Assign certificates to Exchange 2016 services

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders. If you have feedback, we'd love to hear from you. Send us an email at ExchangeHelpFeedback@microsoft.com.]

Applies to: Exchange Server 2016

Learn how to assign certificates to Exchange services in Exchange 2016.

After you install a certificate on an Exchange Server 2016 server, you need to assign the certificate to one or more Exchange services before the Exchange server is able to use the certificate for encryption. You can assign certificates to services in the Exchange admin center (EAC) or in the Exchange Management Shell. Once you assign a certificate to a service, you can't remove the assignment. If you no longer want to use a certificate for a specific service, you need to assign another certificate to the service, and then remove the certificate that you don't want to use.

The available Exchange services are described in the following table.

 

Service Uses

IIS

TLS encryption for internal and external client connections that use HTTP. This includes:

  • Autodiscover

  • Exchange ActiveSync

  • Exchange admin center

  • Exchange Web Services

  • Offline address book (OAB) distribution

  • Outlook Anywhere (RPC over HTTP)

  • Outlook MAPI over HTTP

  • Outlook on the web

IMAP

TLS encryption for IMAP4 client connections.

Don't assign a wildcard certificate to the IMAP4 service. Instead, use the Set-ImapSettings cmdlet to configure the fully qualified domain name (FQDN) that clients use to connect to the IMAP4 service.

POP

TLS encryption for POP3 client connections.

Don't assign a wildcard certificate to the POP3 service. Instead, use the Set-PopSettings cmdlet to configure the FQDN that clients use to connect to the POP3 service.

SMTP

TLS encryption for external SMTP client and server connections.

Mutual TLS authentication between Exchange and other messaging servers.

When you assign a certificate to SMTP, you are prompted to replace the default Exchange self-signed certificate that's used to encrypt SMTP communication between internal Exchange servers. Typically, you don't need to replace the default SMTP certificate.

Unified Messaging (UM)

TLS encryption for client connections to the backend UM service on Mailbox servers.

You can only assign a certificate to the UM service when the UM startup mode property of the service is set to TLS or Dual. If the UM startup mode is set to the default value TCP, you can't assign the certificate to the UM service. For more information, see Configure the startup mode on a Mailbox server.

Unified Messaging Call Router (UMCallRouter)

TLS encryption for client connections to the UM Call Router service in the Client Access services on Mailbox servers.

You can only assign a certificate to the UM Call Router service when the UM startup mode property of the service is set to TLS or Dual. If the UM startup mode is set to the default value TCP, you can't assign the certificate to the UM Call Router service. For more information, see Configure the startup mode on a Client Access server.

  • Estimated time to complete: 5 minutes.

  • If you renew or replace a certificate that was issued by a CA on a subscribed Edge Transport server, you need to remove the old certificate, and then delete and recreate the Edge Subscription. For more information, see Edge Subscription process.

  • To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • You need to be assigned permissions before you can perform these procedures. To see what permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

  1. Open the EAC, and navigate to Servers > Certificates.

  2. In the Select server list, select the Exchange server that holds the certificate.

  3. Select the certificate that you want to configure, and then click Edit (edit icon). The certificate needs to have the Status value Valid.

  4. On the Services tab, in the Specify the services you want to assign this certificate to section, select the services. Remember, you can add services, but you can't remove them. When you are finished, click Save.

To assign a certificate to Exchange services, use the following syntax:

    Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services <Service1>,<Service2>... [-Server <ServerIdentity>]

This example assigns the certificate that has the thumbprint value 434AC224C8459924B26521298CE8834C514856AB to the POP, IMAP, IIS, and SMTP services.

    Enable-ExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services POP,IMAP,IIS,SMTP

You can find the certificate thumbprint value by using the Get-ExchangeCertificate cmdlet.

To verify that you have successfully assigned a certificate to one or more Exchange services, use either of the following procedures:

  • In the EAC at Servers > Certificates, verify the server where you installed the certificate is selected. Select the certificate, and in the details pane, verify that the Assigned to services property contains the services that you selected.

  • In the Exchange Management Shell on the server where you installed the certificate, run the following command to verify the Exchange services for the certificate:

    Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,Services
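
The constraints this topic describes (the Status value must be Valid, no wildcard certificate on IMAP or POP, assignments can't be removed, and the Services value should be verified afterwards) can be checked around the Enable-ExchangeCertificate call. The following is an added example, not part of the original topic; the function name Enable-CheckedExchangeCertificate is hypothetical, and the script assumes it runs in the Exchange Management Shell.

```powershell
# Added example. Enable-CheckedExchangeCertificate is a hypothetical wrapper,
# not a built-in cmdlet. Run it in the Exchange Management Shell.
function Enable-CheckedExchangeCertificate {
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [string[]] $Services,
        [string] $Server = $env:COMPUTERNAME
    )

    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server -ErrorAction Stop

    # The certificate needs to have the Status value Valid.
    if ("$($cert.Status)" -ne 'Valid') {
        throw "Certificate $Thumbprint has status '$($cert.Status)'; it must be Valid."
    }

    # Don't assign a wildcard certificate to the IMAP4 or POP3 service.
    $names      = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $wildcards  = @($names | Where-Object { $_.StartsWith('*.') })
    $isWildcard = ($cert.Subject -match 'CN=\*\.') -or ($wildcards.Count -gt 0)
    $mailSvc    = @($Services | Where-Object { $_ -in 'IMAP', 'POP' })
    if ($isWildcard -and $mailSvc.Count -gt 0) {
        throw ("Wildcard certificate requested for $($mailSvc -join ', '). " +
               "Configure the client FQDN with Set-ImapSettings / Set-PopSettings instead.")
    }

    # Assignments can't be removed later, so show what is already bound first.
    Write-Host "Currently assigned to: $($cert.Services)"

    # -Force is deliberately not used: when SMTP is requested, the prompt about
    # replacing the default self-signed SMTP certificate stays visible.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services $Services -Server $Server

    # Re-read the certificate and confirm every requested service is listed.
    $after    = Get-ExchangeCertificate -Thumbprint $Thumbprint -Server $Server
    $assigned = "$($after.Services)" -split ',\s*'
    $missing  = @($Services | Where-Object { $_ -notin $assigned })
    if ($missing.Count -gt 0) {
        throw "Not assigned after Enable-ExchangeCertificate: $($missing -join ', ')"
    }
    $after | Select-Object FriendlyName, Subject, CertificateDomains, Thumbprint, Services
}

# Usage with the thumbprint from the example in this topic:
# Enable-CheckedExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services POP,IMAP,IIS,SMTP
```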
    