In this guide, you will learn how to install an SSL/TLS certificate on Microsoft Exchange Server. We cover the modern method for Exchange 2016, 2019, and the new Exchange Server Subscription Edition (SE), plus archival steps for legacy versions.
Exchange spans many releases, and the certificate workflow differs between them, so check your Exchange version and cumulative update (CU) before you begin. If you have already generated your CSR and received the issued certificate, skip ahead to Install an SSL certificate on Exchange.
How to generate a CSR code in Microsoft Exchange
Before you can install a certificate, you need to obtain one from a trusted CA (Certificate Authority), and that starts with a CSR (Certificate Signing Request). A CSR is a block of encoded text that holds your contact and organization details. You have two options:
- Generate the CSR automatically with our CSR Generator.
- Follow our step-by-step tutorial on how to create a CSR in Microsoft Exchange.
Once the Certificate Authority validates your request and issues the certificate, you can install it on your Exchange server using the steps below.
Pre-installation requirements
This guide covers all supported Exchange versions, including legacy setups, CU-specific differences, and the Exchange Server Subscription Edition (SE) that Microsoft released in 2025. Before you start, gather the following.
What you’ll need
- A .pfx (PKCS#12) file that contains your SSL certificate, its private key, and the full certificate chain (intermediate and root).
- The password you set on that .pfx file.
- Administrative access to the Exchange server and, for the shell method, the Exchange Management Shell.
If you generated the CSR on the Exchange server itself, the private key already lives there as a pending request, and the CA usually returns a .cer or .crt file that you complete against that request (see the legacy 2010 steps for the “Complete pending request” flow). If instead you hold separate .crt, .cer, or .pem files plus the key, combine them into a single .pfx first. You can do that with our SSL tools or with OpenSSL:
openssl pkcs12 -export -out yourcert.pfx -inkey privkey.key -in server.crt -certfile ca-bundle.crt
Compatibility table
| Exchange version | Certificate method | Notes |
|---|---|---|
| Exchange SE (2025+) | EAC or PowerShell | Same steps as 2019 CU15+ |
| Exchange 2019 CU15+ | EAC or PowerShell | EAC import/export restored in CU15 |
| Exchange 2019 CU12 to CU14 | PowerShell | EAC import/export was removed |
| Exchange 2016 (CU23) | PowerShell | EAC import/export/complete removed; use the shell |
| Exchange 2013 | EAC or PowerShell | Full EAC certificate support |
| Exchange 2010 | Legacy methods (MMC + EMC) | Unsupported; GUI-based |
| Exchange 2007 / 2003 | Legacy methods | Unsupported; no longer secure |
The table reflects an important change. Microsoft removed the import and export certificate options from the EAC in Exchange 2016 and in Exchange 2019 CU12, then restored them in Exchange 2019 CU15 (KB5014278 also removed UNC-path inputs from several cmdlets at the same time). On versions where the EAC import option is missing, use the PowerShell method instead; it works everywhere.
Install an SSL certificate on Exchange 2016, 2019, and SE
You can install the certificate through the Exchange Admin Center (EAC) or the Exchange Management Shell (PowerShell). Pick the method that matches your version using the table above. Both finish the same way: import the certificate, then enable it for the services you run.
Method 1: Install via the EAC (Exchange Admin Center)
The EAC import option is available on Exchange 2013 and on Exchange 2019 CU15 or later. On Exchange 2016 (CU23) and Exchange 2019 CU12 to CU14, Microsoft removed the EAC certificate options (import, export, and complete request), so use the PowerShell method below instead. It works on every supported version.
Step 1: Open the EAC
- Sign in to the EAC and go to Servers > Certificates.
- In the Select server dropdown, choose the server where you want to install the certificate.
Step 2: Import the certificate
- Click More options (the three dots), then Import Exchange certificate.
- Enter the path to your .pfx file. The EAC requires a UNC path, for example \\FileServer01\Share\yourcert.pfx or \\ServerName\c$\Certs\yourcert.pfx, not a local drive letter.
- Enter the .pfx password, then click Next.
- Add the target server (or servers), then click Finish.
