byte[]]$(Get-Content -Path C:\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Enter credentials when prompted and the certificate information will be displayed, along with the thumbprint.  Next, run this command to assign services to the certificate on the server it was imported to…

Enable-ExchangeCertificate -Server <ExchangeServer> -Thumbprint <Thumbprint> -Services SMTP,IMAP,POP,IIS


The certificate process via the Exchange Management Console will greatly simplify creating, importing, exporting and assigning certificates in your environment over using the Exchange Admin Center.

Have fun!




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s