The Enable-ExchangeCertificate cmdlet enables a certificate for one or more services by updating the metadata that is stored with the certificate. To enable an existing certificate for additional services, run the Enable-ExchangeCertificate command and specify the services that you want to enable. You can rerun this cmdlet whenever you want to add new services that use the certificate.
Remember that different services have different metadata requirements on a given certificate. In addition, the Enable-ExchangeCertificate cmdlet is only additive. That means that you can't disable or remove specific services from the certificate by using the Enable-ExchangeCertificate command.
For example, some services may only require a server name in the certificate, whereas other services may require a fully qualified domain name (FQDN). Make sure that the certificate name can support the uses required by the services you enable it for.
When you enable a certificate for the Simple Mail Transfer Protocol (SMTP) service and the certificate contains an FQDN that matches the FQDN of the local computer, the certificate may be published to the Active Directory directory service.
To disable a certificate without removing or deleting it, set the Services parameter to None. Note that setting the Services parameter to None does not remove any existing service metadata from the certificate.
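The following Exchange Management Shell session is an added example, not part of the original documentation: it checks that an existing certificate's names cover the local server's FQDN and that it is not about to expire, previews the change with -WhatIf, enables the certificate for IIS and SMTP, and then reads the stored service metadata back. The thumbprint value is a constructed placeholder.

```powershell
# Added example (not from the original page). Assumes the Exchange Management
# Shell on the target server; the thumbprint below is a constructed placeholder.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if ($cert -eq $null) {
    throw "Certificate $thumbprint was not found in the local certificate store."
}

# Services such as IIS and SMTP are contacted by FQDN, so a certificate that
# lacks the server's FQDN will produce name-mismatch errors for clients.
if ($cert.CertificateDomains -notcontains $fqdn) {
    Write-Warning "Certificate does not contain $fqdn; clients using that name will see a name mismatch."
}

# Flag certificates that expire within 30 days before binding more services to them.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew before enabling additional services."
}

# Preview first. Enable-ExchangeCertificate is additive: any services already
# enabled on this certificate remain enabled after this call.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP -WhatIf
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP

# Confirm that the metadata stored with the certificate now lists the services.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```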
To run the Enable-ExchangeCertificate cmdlet, the account you use must be delegated the following:
- Exchange Server Administrator role and local Administrators group for the target server
To run the Enable-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.