bg-tutorials

How to Install an SSL Certificate on Exchange

In this guide, you will learn how to install an SSL/TLS certificate on Microsoft Exchange Server. We cover the modern method for Exchange 2016, 2019, and the new Exchange Server Subscription Edition (SE), plus archival steps for legacy versions.

Exchange spans many releases, and the certificate workflow differs between them, so check your Exchange version and cumulative update (CU) before you begin. If you have already generated your CSR and received the issued certificate, skip ahead to Install an SSL certificate on Exchange.

How to generate a CSR code in Microsoft Exchange

Before you can install a certificate, you need to obtain one from a trusted CA (Certificate Authority), and that starts with a CSR (Certificate Signing Request). A CSR is a block of encoded text that holds your contact and organization details. You have two options:

Once the Certificate Authority validates your request and issues the certificate, you can install it on your Exchange server using the steps below.

Pre-installation requirements

This guide covers all supported Exchange versions, including legacy setups, CU-specific differences, and the Exchange Server Subscription Edition (SE) that Microsoft released in 2025. Before you start, gather the following.

What you’ll need

  • A .pfx (PKCS#12) file that contains your SSL certificate, its private key, and the full certificate chain (intermediate and root).
  • The password you set on that .pfx file.
  • Administrative access to the Exchange server and, for the shell method, the Exchange Management Shell.

If you generated the CSR on the Exchange server itself, the private key already lives there as a pending request, and the CA usually returns a .cer or .crt file that you complete against that request (see the legacy 2010 steps for the “Complete pending request” flow). If instead you hold separate .crt, .cer, or .pem files plus the key, combine them into a single .pfx first. You can do that with our SSL tools or with OpenSSL:

openssl pkcs12 -export -out yourcert.pfx -inkey privkey.key -in server.crt -certfile ca-bundle.crt

Compatibility table

Exchange versionCertificate methodNotes
Exchange SE (2025+)EAC or PowerShellSame steps as 2019 CU15+
Exchange 2019 CU15+EAC or PowerShellEAC import/export restored in CU15
Exchange 2019 CU12 to CU14PowerShellEAC import/export was removed
Exchange 2016 (CU23)PowerShellEAC import/export/complete removed; use the shell
Exchange 2013EAC or PowerShellFull EAC certificate support
Exchange 2010Legacy methods (MMC + EMC)Unsupported; GUI-based
Exchange 2007 / 2003Legacy methodsUnsupported; no longer secure

The table reflects an important change. Microsoft removed the import and export certificate options from the EAC in Exchange 2016 and in Exchange 2019 CU12, then restored them in Exchange 2019 CU15 (KB5014278 also removed UNC-path inputs from several cmdlets at the same time). On versions where the EAC import option is missing, use the PowerShell method instead; it works everywhere.

Install an SSL certificate on Exchange 2016, 2019, and SE

You can install the certificate through the Exchange Admin Center (EAC) or the Exchange Management Shell (PowerShell). Pick the method that matches your version using the table above. Both finish the same way: import the certificate, then enable it for the services you run.

Method 1: Install via the EAC (Exchange Admin Center)

The EAC import option is available on Exchange 2013 and on Exchange 2019 CU15 or later. On Exchange 2016 (CU23) and Exchange 2019 CU12 to CU14, Microsoft removed the EAC certificate options (import, export, and complete request), so use the PowerShell method below instead. It works on every supported version.

Step 1: Open the EAC

  • Sign in to the EAC and go to Servers > Certificates.
  • In the Select server dropdown, choose the server where you want to install the certificate.

Step 2: Import the certificate

  • Click More options (the three dots), then Import Exchange certificate.
  • Enter the path to your .pfx file. The EAC requires a UNC path, for example \\FileServer01\Share\yourcert.pfx or \\ServerName\c$\Certs\yourcert.pfx, not a local drive letter.
  • Enter the .pfx password, then click Next.
  • Add the target server (or servers), then click Finish.

Step 3: Assign services

  • Select the imported certificate and click Edit.
  • Open the Services tab and select the services that should use the certificate:
  • IIS, for Outlook on the web (OWA), the ECP, and Outlook connectivity.
  • SMTP, for mail transport.
  • POP and IMAP, only if you have enabled those client protocols.
  • Click Save. If you are prompted to overwrite the default SMTP certificate, confirm only if you intend to replace it.

