How to export/import certificates on Exchange 2013 Shell

The same certificate can be used on different Exchange servers by using the export/import process. After installing the certificate on the server from which the certificate request was initially generated, use the Shell command lines to export the installed certificate from one server and import it to another one.


You may export the certificate from the Exchange server using the certificate’s domain name or its thumbprint.

1) Using Domain name:

Get-ExchangeCertificate -DomainName “” | Export-ExchangeCertificate
-BinaryEncoded:$true -Password (Get-Credential).password


After clicking Enter, you will be prompted to enter your username and password. You can type anything for the username as this field does not matter here. However, you should remember the password since you will need it to import or convert the certificate into other formats. If this password is lost or forgotten, it cannot be recovered. In this case, you would need to export the certificate again to a new file with new credentials.

2) Using Thumbprint:

Export-ExchangeCertificate -ThumbPrint -BinaryEncoded:$true -Password (Get-Credential).password


The certificate thumbprint can be obtained in several different ways. For example, if you have installed the certificate on any server you can access from your Shell, you have already used the thumbprint during the certificate installation process.

Otherwise, you can open the file with the certificate text by cutting and pasting the text in this decoder and looking for the “SHA1 Fingerprint” field. If you use your certificate’s .crt file which has the -----BEGIN CERTIFICATE----- header, the output will show the “SHA1 Fingerprint”. If you decode the .p7b or .cer file, the tool will show a message that the certificate is in PKCS#7 format and display the PEM text of the certificate with Begin and End headers on the page. You will need to decode the PEM text once again to see the thumbprint/SHA1 fingerprint, which are the same.

Once you have entered the password which encrypts the certificate, you need to specify the path to the file where the exported certificate should be saved:

Set-Content -Path “c:\file_name.pfx” -Value $file.FileData -Encoding Byte



Before importing, the certificate .pfx file should be saved on your computer. You can also import the certificate if it was created on another machine as long as you have saved it in the .pfx format and have the correct password.

Use the following command:

Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path path/to/certificate.pfx -Encoding Byte -ReadCount 0)) -Password (Get-Credential).password -Server

The “-Server ” section helps import the certificate to a particular server if you have several of them on one machine. In our example, this part is omitted since only one server was enabled initially.


The system asks for the username and password. You can enter any value in the username field as it is not relevant here. However, the password should match the one used for creating the .pfx file (during the certificate export or conversion).

If the password matches, the certificate will be imported onto the server. The Shell displays its thumbprint and details.


To assign the certificate to the Exchange services, use this guide.

22460 times

Need help? We're always here for you.