Installing an SSL certificate in Exchange 2013 Shell

Previously, we created the CSR in Exchange Management Shell and used it to activate the certificate. After the certificate is issued, you can download the files in your Namecheap account.

The file used for Windows is .p7b. Exchange requires the .cer file, and you can simply rename your .p7b file to .cer as far as they belong to the same certificate format.

The files should be saved on your computer for installation.

To install the certificate, open Exchange Shell and type the following command:

Import-ExchangeCertificate –FileData ([byte []]$(Get-Content –Path “path_to_certificate.cer” –Encoding Byte –ReadCount 0))

If everything is entered correctly, the system will display the Thumbprint of the certificate and its details (common name, organizational unit, etc.).

In our example, the certificate file was saved on the disc C://, folder “certs”.


In the next step, it is necessary to assign the certificate to the Exchange services. The command is as follows:

Get-ExchangeCertificate –ThumbPrint | Enable-ExchangeCertificate –Services IIS,SMTP,IMAP,POP

The thumbprint used here is the sequence of digits displayed by the system in the previous step. You can also find the thumbprint by decoding your certificate, which can be done in one of two ways:

  1. Use the .crt file from the zip folder you have downloaded from your account. Go to this decoder, paste the content of the .crt file in and look for the “SHA1 Fingerprint” field. Note: you would need to delete the colons (:) from the fingerprint before using it in your Shell.
  2. Use the .p7b file from the zip folder. The decoder will show a message that the certificate is in PKCS#7 format and display the PEM certificate on the page. You will need to copy and decode the PEM certificate with the -----BEGIN CERTIFICATE----- header and use the digits from the “SHA1 Fingerprint” field.

After you type the command and click Enter, the system will ask if the current installed certificate should be overwritten. This happens if it is the first trusted certificate which will overwrite the default self-signed certificate, or if you have reissued/renewed your certificate. Confirm that the certificate should be overwritten.


The certificate is now installed on the server and assigned to the necessary services. To confirm that it has installed correctly, connect to your server in the browser using the URL of your domain and check the certificate details.

39144 times

Need help? We're always here for you.