Step-by-Step Process for Installing a New Exchange Server Certificate Using PowerShell

In Exchange 2016 CU23 and Exchange 2019 CU12, the ability to create and manage certificates via the GUI has been deprecated per this article: Deprecation of Certificate Tools in Exchange Admin Center GUI – IT Blog ( So, I wanted to show everyone how to now use PowerShell to do the Exchange Certificate Management as it is handled differently than regular PKI cmdlets and tools are used.

First installment is to do this for a New Certificate for your Exchange Server and NOT a renewal

Generate your CSR

Follow your protocols for setting up your Subject Alternative Name Certificate Domains. I use my UCC SAN Certificate with ADFS as well as Exchange so I have a total of 5 domains listed on my Certificate: <– Common Name <– SAN for ADFS Services <– SAN for Exchange Security Protocol <–SAN for Exchange AutoDiscover <– SAN For Outlook on the Web

You want to have your Identifiers set for your certificate as well:
C= (Country)
S= (State)
L= (Location)
O= (Organization Name)
OU= (Department Name or Type of Business)

Make sure it is SHA2 / AES256 with 2048 bit Encryption.
Have a file folder where to store the request.

This must be done on your Exchange Server running Exchange Management Shell as it will create the private key pair to encrypt your certificate:

That should create a CSR file that you will use to upload or copy/paste to according to your Certificate Provider. It will look something like the following:

REQ File

Complete The CSR Request

Once you have validated your certificate and downloaded from your provider, you will unzip the certificates and place your .crt file in a directory on the same exchange server you generated the request from. I saved mine to the c:\root\ directory.

Next run the following cmdlet to Import the Exchange Certificate and complete the CSR request that you Generated:

If there are no errors, then you should see the certificate with the new thumbprint in the Exchange Certificate List as well as in the Personal Certificate Store of the Certificates MMC Snap-In:

Enable Exchange Services to the Certificate

Next, we need to Enable the certificate to be used for all the services in Exchange. That is done with the following cmdlet:

NOTE: Choose Yes to overwrite the existing Default SMTP Certificate and validate the new thumbprint will replace it. Since this is a new installation, this is the proper method.

Enable-Exchange Certificate

Export the PFX Certificate

Once that is completed, we will need to export the working certificate to use for our other Exchange Servers so that the Exchange services on those servers use the same certificate. To do this properly, we need to export the certificate as a .pfx (PKCS #12 Personal File Exchange) Certificate. This was why making the Private Key Exportable in the CSR was so important. You need to extract the key pair when exporting the certificate so that you can properly use it on the other Exchange Servers.

The process has TWO lines of commands to export. Remember to choose a directory to save the .pfx to and choose a password that you will remember as you will need it to import on the other servers. The procedure to export our working certificate is as follows:

Import the PFX to the other Exchange Servers and Install

Copy the file to the other Exchange Server and run the import procedure. Remember to set the path to the .pfx file, set the Exchange Server you are installing on, and MAKE THE PRIVATE KEY EXPORTABLE, just in case you lose the .pfx file. See example:

Enable the Exchange Services for the imported certificate the same way as above.

You should then be good to go for that Exchange Server!


Get E-Mail Updates
I agree to have my personal information transfered to MailChimp ( more information )
Want to know when I post new content? Sign up here to get an email when I do post!
I despise spam. Your email address will not be sold or shared with anyone else.