How to Import and Export your SSL Certificate in Exchange 2007

PFX Backup Tutorial for Microsoft Exchange 2007 Servers

Want an easier way to export? Our management & troubleshooting tool works on all Windows-based servers.

Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and the associated private key file (generated by your server as part of the CSR).

Since both the public and private keys are needed for an SSL Certificate to function, you need a .pfx backup to transfer SSL server security certificates from one server to another.

This page explains how to back up your certificate on a working server, import the certificate to another server, and then enable the certificate for use on the new server. If you have not yet installed the certificate files that you received from DigiCert on the server that generated your CSR, please see our Exchange 2007 installation instructions page.

Exporting/Backing Up to a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.

  3. Click Certificates > Add and then close the Add Standalone Snap-in window. Click OK.

  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Follow the wizard to export your primary certificate to a .pfx file. Choose Yes, export the private key.
  8. Choose to include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  9. Leave the default settings and enter your password if required. Choose the location to save the file and click Finish. You will receive an export successful message. The .pfx file is now saved in the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add and then close the Add Standalone Snap-in window. Click OK.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the Add Standalone Snap-in window and the Add/Remove Snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the Personal Certificates Store folder and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from a .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Enabling a New Certificate on a Server

  1. Run the following Get-ExchangeCertificate command to get your certificate thumbprint. Replace the text in red to match your domain.

    [PS] C:\> Get-ExchangeCertificate -DomainName your.domain.name
    
    Thumbprint                                Services   Subject
    ----------                                --------   -------
    136849A2963709E2753214BED76C7D6DB1E4A270  .....      CN=your.domain.name
  2. Run the following Enable-ExchangeCertificate command to enable your certificate for use with Exchange. Replace the text in red to match your thumbprint.

    Enable-ExchangeCertificate -ThumbPrint [paste_your_thumbprint] -Services "SMTP, IMAP, POP, IIS"
  3. You can now re-run the Get-ExchangeCertificate command to verify that the certificate was successfully installed.

    In the Services column, the letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS).

  4. Test your certificate by connecting to your server with IE, ActiveSync, or Outlook.

    If you are using ISA 2004 or ISA 2006 you need to reboot your servers.