Import or export certificates for UM in Exchange Server

Applies to: Exchange Server 2013, Exchange Server 2016

You can use the EAC or the Shell to import or export self-signed, internal public key infrastructure (PKI), or third-party commercial certificates. For Unified Messaging (UM), you can use one of these certificates for the Microsoft Exchange Unified Messaging service and the Microsoft Exchange Unified Messaging Call Router service. You can use the same certificate for both services, or a different certificate for each service.

Importing certificates for Exchange can be useful when you want to:

  • Import a certificate that was exported to a file.
  • Import a PKI certificate file that was generated by an internal certification authority.
  • Import a third-party commercial certificate.

Exporting an existing certificate from the certificate store on the local Exchange server can be useful when you want to:

  • Export it so that it can be imported on another Exchange server.
  • Export it so that it can be imported on a VoIP gateway, IP PBX, or SIP-enabled PBX.
  • Export the certificate so that you can back up the certificate and its private key.

For additional tasks related to managing certificates for Unified Messaging, see Deploying certificates for UM procedures.

What do you need to know before you begin?

  • Estimated time to complete: 5 minutes.

  • You need to be assigned permissions before you can perform these procedures. To see what permissions you need, see the "Certificate management" entry in the Exchange and Shell infrastructure permissions topic and the "UM service" entry in the Unified Messaging permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.

  • Before you export a certificate, use the Get-ExchangeCertificate cmdlet to verify that the PrivateKeyExportable attribute on the certificate is set to $true.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Use the EAC to export a certificate

  1. In the EAC, click Servers > Certificates > More options, and then click Export Exchange certificate.
  2. On the Export Exchange certificate page, in the File to export to box, enter the name of the certificate file.
  3. In the Password box, enter the password that you want to use to protect the private key, and then click OK.

Use the Shell to export a certificate

This example exports the certificate with the Thumbprint A36DE2B9B62980A717EBD0C3052F5F0B08FBFFCC to a file after it prompts you for a password.

$file = Export-ExchangeCertificate -Thumbprint A36DE2B9B62980A717EBD0C3052F5F0B08FBFFCC -BinaryEncoded:$true -Password (Read-Host "Enter password" -AsSecureString)

This example does the following steps:

  • Uses the Get-ExchangeCertificate cmdlet to find the certificate that you want to export.

  • Uses the Export-ExchangeCertificate cmdlet to set the password for the certificate.

  • Outputs the certificate to a file after you input the password.

    $file = Get-ExchangeCertificate -DomainName umcorp.northwindtraders.com | Export-ExchangeCertificate -BinaryEncoded:$true -Password (Read-Host "Enter password" -AsSecureString)
    
    Set-Content -Path "d:\umcerts\selfsigned.pfx" -Value $file.FileData -Encoding Byte
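
The following is an added example, not part of the original topic. It combines the PrivateKeyExportable check from "What do you need to know before you begin?" with the export, then reopens the written file to confirm that it holds the same certificate and its private key. The thumbprint is the one used above; the output path and variable names are assumptions.

```powershell
# Run in the Exchange Management Shell on the server that holds the certificate.
$thumbprint = 'A36DE2B9B62980A717EBD0C3052F5F0B08FBFFCC'   # thumbprint from this topic
$pfxPath    = 'd:\umcerts\um-backup.pfx'                   # assumed output path

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint -ErrorAction Stop

# Pre-export checks: the key must be present and marked exportable,
# otherwise the export cannot produce a usable backup.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key on this server."
}
if (-not $cert.PrivateKeyExportable) {
    throw "PrivateKeyExportable is not `$true for $thumbprint; the key cannot be exported."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter); exporting anyway."
}

# The password protects the private key inside the PFX file.
$password = Read-Host 'Enter password' -AsSecureString

$export = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Password $password
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# Round-trip check: reopen the file with the same password and compare.
$bytes = [System.IO.File]::ReadAllBytes($pfxPath)
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($bytes, $password)

if ($pfx.Thumbprint -ne $thumbprint) {
    throw "Exported file contains $($pfx.Thumbprint), expected $thumbprint."
}
if (-not $pfx.HasPrivateKey) {
    throw "Exported file $pfxPath does not contain the private key."
}
Write-Host "Verified $pfxPath (subject: $($pfx.Subject), expires: $($pfx.NotAfter))."
```

Because the file contains the private key, keep it in a folder that only administrators can read and store the password separately from the file.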
    

Use the EAC to import a certificate

  1. In the EAC, click Servers > Certificates > More options, and then click Import Exchange certificate.

  2. On the Import Exchange certificate page, in the File to import from box, enter the shared folder path and the name of the certificate file. If the certificate is protected with a password, enter the password in the Password box, and then click Next.

  3. Click Add to select the servers that you want to apply the certificate to, and then click OK. If you want to remove a server from the list view, click Remove, and then click Finish.

Use the Shell to import a certificate

This example imports a certificate from the d:\certificates\exchange\SelfSignedUMCert.pfx certificate file after you enter a username and password.

Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('D:\certificates\exchange\SelfSignedUMCert.pfx')) -Password:(Get-Credential).password