Applies to: Exchange Server 2013

This cmdlet is available only in on-premises Exchange.

Use the Enable-ExchangeCertificate cmdlet to enable an existing certificate in the local certificate store for Exchange services such as Internet Information Services (IIS), SMTP, POP, IMAP, and Unified Messaging (UM).

There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration.
Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.
Don't use the Enable-ExchangeCertificate cmdlet to enable a certificate for federation. Certificates used for federation trusts are managed by using the New-FederationTrust and Set-FederationTrust cmdlets.

For information about the parameter sets in the Syntax section below, see Syntax.

Enable-ExchangeCertificate -Thumbprint <String> [-Server <ServerIdParameter>] <COMMON PARAMETERS>
Enable-ExchangeCertificate [-Identity <ExchangeCertificateIdParameter>] <COMMON PARAMETERS>
COMMON PARAMETERS: -Services <None | IMAP | POP | UM | IIS | SMTP | Federation | UMCallRouter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-DoNotRequireSsl <SwitchParameter>] [-Force <SwitchParameter>] [-NetworkServiceAllowed <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

This example enables a certificate for POP, IMAP, SMTP, and IIS services.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services POP,IMAP,SMTP,IIS

The Enable-ExchangeCertificate cmdlet enables certificates by updating the metadata stored with the certificate. To enable an existing certificate to work with additional Exchange services, use the Enable-ExchangeCertificate cmdlet and specify the additional services.

The Enable-ExchangeCertificate cmdlet is additive. When you specify a subset of services for which a certificate is enabled, the services that aren't specified aren't removed from the Services property. If you don't want to use an existing enabled certificate for Exchange services, you must enable another certificate, and then remove the certificate you don't want to use.

Different services have different certificate requirements. For example, some services may only require a server name in the Subject Name or Subject Alternative Name fields of a certificate, whereas other services may require an FQDN. Make sure that the certificate name can support the uses required by the services you enable it for.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell infrastructure permissions topic.


Parameter Required Type Description




The Services parameter specifies the services that use the certificate. Valid entries include one or more of the following:

  • IIS

  • IMAP

  • POP

  • SMTP

  • UM

  • UMCallRouter

  • Federation

  • None

To enable a certificate for multiple services, separate each value with a comma, for example:

-Services IMAP,POP,IIS

You can't use the Enable-ExchangeCertificate cmdlet to enable a certificate for federation. Creating or modifying a federation trust enables or modifies how certificates are used for federation.




The Thumbprint parameter specifies the certificate that you're enabling. Each certificate contains a thumbprint, which is the digest of the certificate data. To view the thumbprint of a certificate, use the Get-ExchangeCertificate cmdlet.




The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.




The DoNotRequireSsl switch specifies whether to leave IIS settings unchanged when IIS is one of the enabled services. If IIS is one of the enabled services, the cmdlet changes the default website settings to require SSL. Set the DoNotRequireSsl switch to $true to override this behavior and leave IIS settings unchanged.




The Force switch specifies whether to override the confirmation prompt and set the new certificate as the default certificate for TLS for internal SMTP communication. By default, when you enable a certificate for SMTP, the command prompts for confirmation.




The Identity parameter specifies the certificate ID.




The NetworkServiceAllowed switch specifies that the Network Service be allowed permissions to access the certificate specified, without enabling the certificate for SMTP.




The Server parameter specifies the server name on which you want to enable the certificate.




The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.