Method 2: Install via PowerShell (Exchange Management Shell)

This method works on every version from Exchange 2013 through Exchange SE, and it is the required method on Exchange 2016 and Exchange 2019 CU12 to CU14. Open the Exchange Management Shell as an administrator.

Step 1: Import the certificate

Point the shell at your .pfx file and supply its password. Because KB5014278 removed UNC-path parameters, this approach reads the file into memory with ReadAllBytes, which is the supported way on current builds:

$file = "C:\path\to\yourcert.pfx"
$pwd  = Read-Host -AsSecureString "Enter the PFX password"
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($file)) -Password $pwd

The command imports the certificate and returns its thumbprint. Copy that value for the next step. To list installed certificates and their thumbprints at any time, run:

Get-ExchangeCertificate

Step 2: Assign services

Enable the certificate for the services you use, replacing <THUMBPRINT> with the value from Step 1:

Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services IIS,SMTP

If you also offer POP or IMAP to clients, include them in the same command:

Enable-ExchangeCertificate -Thumbprint <THUMBPRINT> -Services IIS,SMTP,POP,IMAP

When Exchange asks whether to overwrite the existing default SMTP certificate, answer Y only if you want this certificate to become the default for SMTP. After the services are assigned, restart IIS so OWA and the ECP pick up the new certificate:

IISReset

You have now installed and enabled the certificate. To confirm it is being served correctly, you can scan the host with our SSL Checker, or test the SMTP endpoint with OpenSSL from another machine:

openssl s_client -starttls smtp -connect mail.yourdomain.com:25 -servername mail.yourdomain.com

Install an SSL certificate on legacy Exchange versions

Legacy notice: Exchange 2010, 2007, and 2003 are out of support and no longer receive updates or security patches from Microsoft. The steps below are provided for archival reference, for teams maintaining old internal systems. Where possible, migrate to a supported release (Exchange 2019 CU15+ or Exchange SE) for current TLS compatibility and security.

How to install an SSL certificate on Exchange 2010

Installing a certificate on Exchange 2010 involves three actions: creating a certificates snap-in, installing the intermediate certificate, and completing the pending request for the primary certificate. Take it one step at a time.

Step 1: Create the certificate snap-in

  • Click Start, open the Run window, type MMC (Microsoft Management Console), and press OK.
  • In the console, go to File and select Add/Remove Snap-in.
  • Choose Certificates and click Add.
  • Select Computer account, then Next.
  • Choose Local computer and press Finish.
  • Click OK and close the Add/Remove Snap-in window.

Step 2: Install the intermediate certificate

  • In the console’s left menu, right-click Intermediate Certification Authorities.
  • Select All Tasks, then Import.
  • In the Certificate Import Wizard, click Next.
  • Click Browse to locate the intermediate certificate file, then click Next.
  • Choose Place all certificates in the following store and select Intermediate Certification Authorities. Click OK.
  • Click Next, then Finish, then OK, and close the MMC console.

Step 3: Install the primary certificate

  • Click Start, then go to All Programs > Microsoft Exchange Server 2010 > Exchange Management Console.
  • In the left menu, select Microsoft Exchange On-Premises > Server Configuration.
  • Under Exchange Certificates, choose your primary certificate, then in the Actions menu click Complete Pending Request.
  • Click Browse to point to your certificate file, press Open, then click Complete.
  • Back in the console, in the Actions menu select Assign Services to Certificate.
  • Pick the server, click Next, select the services you want to secure, click Next, then Assign and Finish.

If you see the error “The source data is corrupted or not properly Base64 encoded”, check the Self-Signed field of the request. If it shows True, press F5 to refresh the console. If it still shows True, generate a new CSR and reissue the certificate. That done, you have installed the certificate on Exchange 2010.

How to install an SSL certificate on Exchange 2007

Before you begin, save the certificate files from your CA to a folder on the server.

  • Go to Start, click Run, type MMC, and click OK.
  • In the console, click File > Add/Remove Snap-in.
  • Select Certificates, then click Add.
  • Select Computer account, click Next, select Local computer, and click Finish.
  • Click OK to return to the console.
  • Expand the Certificates folder, right-click Intermediate Certification Authorities, choose All Tasks > Import, and complete the wizard, placing the file in the Intermediate Certification Authorities store.
  • Open Start > Microsoft Exchange Server 2007 > Exchange Management Shell.

