Install certificate in Exchange 2007

 I recently had to renew my Exchange certificate as it expired. The original admin that set up this Exchange bought the previous certificate from Digi. I decided to go with Startcom (Free SSL) as I have used them once before in an OCS deployment and they worked out well. Exchange is a little different in that you must use Exchange management shell (PowerShell) during the process of installing a certificate for Outlook Web Access (OWA). I am going to cover 5 steps to installing a certificate Exchange for OWA.

 To Open Exchange Management Shell: Go to START >>Programs>>Microsoft Exchange Server 2007 >> Exchange Management Shell


This is the management shell


Step1 – Generate Certificate Request in Powershell:

New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 1024 -SubjectName “c=GB, s=Middx, l=MyCompany, ou=IT,” -PrivateKeyExportable $True

Output should look like this:  


Step2 – Get the certificate request approved by a Certificate Authority:

You will see the generated certificate request looks like this inside if you were to open it in notepad.


The Certificate Authority you have chosen will have you paste or upload this text or file to them and they will sign it. I recommend using Startcom ( as your certificate authority. They offer free and low cost certificates. They will give you a certificate that looks similar to above if you were to open it in notepad. You need to save the certificate the CA gives you on your server and be sure it ends with .cer.

Step3 – Import Cert through Exchange management shell or MMC certificate snap-in:

Now you need to import that .cer file in that you received from your Certificate Authority. Here is the syntax for doing this in Exchange Management shell.

Import-ExchangeCertificate -path e:\certificates\mail_domain_com.cer –FriendlyName “”

You can also import this into your certificate store on the server using the traditional way. Go to start>>run>>type in mmc>>hit enter then click on file>>add or remove snap-ins>> select certificates


Once you click add the next window will appear


Click next and choose local computer account


Click finish then click ok. You will then need to expand Certificates>>Personal>>Certificates this is where you want to import the certificate you just received from your CA.


Once it is here Exchange management shell will see it with no problem. You can use Exchange management shell to import it or through MMC. In my opinion Exchange management shell is a faster way to import the certificate in.

Step4 – Ensure Exchange can see the newly imported certificate:

You can run the following command in Exchange management console to see what certificates it picks up.


The output should look like the picture below. Take note of the thumbprint on the certificate you are going to use.


You can also output this data to a file using this command:

Get-ExchangeCertificate | fl | out-file –filePath c:\certificate_store.txt

This will put a file on your C: drive named certificate_store. You can open this file in notepad to reference the thumbprint of the certificates that are installed. You will need this thumbprint in the next step when enabling it for OWA or later if you need to remove the certificate.  Command for removing a certificate using Exchange management shell:

Remove-ExchangeCertificate –thumbprint

Step5 – Enable it for OWA:

Ok you have generated a certificate request, got it approved by a CA, imported it into your certificates store on the Exchange server, and verified Exchange sees it in the store. Now you need to enable the certificate for OWA. This will tell Exchange to use this particular certificate for your OWA site. It has also been my experience that this works for ActiveSync, and Outlook Anywhere so you do not have to enable it separately for these services. The command to enable it for OWA is:

Enable-ExchangeCertificate -Thumbprint TYPETHUMBPRINTHERE -Services IIS

Test your OWA access and other Exchange services:

Your certificate install is complete you can now test your OWA, Outlook Anywhere, ActiveSync and more. Use Microsoft’s Exchange Connectivity website to test these:

Print Friendly, PDF & Email

Leave a Comment