Import-Export SSL Certificate


How to Import and Export your SSL Certificate in Exchange Server

PFX Backup Tutorial for Microsoft Exchange Servers

Windows servers use .pfx files that contain the public key files and the associated private key file.

Since both the public and private keys are needed for an SSL Certificate to function, you need a .pfx backup to transfer SSL server security certificates from one server to another.

This page explains how to back up your certificate on a working server, import the certificate to another server, and then enable the certificate for use on the new server. If you have not yet installed the certificate files on the server that generated your CSR, please see our Exchange Certificate installation page.

Exporting/Backing Up to a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add and then close the Add Standalone Snap-in window. Click OK.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the Add Standalone Snap-in window and the Add/Remove Snap-in window.
  5. Click the + to expand the Certificates (Local Computer) console tree and look for the Personal directory/folder. Expand the Certificates folder.
  6. Right-click on the certificate you want to back up and select ALL TASKS > Export.
  7. Follow the wizard to export your primary certificate to a .pfx file. Choose Yes, export the private key.
  8. Choose to include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  9. Leave the default settings and enter your password if required. Choose the location to save the file and click Finish. You will receive an export successful message. The .pfx file is now saved in the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add and then close the Add Standalone Snap-in window. Click OK.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the Add Standalone Snap-in window and the Add/Remove Snap-in window.
  5. Click the + to expand the Certificates (Local Computer) console tree and look for the Personal directory/folder. Expand the Certificates folder.
  6. Right-click on the Personal Certificates Store folder and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from a .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
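
A scripted equivalent of the export and import steps above, as an added example that is not part of the original tutorial. It assumes the built-in PKI module on Windows Server 2012 R2 or later (PowerShell 4.0+) and an elevated session; the function names Export-CertBackup and Import-CertBackup, the file path and the thumbprint placeholder are hypothetical.

```powershell
# Added example, not from the original tutorial. Function names, the file path
# and the thumbprint placeholder are illustrative. Run in an elevated session.

function Export-CertBackup {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Same store the MMC steps open: Certificates (Local Computer) > Personal
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key here; the .pfx would not work on another server."
    }
    # BuildChain includes the certificates in the certification path (export step 8).
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    # Return a SHA-256 of the file so the receiving side can confirm it arrived intact.
    (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
}

function Import-CertBackup {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [securestring] $Password
    )
    if ((Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash -ne $ExpectedSha256) {
        throw "Hash mismatch: $PfxPath is not the file that was exported."
    }
    # Without -Exportable the private key cannot be exported again from this server.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password | Out-Null
    # Confirm the expected certificate landed in the store together with its private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Imported certificate $Thumbprint has no private key." }
    $cert
}

# Usage (values are placeholders):
#   $pw   = Read-Host -AsSecureString -Prompt 'PFX password'
#   $hash = Export-CertBackup -Thumbprint '<thumbprint>' -PfxPath 'C:\temp\backup.pfx' -Password $pw
#   Import-CertBackup -Thumbprint '<thumbprint>' -PfxPath 'C:\temp\backup.pfx' -ExpectedSha256 $hash -Password $pw
```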

Enabling a New Certificate on a Server

  1. Run the following Get-ExchangeCertificate command to get your certificate thumbprint. Replace domain.name with your own domain.

Get-ExchangeCertificate -DomainName domain.name

Thumbprint                                Services  Subject
136849A2963709E2753214BED76C7D6DB1E4A270  .....     CN=your.domain.name

  2. Run the following Enable-ExchangeCertificate command to enable your certificate for use with Exchange. Replace [paste_your_thumbprint] with your thumbprint.

Enable-ExchangeCertificate -ThumbPrint [paste_your_thumbprint] -Services "SMTP, IMAP, POP, IIS"

  3. You can now re-run the Get-ExchangeCertificate command to verify that the certificate was successfully installed.

In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS).

  4. Test your certificate by connecting to your server with IE, ActiveSync, or Outlook.

If you are using ISA 2004 or ISA 2006 you need to reboot your servers.
