Applies to: Exchange Server 2013

This cmdlet is available only in on-premises Exchange Server 2013.

Use the Import-ExchangeCertificate cmdlet to import a certificate or chain of certificates.

For information about the parameter sets in the Syntax section below, see Syntax.

Import-ExchangeCertificate -Instance <String[]> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileData <Byte[]> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileName <String> <COMMON PARAMETERS>
COMMON PARAMETERS: [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

This example imports an existing certificate and private key from the PKCS #12 file ExportedCert.pfx.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

This example imports a chain of certificates from the PKCS #7 file IssuedCert.p7b.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\IssuedCert.p7b -Encoding byte -ReadCount 0)) 

You can use the Import-ExchangeCertificate cmdlet for the following purposes:

  • To import a certificate or chain of certificates from a PKCS #7 file that has been issued by a certification authority (CA). PKCS #7 is the Cryptographic Message Syntax Standard, a syntax used for digitally signing or encrypting data using public key cryptography, including certificates.

  • To import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file to the certificate store on the local computer. PKCS #12 is the Personal Information Exchange Syntax Standard, a file format used to store certificates with corresponding private keys protected with a password. The standard is specified by RSA Laboratories. For more information, see the PKCS #12: Personal Information Exchange Syntax Standard website.

    There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration.
    In Microsoft Exchange Server 2013, to import data from a file, you must use the Get-Content cmdlet to retrieve file data and use the FileData parameter to specify the retrieved data. This can be done in a two-step process, or in a single step. Examples shown in this cmdlet use the single-step approach.
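The two-step approach mentioned above, as an added example that is not part of the original topic: it reads the PKCS #12 file into a variable first, imports the key as non-exportable, and confirms the result with Get-ExchangeCertificate. Read-Host -AsSecureString is used here in place of Get-Credential to collect the password. The server name EXCH01 and the friendly name are assumed placeholders.

```powershell
# Added example; run in the Exchange Management Shell (Windows PowerShell).
$pfxPath = 'C:\certificates\ExportedCert.pfx'   # file name taken from the page's example
$server  = 'EXCH01'                             # hypothetical server name (assumption)

if (-not (Test-Path -LiteralPath $pfxPath -PathType Leaf)) {
    throw "Certificate file not found: $pfxPath"
}

# Step 1: read the PKCS #12 file as raw bytes. -ReadCount 0 returns the
# whole file in one array instead of streaming it byte by byte.
[Byte[]]$pfxBytes = Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0

# Collect the PFX password as a SecureString so it is never typed on the
# command line or stored in a plain-text variable.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$importArgs = @{
    FileData             = $pfxBytes
    Password             = $pfxPassword
    PrivateKeyExportable = $false                     # key cannot be exported again from this server
    FriendlyName         = 'Exchange TLS (imported)'  # assumed name; must be less than 64 characters
    Server               = $server
}

# Dry run: show what would be imported without changing the certificate store.
Import-ExchangeCertificate @importArgs -WhatIf

# Step 2: perform the import and keep the returned certificate object.
$cert = Import-ExchangeCertificate @importArgs

# Confirm that the certificate landed on the server with its private key.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, NotAfter, HasPrivateKey, Services
```

After a successful import, delete or tightly restrict the .pfx file, because it still contains the private key protected only by its password.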

The certificate may be published in Active Directory for the purposes of direct trust by using mutual TLS if the following conditions are true:

  • The certificate is marked as an SMTP TLS certificate.

  • The Subject Name on the certificate matches the fully qualified domain name (FQDN) of the local computer.

The certificate may be published in Active Directory by Edge Subscription if the following conditions are true:

  • You import the certificate to an Edge Transport server.

  • The certificate has an FQDN that matches the server FQDN.

The Import-ExchangeCertificate cmdlet imports either a certificate that's issued from an outstanding request or a PKCS #12 file.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell infrastructure permissions topic.


Parameter Required Type Description




The FileData parameter specifies the content retrieved from the certificate file using the Get-Content cmdlet. For implementation details, see the Examples section.




The FileName parameter specifies the name of the file that contains the certificate you want to import.




The Instance parameter specifies whether to pass a whole object to the command to be processed. This parameter is mainly used in scripts where a whole object must be passed to the command.




The Confirm switch causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm switch.




The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that writes this configuration change to Active Directory.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.




The FriendlyName parameter specifies a friendly name for the resulting certificate. The friendly name must be less than 64 characters.

The default friendly name is Microsoft Exchange.




The Password parameter specifies the password for the private key that's imported with this command. Use the Get-Credential cmdlet to store the password variable.

The Get-Credential cmdlet prompts you for a user name and password, but only the password field is used to import the certificate. You don't have to use a real domain name or user name in the Name field. For implementation details, see the Examples section.




The PrivateKeyExportable parameter specifies whether the private key of the certificate can be exported.




The Server parameter specifies the server name to which you want to import the certificate.




The WhatIf switch instructs the command to simulate the actions that it would take on the object. By using the WhatIf switch, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.