Applies to: Exchange Server 2016

This cmdlet is available only in on-premises Exchange Server 2016.

Use the Import-ExchangeCertificate cmdlet to import a certificate or chain of certificates.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Import-ExchangeCertificate -Instance <String[]> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileData <Byte[]> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileName <String> <COMMON PARAMETERS>
COMMON PARAMETERS: [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]

This example imports an existing certificate and private key from the PKCS #12 file ExportedCert.pfx.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

This example imports a chain of certificates from the PKCS #7 file IssuedCert.p7b.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\IssuedCert.p7b -Encoding byte -ReadCount 0))

You can use the Import-ExchangeCertificate cmdlet for the following purposes:

  • To import a certificate or chain of certificates from a PKCS #7 file that has been issued by a certification authority (CA). PKCS #7 is the Cryptographic Message Syntax Standard, a syntax used for digitally signing or encrypting data using public key cryptography, including certificates. For more information, see PKCS #7: Cryptographic Message Syntax Standard.

  • To import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file to the certificate store on the local computer. PKCS #12 is the Personal Information Exchange Syntax Standard, a file format used to store certificates with corresponding private keys protected with a password. The standard is specified by RSA Laboratories. For more information, see the PKCS #12: Personal Information Exchange Syntax Standard website.

    There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration.
    In Microsoft Exchange, to import data from a file, you need to use the Get-Content cmdlet to retrieve file data and use the FileData parameter to specify the retrieved data. This can be done in a two-step process, or in a single step. Examples shown in this cmdlet use the single-step approach.
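The two-step approach described above, carried through with the FriendlyName, Password and PrivateKeyExportable parameters from the syntax, as an added example that is not part of the original topic. The file path and friendly name are assumed values, and the follow-up Get-ExchangeCertificate call and the properties it displays are assumed from general Exchange cmdlet knowledge rather than from this page.

```powershell
# Two-step import of a PKCS #12 (.pfx) file on the local Exchange 2016 server.
$PfxPath = 'C:\certificates\ExportedCert.pfx'   # assumed path, not from the page

# Step 1: read the whole file into a byte array (Get-Content, as the topic describes).
$FileData = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)

# Only the password field of the credential is used; the user name is arbitrary.
$PfxPassword = (Get-Credential -UserName 'pfx' -Message 'Password for the .pfx file').Password

# Step 2: import. -PrivateKeyExportable $false prevents the key from being
# exported again from the local certificate store after the import.
$Cert = Import-ExchangeCertificate -FileData $FileData `
                                   -Password $PfxPassword `
                                   -FriendlyName 'Mail TLS 2016' `
                                   -PrivateKeyExportable $false

# Verify what landed in the store (assumed: the cmdlet returns the certificate object
# and Get-ExchangeCertificate exposes these properties). Services is empty until
# Enable-ExchangeCertificate assigns the certificate to a service such as SMTP.
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint |
    Format-List Subject, NotAfter, PrivateKeyExportable, Services
```

Run the import once with -WhatIf first if you want to see the intended change without writing to the certificate store.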

The certificate may be published in Active Directory for the purposes of direct trust by using mutual TLS if the following conditions are true:

  • The certificate is marked as an SMTP TLS certificate.

  • The Subject Name on the certificate matches the fully qualified domain name (FQDN) of the local computer.

The certificate may be published in Active Directory by Edge Subscription if the following conditions are true:

  • You import the certificate to an Edge Transport server.

  • The certificate has an FQDN that matches the server FQDN.

The Import-ExchangeCertificate cmdlet imports either a certificate that's issued from an outstanding request or a PKCS #12 file.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange infrastructure and PowerShell permissions topic.


Parameters

The FileData parameter specifies the content retrieved from the certificate file.

A valid value for this parameter requires you to read the file to a byte-encoded object using the Get-Content cmdlet. For example, ([Byte[]](Get-Content -Encoding Byte -Path "C:\My Documents\<filename>" -ReadCount 0)).




The FileName parameter specifies the name of the file that contains the certificate you want to import.




The Instance parameter specifies whether to pass a whole object to the command to be processed. This parameter is mainly used in scripts where a whole object must be passed to the command.




The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you to acknowledge the command before proceeding.




The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.




The FriendlyName parameter specifies a friendly name for the resulting certificate. The friendly name must be less than 64 characters.

The default friendly name is Microsoft Exchange.




The Password parameter specifies the password for the private key that's imported with this command. Use the Get-Credential cmdlet to store the password variable.

This parameter requires you to create a credentials object by using the Get-Credential cmdlet. For more information, see Get-Credential.

The Get-Credential cmdlet prompts you for a user name and password, but only the password field is used to import the certificate. You don't have to use a real domain name or user name in the Name field. For implementation details, see the Examples section.




The PrivateKeyExportable parameter specifies whether the private key of the certificate can be exported.




The Server parameter specifies the Exchange server where you want to run this command. You can use any value that uniquely identifies the server. For example:

  • Name

  • FQDN

  • Distinguished name (DN)

  • Exchange Legacy DN

If you don't use this parameter, the command is run on the local server.




The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

© 2016 Microsoft