Step 3: Assign services
- Select the imported certificate and click Edit.
- Open the Services tab and select the services that should use the certificate:
- IIS, for Outlook on the web (OWA), the ECP, and Outlook connectivity.
- SMTP, for mail transport.
- POP and IMAP, only if you have enabled those client protocols.
- Click Save. If you are prompted to overwrite the default SMTP certificate, confirm only if you intend to replace it.
Method 2: Install via PowerShell (Exchange Management Shell)
This method works on every version from Exchange 2013 through Exchange SE, and it is the required method on Exchange 2016 and Exchange 2019 CU12 to CU14. Open the Exchange Management Shell as an administrator.
Step 1: Import the certificate
Point the shell at your .pfx file and supply its password. Because KB5014278 removed UNC-path parameters, this approach reads the file into memory with ReadAllBytes, which is the supported way on current builds:
$file = "C:\path\to\yourcert.pfx"
$pwd = Read-Host -AsSecureString "Enter the PFX password"
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($file)) -Password $pwd
The command imports the certificate and returns its thumbprint. Copy that value for the next step. To list installed certificates and their thumbprints at any time, run:
Get-ExchangeCertificate
Step 2: Assign services
Enable the certificate for the services you use, replacing <THUMBPRINT> with the value from Step 1:
Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services IIS,SMTP
If you also offer POP or IMAP to clients, include them in the same command:
Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services IIS,SMTP,POP,IMAP
When Exchange asks whether to overwrite the existing default SMTP certificate, answer Y only if you want this certificate to become the default for SMTP. After the services are assigned, restart IIS so OWA and the ECP pick up the new certificate:
IISReset
You have now installed and enabled the certificate. To confirm it is being served correctly, you can scan the host with our SSL Checker, or test the SMTP endpoint with OpenSSL from another machine:
openssl s_client -starttls smtp -connect mail.yourdomain.com:25 -servername mail.yourdomain.com
Install an SSL certificate on legacy Exchange versions
Legacy notice: Exchange 2010, 2007, and 2003 are out of support and no longer receive updates or security patches from Microsoft. The steps below are provided for archival reference, for teams maintaining old internal systems. Where possible, migrate to a supported release (Exchange 2019 CU15+ or Exchange SE) for current TLS compatibility and security.
How to install an SSL certificate on Exchange 2010
Installing a certificate on Exchange 2010 involves three actions: creating a certificates snap-in, installing the intermediate certificate, and completing the pending request for the primary certificate. Take it one step at a time.
Step 1: Create the certificate snap-in
- Click Start, open the Run window, type MMC (Microsoft Management Console), and press OK.
- In the console, go to File and select Add/Remove Snap-in.
- Choose Certificates and click Add.
- Select Computer account, then Next.
- Choose Local computer and press Finish.
- Click OK and close the Add/Remove Snap-in window.
Step 2: Install the intermediate certificate
- In the console’s left menu, right-click Intermediate Certification Authorities.
- Select All Tasks, then Import.
- In the Certificate Import Wizard, click Next.
- Click Browse to locate the intermediate certificate file, then click Next.
- Choose Place all certificates in the following store and select Intermediate Certification Authorities. Click OK.
- Click Next, then Finish, then OK, and close the MMC console.
Step 3: Install the primary certificate
- Click Start, then go to All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
- In the left menu, select Microsoft Exchange On-Premises > Server Configuration.
- Under Exchange Certificates, choose your primary certificate, then in the Actions menu click Complete Pending Request.
- Click Browse to point to your certificate file, press Open, then click Complete.
- Back in the console, in the Actions menu select Assign Services to Certificate.
- Pick the server, click Next, select the services you want to secure, click Next, then Assign and Finish.
If you see the error “The source data is corrupted or not properly Base64 encoded”, check the Self-Signed field of the request. If it shows True, press F5 to refresh the console. If it still shows True, generate a new CSR and reissue the certificate. That done, you have installed the certificate on Exchange 2010.
How to install an SSL certificate on Exchange 2007
Before you begin, save the certificate files from your CA to a folder on the server.
- Go to Start, click Run, type MMC, and click OK.
