How to Trust the Default SSL Certificate

Exchange 2007

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Topic Last Modified: 2007-03-29

By default, when you install Microsoft Exchange Server 2007 with the Client Access server role, a self-signed Secure Sockets Layer (SSL) digital certificate is installed. You can use this self-signed certificate to establish SSL encryption for communications between the client computers and mobile devices and the Client Access server. The self-signed certificate is supported for use with Exchange ActiveSync and Microsoft Office Outlook Web Access. It is not supported for Outlook Anywhere.

To use the self-signed certificate, you must install a copy of it in the trusted root certificate store or personal certificate store for the client computers and devices that will connect to the Client Access server. This topic explains how to export a copy of the self-signed certificate to be installed in other locations.

We recommend that you require all external clients to use SSL to connect to Exchange Server 2007.

To export a copy of the self-signed certificate, you must first obtain the thumbprint of the certificate. The thumbprint is an identifying string that is associated with a digital certificate. After you have obtained the thumbprint, you can export a copy of the digital certificate by using this thumbprint.

To perform the following procedure, the account you use must be delegated the Exchange View-Only Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

  • Run the following command:

    Get-ExchangeCertificate -DomainName 

  • Run the following command:

    Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

    The value for Thumbprint is from the first certificate that was listed in the output for the Get-ExchangeCertificate cmdlet.

For more information about syntax and parameters, see Get-ExchangeCertificate and Export-ExchangeCertificate.

For more information about security and Exchange 2007, see the following topics: