Applies to: Exchange Server 2016

This cmdlet is available only in on-premises Exchange Server 2016.

Use the Get-ExchangeCertificate cmdlet to view certificates in the local certificate store on Exchange servers.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Get-ExchangeCertificate [-Server <ServerIdParameter>] [-Thumbprint <String>] <COMMON PARAMETERS>
Get-ExchangeCertificate [-Identity <ExchangeCertificateIdParameter>] <COMMON PARAMETERS>
Get-ExchangeCertificate [-Instance <X509Certificate2>] [-Server <ServerIdParameter>] <COMMON PARAMETERS>
COMMON PARAMETERS: [-DomainController <Fqdn>] [-DomainName <MultiValuedProperty>]

This example returns a summary list of all certificates stored on the server named Mailbox01.

Get-ExchangeCertificate -Server Mailbox01

This example returns detailed information for the specified certificate.

The Identity parameter is a positional parameter so you can provide the value without the Identity parameter name.
Get-ExchangeCertificate 0271A7F1CA9AD8A27152CCAE044F968F068B14B8 | Format-List

This example shows which certificate Exchange will select for the specified domain name. A Send or Receive connector selects the certificate to use based on the fully qualified domain name (FQDN) of the connector. If you have multiple certificates with the same FQDN, you can see which certificate Exchange will select by using the DomainName parameter to specify the FQDN. The first certificate returned is the certificate Exchange will select.

Get-ExchangeCertificate -DomainName

By default, this cmdlet returns the following certificate properties in the summary list view:

  • Thumbprint   The unique digest of the certificate data. An example thumbprint value is 78E1BE82F683EE6D8CB9B9266FC1185AE0890C41.

  • Services   The Exchange services that are configured for the certificate. You can configure the services when you create self-signed certificates by using the Exchange admin center or the New-ExchangeCertificate cmdlet. When you create certificate requests to receive certificates from a Certificate Authority (CA), you can specify the Exchange services after you install the certificates by using the Enable-ExchangeCertificate cmdlet.

    Values are:

    None   You'll see this value in certificates that aren't used with Exchange. For example, the WMSvc-<ServerName> certificate that's used for the IIS Web Management Service.

    Federation   You can only add this service to certificates by using the Set-FederationTrust cmdlet.







    You can specify multiple values separated by commas.

  • Subject   Contains the domain names and host names in the certificate's Subject Name or Subject Alternative Name fields.

If you append | Format-List to the command, the cmdlet returns these additional certificate properties:

  • HasPrivateKey   Whether or not the certificate contains a private key.

  • IsSelfSigned   Whether or not the certificate is self-signed.

  • Issuer   Who issued the certificate.

  • NotAfter   The certificate expiration date.

  • NotBefore   The certificate issue date.

  • PublicKeySize   The size of the public key in bytes.

  • RootCAType   The type of CA that signed the certificate. Values are:

    None  This value is found on the Microsoft Exchange Server Auth Certificate (the root certificate that's used to sign Exchange self-signed certificates).



    Registry  This value is found on Exchange self-signed certificates.



  • SerialNumber   The unique serial number of the certificate.

  • Status   The status of the certificate. Values are:









You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Certificate management" entry in the Exchange infrastructure and PowerShell permissions topic.
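The properties listed above (Services, HasPrivateKey, IsSelfSigned, NotBefore, NotAfter) are enough to audit a server's certificates for expiry and risky assignments. The following is an added example, not part of the original topic or Microsoft's code: the function name Test-ExchangeCertificateHealth, the 30-day warning window, and the sample objects are assumptions made for illustration.

```powershell
# Added example. Test-ExchangeCertificateHealth is a hypothetical helper name.
function Test-ExchangeCertificateHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Certificate,
        [int]$WarnDays = 30,            # assumed renewal window
        [datetime]$Now = (Get-Date)     # injectable so results are repeatable
    )
    process {
        $findings = @()
        # Services is "None" for certificates that aren't used with Exchange.
        $services = [string]$Certificate.Services
        $inUse = $services -and $services -ne 'None'

        if ($Certificate.NotAfter -lt $Now) {
            $findings += 'Expired'
        } elseif ($Certificate.NotAfter -lt $Now.AddDays($WarnDays)) {
            $findings += "ExpiresWithin${WarnDays}Days"
        }
        if ($Certificate.NotBefore -gt $Now) { $findings += 'NotYetValid' }
        if ($inUse -and -not $Certificate.HasPrivateKey) { $findings += 'InUseWithoutPrivateKey' }
        if ($inUse -and $Certificate.IsSelfSigned) { $findings += 'SelfSignedInUse' }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Services   = $services
            NotAfter   = $Certificate.NotAfter
            Findings   = $findings -join ', '
        }
    }
}

# Constructed sample objects (not real certificates) so the logic runs offline.
$now = [datetime]'2024-01-15'
$sample = @(
    [pscustomobject]@{ Thumbprint = ('A' * 40); Subject = 'CN=mail.example.test'; Services = 'IIS, SMTP'
        HasPrivateKey = $true; IsSelfSigned = $false
        NotBefore = [datetime]'2023-02-01'; NotAfter = [datetime]'2024-02-01' }
    [pscustomobject]@{ Thumbprint = ('B' * 40); Subject = 'CN=Mailbox01'; Services = 'SMTP'
        HasPrivateKey = $true; IsSelfSigned = $true
        NotBefore = [datetime]'2019-01-01'; NotAfter = [datetime]'2024-01-01' }
)
$sample | Test-ExchangeCertificateHealth -Now $now | Format-Table -AutoSize

# Against a live server, from the Exchange Management Shell:
# Get-ExchangeCertificate -Server Mailbox01 | Test-ExchangeCertificateHealth
```

With the constructed input, the first object is reported as ExpiresWithin30Days and the second as Expired, SelfSignedInUse.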


Parameter Required Type Description




The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example,

The DomainController parameter isn't supported on Edge Transport servers. An Edge Transport server uses the local instance of Active Directory Lightweight Directory Services (AD LDS) to read and write data.




The DomainName parameter filters the results by the domain name or host name values in the Subject Name or the Subject Alternative Name fields. You can specify multiple values separated by commas.




The Identity parameter specifies the certificate that you want to view. You identify the certificate by its thumbprint value.

You can't use this parameter with the Server parameter.




The Instance parameter is no longer used and will be deprecated.




The Server parameter specifies the Exchange server where you want to run this command. You can use any value that uniquely identifies the server. For example:

  • Name

  • FQDN

  • Distinguished name (DN)

  • Exchange Legacy DN

If you don't use this parameter, the command is run on the local server.

You can't use this parameter with the Identity parameter.




The Thumbprint parameter filters the results on the server by the certificate thumbprint. You use this parameter with the Server parameter.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.

© 2016 Microsoft