- In the console, click File > Add/Remove Snap-in.
- Select Certificates, then click Add.
- Select Computer account, click Next, select Local computer, and click Finish.
- Click OK to return to the console.
- Expand the Certificates folder, right-click Intermediate Certification Authorities, choose All Tasks > Import, and complete the wizard, placing the file in the Intermediate Certification Authorities store.
- Open Start > Microsoft Exchange Server 2007 > Exchange Management Shell.
Import the certificate, replacing the path with the full path and file name of your certificate:
Import-ExchangeCertificate -Path C:\your_certificate.crt
Then enable the certificate, pasting your thumbprint in place of the placeholder and listing the services you use (for example SMTP, POP, IMAP, UM, IIS):
Enable-ExchangeCertificate -Thumbprint paste_thumbprint_here -Services "SMTP,IMAP,IIS"
Close the Exchange Management Shell. The certificate is now installed on Exchange 2007.
How to install an SSL certificate on Exchange 2003
Step 1: Upload the certificates to your server
Open the archive from your SSL provider, extract the primary and intermediate certificates, save their contents with a text editor such as Notepad, and upload them to the server.
Step 2: Create a snap-in and install the intermediate certificate
- Go to Start > Run, type MMC, then click OK.
- Click File > Add/Remove Snap-in, then the Add tab.
- Choose Certificates and click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish, then close the windows with OK.
Step 3: Continue the intermediate certificate installation
- In the MMC console, double-click the Intermediate Certification Authorities folder in the left pane.
- In the right pane, right-click Certificates, select All Tasks, then Import.
- In the Certificate Import Wizard, click Next, browse to your intermediate certificate file, and click Next.
- Choose Place all certificates in the following store and select Intermediate Certification Authorities. Click OK.
- Click Finish, then OK on the confirmation.
Step 4: Install the primary certificate in Exchange 2003
- Go to Start > Programs > Microsoft Exchange > System Manager.
- Expand Administrative Groups, then your administrative group (for example First Administrative Group). If administrative groups are hidden, right-click your organization, choose Properties, select Display administrative groups, click OK twice, then restart System Manager.
- Expand Servers, then the server you want to configure.
- Expand Protocols and the protocol you want to secure. For POP3, expand it, right-click Default POP3 Virtual Server, and click Properties.
- On the Access tab, click Certificate to start the Web Server Certificate Wizard.
- Select Process the pending request and install the certificate, then click Next.
- Point to your certificate file, review the summary, click Next, then Finish.
The certificate is now installed on the Exchange 2003 server.
Frequently Asked Questions
Order a new certificate from your CA, then install it on the Exchange server the same way you installed the previous one: import the .pfx (or complete the pending request), then run Enable-ExchangeCertificate to assign it to your services. On Exchange 2019 CU15+ and SE you can also renew through the EAC. After enabling the new certificate, restart IIS so OWA and the ECP use it.
SSL stands for Secure Sockets Layer, a now-deprecated protocol replaced by TLS (Transport Layer Security). An SSL/TLS certificate encrypts the connection between the Exchange server and its clients, whether that is Outlook, a browser using OWA, or another mail server over SMTP. The encryption stops attackers from intercepting credentials and message contents in transit.
Run the Get-ExchangeCertificate cmdlet in the Exchange Management Shell to list the certificates installed on the server, along with their thumbprints, assigned services, and expiry dates:Get-ExchangeCertificate | Format-List Thumbprint,Services,NotAfter,Subject
It depends on the build. Microsoft removed the import and export certificate options from the EAC in Exchange 2016 and in Exchange 2019 CU12, then restored them in Exchange 2019 CU15. On Exchange 2013 and on Exchange 2019 CU15 or later, you can import in the EAC. On Exchange 2016 and Exchange 2019 CU12 to CU14, use the PowerShell method instead; it works on every supported version.
At a minimum, assign IIS (for OWA, the ECP, and Outlook connectivity) and SMTP (for mail transport). Add POP and IMAP only if you have enabled those client protocols. When assigning SMTP, Exchange may ask whether to replace the existing default SMTP certificate; confirm only if you intend this certificate to become the default.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

