Import or install a certificate on an Exchange 2016 server
Applies to: Exchange Server 2016
Learn how to import (install) a certificate on an Exchange 2016 server.
To enable encryption for one or more Exchange services, the Exchange server needs to use a certificate. SMTP communication between internal Exchange servers is encrypted by the default self-signed certificate that’s installed on the Exchange server. To encrypt communication with internal or external clients, servers, or services, you’ll likely want to use a certificate that’s automatically trusted by all clients, services and servers that connect to your Exchange organization. For more information, see Certificate requirements for Exchange services.
You can import (install) certificates on Exchange servers in the Exchange admin center (EAC) or in the Exchange Management Shell.
These are the types of certificate files that you can import on an Exchange server:
PKCS #12 certificate files: These are binary certificate files that have .cer, .crt, .der, .p12, or .pfx filename extensions, and require a password when the file contains the private key or chain of trust. Examples of these types of files include:
Self-signed certificates that were exported from other Exchange servers by using the EAC or the Export-ExchangeCertificate cmdlet with the PrivateKeyExportable parameter value $true. For more information, see Export a certificate from an Exchange server.
Certificates that were issued by a certification authority (an internal CA like Active Directory Certificate Services, or a commercial CA).
Certificates that were exported from other servers (for example, Skype for Business Server).
PKCS #7 certificate files: These are text certificate files that have .p7b or .p7c filename extensions. These files contain the text: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- or -----BEGIN PKCS7----- and -----END PKCS7-----. A certificate authority might include a chain of certificates file that also needs to be installed along with the actual binary certificate file.
Estimated time to complete: 5 minutes.
In the EAC, you need to import the certificate file from a UNC path (\\Server\Share\ or \\LocalServerName\c$\). In the Exchange Management Shell, you can specify a local path.
In the EAC, you can import the certificate file on multiple Exchange servers at the same time (Step 4 in the procedure).
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the “Client Access services security” entry in the Clients and mobile devices permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Open the EAC and navigate to Servers > Certificates.
In the Select server list, select the Exchange server where you want to install the certificate, click More options, and select Import Exchange certificate.
The Import Exchange certificate wizard opens. On the This wizard will import a certificate from a file page, enter the following information:
File to import from: Enter the UNC path and filename of the certificate file. For example, \\FileServer01\Data\Fabrikam.cer
Password: If the certificate file contains the private key or chain of trust, the file is protected by a password. Enter the password here.
When you are finished, click Next.
In the Specify the servers you want to apply this certificate to page, click Add.
On the Select a server page that opens, select the Exchange server where you want to install the certificate, and click Add ->. Repeat this step as many times as necessary. When you are finished selecting servers, click OK.
When you are finished, click Finish. For next steps, see the Next steps section.
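The Exchange Management Shell route mentioned above accepts a local path. The following is an added example, not part of the original article: it checks what kind of certificate file it was given before importing it, and prompts for the password so it never appears in the command line or history. The file path and the 30-day expiry threshold are assumptions chosen for illustration.

```powershell
# Added example. Run in the Exchange Management Shell on the target server.
# $Path is a hypothetical local file; replace it with your own certificate file.
$Path  = 'C:\Certs\Fabrikam.pfx'
$bytes = [System.IO.File]::ReadAllBytes($Path)

# Ask .NET what the file contains before handing it to Exchange.
# Returns an X509ContentType value such as Pfx (PKCS #12), Pkcs7 or Cert.
$type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($bytes)
Write-Host "Detected content type: $type"

$importArgs = @{
    FileData             = $bytes
    PrivateKeyExportable = $false   # keep the private key non-exportable on this server
}

if ($type -eq [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx) {
    # PKCS #12 files are password protected; prompt instead of typing it in plain text.
    $importArgs.Password = Read-Host -Prompt "Password for $Path" -AsSecureString
}

$cert = Import-ExchangeCertificate @importArgs

# Post-import checks before the certificate is assigned to any Exchange service.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) was imported without a private key."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {   # 30 days is an assumed threshold
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)."
}
$cert | Format-List Thumbprint, Subject, NotAfter, HasPrivateKey, Services
```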