Import the certificate, replacing the path with the full path and file name of your certificate:

Import-ExchangeCertificate -Path C:\your_certificate.crt

Then enable the certificate, pasting your thumbprint in place of the placeholder and listing the services you use (for example SMTP, POP, IMAP, UM, IIS):

Enable-ExchangeCertificate -Thumbprint paste_thumbprint_here -Services "SMTP,IMAP,IIS"

Close the Exchange Management Shell. The certificate is now installed on Exchange 2007.

How to install an SSL certificate on Exchange 2003

Step 1: Upload the certificates to your server

Open the archive from your SSL provider, extract the primary and intermediate certificates, save their contents with a text editor such as Notepad, and upload them to the server.

Step 2: Create a snap-in and install the intermediate certificate

  • Go to Start > Run, type MMC, then click OK.
  • Click File > Add/Remove Snap-in, then the Add tab.
  • Choose Certificates and click Add.
  • Select Computer account and click Next.
  • Select Local computer and click Finish, then close the windows with OK.

Step 3: Continue the intermediate certificate installation

  • In the MMC console, double-click the Intermediate Certification Authorities folder in the left pane.
  • In the right pane, right-click Certificates, select All Tasks, then Import.
  • In the Certificate Import Wizard, click Next, browse to your intermediate certificate file, and click Next.
  • Choose Place all certificates in the following store and select Intermediate Certification Authorities. Click OK.
  • Click Finish, then OK on the confirmation.

Step 4: Install the primary certificate in Exchange 2003

  • Go to Start > Programs > Microsoft Exchange > System Manager.
  • Expand Administrative Groups, then your administrative group (for example First Administrative Group). If administrative groups are hidden, right-click your organization, choose Properties, select Display administrative groups, click OK twice, then restart System Manager.
  • Expand Servers, then the server you want to configure.
  • Expand Protocols and the protocol you want to secure. For POP3, expand it, right-click Default POP3 Virtual Server, and click Properties.
  • On the Access tab, click Certificate to start the Web Server Certificate Wizard.
  • Select Process the pending request and install the certificate, then click Next.
  • Point to your certificate file, review the summary, click Next, then Finish.

The certificate is now installed on the Exchange 2003 server.

Frequently Asked Questions

How do I update or renew an SSL certificate in Exchange?

Order a new certificate from your CA, then install it on the Exchange server the same way you installed the previous one: import the .pfx (or complete the pending request), then run Enable-ExchangeCertificate to assign it to your services. On Exchange 2019 CU15+ and SE you can also renew through the EAC. After enabling the new certificate, restart IIS so OWA and the ECP use it.

What is SSL in Exchange?

SSL stands for Secure Sockets Layer, a now-deprecated protocol replaced by TLS (Transport Layer Security). An SSL/TLS certificate encrypts the connection between the Exchange server and its clients, whether that is Outlook, a browser using OWA, or another mail server over SMTP. The encryption stops attackers from intercepting credentials and message contents in transit.

How do I find my Exchange SSL certificate?

Run the Get-ExchangeCertificate cmdlet in the Exchange Management Shell to list the certificates installed on the server, along with their thumbprints, assigned services, and expiry dates:
Get-ExchangeCertificate | Format-List Thumbprint,Services,NotAfter,Subject

Can I install the certificate through the EAC on Exchange 2016 or 2019?

It depends on the build. Microsoft removed the import and export certificate options from the EAC in Exchange 2016 and in Exchange 2019 CU12, then restored them in Exchange 2019 CU15. On Exchange 2013 and on Exchange 2019 CU15 or later, you can import in the EAC. On Exchange 2016 and Exchange 2019 CU12 to CU14, use the PowerShell method instead; it works on every supported version.

Which services should I assign the certificate to?

At a minimum, assign IIS (for OWA, the ECP, and Outlook connectivity) and SMTP (for mail transport). Add POP and IMAP only if you have enabled those client protocols. When assigning SMTP, Exchange may ask whether to replace the existing default SMTP certificate; confirm only if you intend this certificate to become the default.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.