Assign certificates to Exchange services

 

Applies to: Exchange Server 2016

Topic Last Modified: 2016-03-01

Learn how to assign certificates to Exchange services in Exchange 2016.

After you install a certificate on an Exchange Server 2016 server, you need to assign the certificate to one or more Exchange services before the Exchange server is able to use the certificate for encryption. You can assign certificates to services in the Exchange admin center (EAC) or in the Exchange Management Shell. Once you assign a certificate to a service, you can't remove the assignment. If you no longer want to use a certificate for a specific service, you need to assign another certificate to the service, and then remove the certificate that you don't want to use.

The available Exchange services are described in the following table. Each entry gives the service name, followed by what that service uses the certificate for.

IIS

TLS encryption for internal and external client connections that use HTTP. This includes:

  • Autodiscover

  • Exchange ActiveSync

  • Exchange admin center

  • Exchange Web Services

  • Offline address book (OAB) distribution

  • Outlook Anywhere (RPC over HTTP)

  • Outlook MAPI over HTTP

  • Outlook on the web

IMAP

TLS encryption for IMAP4 client connections.

Don't assign a wildcard certificate to the IMAP4 service. Instead, use the Set-ImapSettings cmdlet to configure the fully qualified domain name (FQDN) that clients use to connect to the IMAP4 service.

POP

TLS encryption for POP3 client connections.

Don't assign a wildcard certificate to the POP3 service. Instead, use the Set-PopSettings cmdlet to configure the FQDN that clients use to connect to the POP3 service.

SMTP

TLS encryption for external SMTP client and server connections.

Mutual TLS authentication between Exchange and other messaging servers.

When you assign a certificate to SMTP, you are prompted to replace the default Exchange self-signed certificate that's used to encrypt SMTP communication between internal Exchange servers. Typically, you don't need to replace the default SMTP certificate.

Unified Messaging (UM)

TLS encryption for client connections to the backend UM service on Mailbox servers.

You can only assign a certificate to the UM service when the UM startup mode property of the service is set to TLS or Dual. If the UM startup mode is set to the default value TCP, you can't assign the certificate to the UM service. For more information, see Configure the startup mode on a Mailbox server.

Unified Messaging Call Router (UMCallRouter)

TLS encryption for client connections to the UM Call Router service in the Client Access services on Mailbox servers.

You can only assign a certificate to the UM Call Router service when the UM startup mode property of the service is set to TLS or Dual. If the UM startup mode is set to the default value TCP, you can't assign the certificate to the UM Call Router service. For more information, see Configure the startup mode on a Client Access server.


To assign a certificate to Exchange services in the EAC:

  1. Open the EAC, and navigate to Servers > Certificates.

  2. In the Select server list, select the Exchange server that holds the certificate.

  3. Select the certificate that you want to configure, and then click Edit. The certificate needs to have the Status value Valid.

  4. On the Services tab, in the Specify the services you want to assign this certificate to section, select the services. Remember, you can add services, but you can't remove them. When you are finished, click Save.

To assign a certificate to Exchange services in the Exchange Management Shell, use the following syntax:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services <Service1>,<Service2>... [-Server <ServerIdentity>]

This example assigns the certificate that has the thumbprint value 434AC224C8459924B26521298CE8834C514856AB to the POP, IMAP, IIS, and SMTP services.

Enable-ExchangeCertificate -Thumbprint 434AC224C8459924B26521298CE8834C514856AB -Services POP,IMAP,IIS,SMTP

You can find the certificate thumbprint value by using the Get-ExchangeCertificate cmdlet.

To verify that you have successfully assigned a certificate to one or more Exchange services, use either of the following procedures:

  • In the EAC at Servers > Certificates, verify that the server where you installed the certificate is selected. Select the certificate, and in the details pane, verify that the Assigned to services property contains the services that you selected.

  • In the Exchange Management Shell on the server where you installed the certificate, run the following command to verify the Exchange services for the certificate:

    Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,Services
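An added example (not from this page or the Exchange documentation) that wraps the Shell procedure above in a script: it selects a certificate by the FQDN that clients connect to, enforces the rules the page states (Status must be Valid, no wildcard certificate on POP or IMAP, assignment is additive and cannot be undone), assigns only the services that are still missing, and then verifies the result the same way as the check above. The server name EX01 and the FQDN mail.contoso.com are placeholder assumptions.

```powershell
# Added example, not from the Exchange documentation. Placeholders: mail.contoso.com, EX01.
param(
    [string]$ClientFqdn = 'mail.contoso.com',
    [string]$Server     = 'EX01',
    [string[]]$Services = @('IIS', 'POP', 'IMAP')   # SMTP left out on purpose (see below)
)

# Candidate: status Valid, not expired, covers the client FQDN; prefer the longest-lived one.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object {
        $_.Status -eq 'Valid' -and
        $_.NotAfter -gt (Get-Date) -and
        $_.CertificateDomains -contains $ClientFqdn
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid certificate for $ClientFqdn on $Server" }

# Wildcard certificates must not be assigned to POP or IMAP; point those services at the
# FQDN with Set-PopSettings / Set-ImapSettings -X509CertificateName instead.
$isWildcard = @($cert.CertificateDomains | Where-Object { $_.StartsWith('*') }).Count -gt 0
if ($isWildcard -and @($Services | Where-Object { $_ -in @('POP', 'IMAP') }).Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is a wildcard; do not assign it to POP/IMAP."
}

# Enable-ExchangeCertificate only ever adds services (an assignment cannot be removed),
# so compute what is missing and add just that. SMTP is excluded above because assigning
# it triggers the prompt to replace the default self-signed SMTP certificate.
$current = @($cert.Services.ToString() -split ',\s*')
$toAdd   = @($Services | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
        -Services ($toAdd -join ',') -Confirm:$false
}

# Verify: re-read the certificate and make sure every requested service is now present.
$after   = @((Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint).Services.ToString() -split ',\s*')
$missing = @($Services | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) { throw "Assignment incomplete; missing: $($missing -join ', ')" }

Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Subject, CertificateDomains, Thumbprint, Services, NotAfter
```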