Applies to: Exchange Server 2013

This cmdlet is available only in on-premises Exchange Server 2013.

Use the Get-ExchangeCertificate cmdlet to view certificates in the local certificate store.

For information about the parameter sets in the Syntax section below, see Syntax.

Get-ExchangeCertificate [-Server <ServerIdParameter>] [-Thumbprint <String>] <COMMON PARAMETERS>
Get-ExchangeCertificate [-Identity <ExchangeCertificateIdParameter>] <COMMON PARAMETERS>
Get-ExchangeCertificate [-Instance <X509Certificate2>] [-Server <ServerIdParameter>] <COMMON PARAMETERS>
COMMON PARAMETERS: [-DomainController <Fqdn>] [-DomainName <MultiValuedProperty>]

This example returns all certificates stored on the Client Access server named ClientAccess01.

Get-ExchangeCertificate -Server ClientAccess01

This example returns the properties of a specified certificate in a formatted list.

The Thumbprint parameter is a positional parameter, so you can provide only the thumbprint value without the Thumbprint parameter name.

Get-ExchangeCertificate 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List *

This example shows which certificate Exchange will select for the specified domain name. A Send or Receive connector selects the certificate to use based on the fully qualified domain name (FQDN) of the connector. If you have multiple certificates with the same FQDN, you can see which certificate Exchange will select by using the DomainName parameter to specify the FQDN. The first certificate returned is the certificate Exchange will select.

Get-ExchangeCertificate -DomainName
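
The following is an added example, not part of the original cmdlet documentation. It applies the selection rule described above to every Receive connector FQDN on one server and flags a selected certificate that is expired, close to expiry, self-signed or not valid. The function name Get-SelectedCertificateReport, the $WarnDays threshold and the use of $env:COMPUTERNAME as the target server are assumptions made for illustration; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original documentation).
# Assumption: $WarnDays is an illustrative threshold, not a documented value.
function Get-SelectedCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string[]]$Fqdn,
        [int]$WarnDays = 30
    )
    foreach ($name in ($Fqdn | Where-Object { $_ } | Sort-Object -Unique)) {
        # Name the server explicitly so the results come from the intended
        # certificate store (see the Server parameter description).
        $candidates = @(Get-ExchangeCertificate -Server $Server -DomainName $name)
        if ($candidates.Count -eq 0) {
            [pscustomobject]@{ Fqdn = $name; Thumbprint = $null; NotAfter = $null
                               Findings = 'no certificate contains this FQDN' }
            continue
        }
        # The first certificate returned is the one Exchange will select.
        $selected = $candidates[0]
        $findings = @()
        if ($selected.NotAfter -lt (Get-Date)) {
            $findings += 'expired'
        } elseif ($selected.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            $findings += "expires within $WarnDays days"
        }
        if ($selected.IsSelfSigned)        { $findings += 'self-signed' }
        if ($selected.Status -ne 'Valid')  { $findings += "status: $($selected.Status)" }
        if ($candidates.Count -gt 1) {
            $findings += "$($candidates.Count) certificates match; first one is used"
        }
        if ($findings.Count -eq 0)         { $findings = @('ok') }
        [pscustomobject]@{
            Fqdn       = $name
            Thumbprint = $selected.Thumbprint
            NotAfter   = $selected.NotAfter
            Findings   = $findings -join '; '
        }
    }
}

# Usage: check the FQDN of every Receive connector on the local server.
$server = $env:COMPUTERNAME
$fqdns  = Get-ReceiveConnector -Server $server | ForEach-Object { "$($_.Fqdn)" }
Get-SelectedCertificateReport -Server $server -Fqdn $fqdns | Format-Table -AutoSize
```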

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell infrastructure permissions topic.


Parameters (name, required, type, description). All parameters appear in brackets in the Syntax section and are therefore optional.

DomainController (Optional, Fqdn)

The DomainController parameter specifies the fully qualified domain name (FQDN) of the domain controller that retrieves data from Active Directory.

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.

DomainName (Optional, MultiValuedProperty)

The DomainName parameter specifies whether to return all certificates that contain the specified domain name in the Subject Name or the Subject Alternative Name fields.

Identity (Optional, ExchangeCertificateIdParameter)

The Identity parameter specifies the certificate ID.

Instance (Optional, X509Certificate2)

The Instance parameter is no longer used and will be deprecated.

Server (Optional, ServerIdParameter)

The Server parameter specifies the Exchange server from which you want to get the certificate. You can use any value that uniquely identifies the Exchange server.

If you run Get-ExchangeCertificate on a Client Access server, and you don't use the Server parameter to specify the local server, the command returns the results from a Mailbox server.

Thumbprint (Optional, String)

The Thumbprint parameter specifies a certificate thumbprint. Each certificate contains a thumbprint, which is the digest of the certificate data.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.