How to

Microsoft Exchange 2007 - SSL/TLS Certificate Installation Instructions

How to install a SSL/TLS Certificate on Microsoft Exchange 2007.

How do I install a SSL/TLS certificate on Microsoft Exchange 2007?

 Before you begin

  • Never share private key files. 
  • If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
  • Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.


Installing your  SSL/TLS Certificate on Microsoft Exchange 2007

 1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a zip file that includes your Server Certificate, the  chain/intermediate certificates(s) and the Root certificate. Extract the files from the zip file.

2. On the server, go to Start > Run > type MMC and hit enter. 

3. Click File > Add Remove Snap-in. 

4. Select Certificates and click Add.

5. Select Local Computer and click Finish.

6. Click Close.

7. Expand Certificates on the left hand side of the console window.

8. Expand the Trusted Root Certification Authorities folder and click on the Certificates sub-folder.
9. Important: Check the list of Trusted Root Certificates to see if there is a root labeled Root Certification Authority - G2.  If this root is present, delete the root from the list. You will install another root certificate and chain your certificate to that root to provide backwards compatibility with older devices that do not include the newer SHA-2 root certificate. 

10. Right click on the Certificates sub-folder under Trusted Root Certification Authorities and select All Tasks > Import. 

11. In the import wizard, browse to the Root.crt file downloaded in step 1 and complete the wizard. 

12. In the MMC console, expand the Intermediate Certification Authorities folder. Right click on the Certificates sub-folder and select All Tasks > Import.

13. In the import wizard, browse to the Intermediate1.crt file downloaded in step 1 and complete the wizard.

14. Right click on the Certificates sub-folder under Intermediate Certification Authorities and select All Tasks > Import.

15. In the import wizard, browse to the Intermediate2.crt file downloaded in step 1 and complete the wizard to complete the certificate chain setup process. You should see your Entrust Intermediate certificates listed in the Intermediate Certification Authorities folder. You are now ready to install your signed server certificate. 

16. As an Administrator on the server, open the Exchange Management shell by clicking Start > Exchange Management Shell.

17. You will need to run a command to import the Server Certificate file that was downloaded in step 1 and a command to enable the desired Exchange services. This can be done in a single command by using the pipe delimiter. To simplify the command, place your ServerCertificate.crt file in your C drive. 

Import-ExchangeCertificate -Path C:\<u>ServerCertificate.crt</u> | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

18. To verify that the previous command was successful, run the following command:


This command will display a list of all of the certificates available on the server.  Check the Subject column to identify the certificate that you just imported in the previous step. Check the corresponding Services column to ensure the correct services have been enabled.   In the Services Column:

  • 'S' is the SMTP Service
  • 'I' is the IMAP Service
  • 'P' is the POP Service
  • 'W' is IIS which is used for Webmail and Active Sync

If the proper services are not enabled, run the following command and provide your certificate thumprint. The certificate thumprint value should have been part of the ouput of the Get-ExchangeCertificate command.

Enable-ExchangeCertificate -ThumbPrint [Certificate Thumbprint Value] -Services "SMTP, IMAP, POP, IIS"

Additional Instructions: Microsoft ISA Server

If you are running Microsoft Internet Security Server (ISA), you must export your certificate and private key and install it on the ISA server. You can find instructions here.