Renewing Exchange 2007 SSL Certificates

SSL Renewal Made Easy using the DigiCert Utility

If you'd like to renew your Exchange 2007 SSL Certificate with minimal use of the Exchange Management Shell, please see our Exchange 2007 SSL renewal using the DigiCert Utility page.

Renew an SSL Certificate in the Exchange Management Shell

Best practices are to generate a new certificate signing request (CSR) when renewing your SSL certificate.

  1. Open the Exchange Management Shell on your Exchange 2007 server: click Start, click Programs, click Microsoft Exchange 2007, and then select Exchange Management Shell.

  2. Fill out the information in the DigiCert Exchange 2007 CSR Command Generator Tool, click Generate, then copy this command and paste it into the Exchange Management Shell.
    Your CSR file will be named 'c:\yourdomain_com.csr'.


Renew Your SSL Certificate

Renew your SSL certificate from inside your DigiCert CertCentral account.

Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.

  1. Log into your CertCentral account.

  2. In CertCentral, in the left main menu, click Certificates > Expiring Certificates.

  3. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.

    A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

  4. Follow the instructions provided inside your account to renew your SSL certificate.

  5. Add your CSR

    When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.

    You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.

  6. After you place the order to renew your certificate, DigiCert verifies your information.

  7. If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.

Install your Certificate in the Exchange Management Shell

  1. Download the .ZIP file containing your certificate onto the Exchange server and extract the certificate file (e.g. mail_yourdomain_com.cer) to the root of the C drive (C:\).

  2. Open the Exchange Management Shell and run the command below to both import the certificate and to configure your Exchange 2007 server to use this certificate:

    Note: Both commands should be run on a single line in the shell, separated by a pipe character '|' (Shift+'\'). Edit the file name, domain name or thumbprint in the commands to match your own.

    Import-ExchangeCertificate -Path C:\mail_yourdomain_com.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

  3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command and checking that all of the services you chose are listed under the Services section.

    [PS] C:\> Get-ExchangeCertificate -DomainName
    Thumbprint                                Services   Subject
    ----------                                --------   -------
    136849A2963709E2753214BED76C7D6DB1E4A270  SIP.W

  4. Run the following command to both import your certificate to the server and enable it for Exchange services (this should be run as a command on a single line):

    Import-ExchangeCertificate -Path C:\your_domain_name.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

Test your Certificate Installation

Verify that your certificate is enabled for all of the services you selected by running the Get-ExchangeCertificate command. You should see that it lists the services you enabled: S - SMTP, I - IMAP, P - POP, W - Web (IIS).

[PS] C:\> Get-ExchangeCertificate -DomainName

In the Services section the letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS, i.e. Outlook Web Access).

If your certificate doesn't list all of the correct services, you can re-run the Enable-ExchangeCertificate command like this:

Enable-ExchangeCertificate -ThumbPrint [paste] -Services "SMTP, IMAP, POP, IIS"

You can also check your certificate by visiting The DigiCert Certificate Installation Checking Tool. Enter your domain name (e.g., and verify that the expiration date shows the new certificate's expiration date, and shows all green checkmarks.
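
The checks in this section can be scripted. The following is an added example, not part of DigiCert's instructions: Test-RenewedCertificate is a hypothetical helper name, the file path is the sample one used above, and the code relies on the Thumbprint, Services and Subject values shown by Get-ExchangeCertificate plus the standard X509Certificate2 properties NotAfter and HasPrivateKey.

```powershell
# Added example (not DigiCert's script); run in the Exchange Management Shell.
# Test-RenewedCertificate is a hypothetical helper name.
function Test-RenewedCertificate {
    param(
        [string]   $CerPath = 'C:\mail_yourdomain_com.cer',   # file extracted from the .ZIP
        [string[]] $Wanted  = @('SMTP', 'IMAP', 'POP', 'IIS') # services from the Enable step
    )

    # Take the thumbprint from the issued file instead of retyping it.
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
    if (-not $cert) {
        Write-Warning "Thumbprint $($issued.Thumbprint) not found: the import did not complete."
        return $false
    }

    $ok = $true
    # The private key is created with the CSR, so it exists only on that server.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key: import on the server where the CSR was generated.'
        $ok = $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter)."
        $ok = $false
    }
    # Services is a flags value such as "IMAP, POP, IIS, SMTP".
    $enabled = $cert.Services.ToString()
    foreach ($svc in $Wanted) {
        if ($enabled -notmatch "\b$svc\b") {
            Write-Warning "$svc is not enabled; re-run Enable-ExchangeCertificate."
            $ok = $false
        }
    }

    # List other certificates with the same subject and the services they still hold.
    Get-ExchangeCertificate |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint } |
        ForEach-Object { Write-Host "Older certificate $($_.Thumbprint) expires $($_.NotAfter), services: $($_.Services)" }

    return $ok
}

Test-RenewedCertificate
```

A result of False together with a "No private key" warning means the certificate was imported on a server other than the one that generated the CSR.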

Exchange 2007 Certificates, Guides, & Tutorials

  1. Quickly test your SSL installation by entering your certificate's Common Name or SAN (e.g., or into the SSL Installation Checker to diagnose common problems.

  2. If you have any SSL certificate errors, try using the SSL Management Util for Windows.

  3. For instructions on other certificate management tasks, check out the Common SSL Certificate Tasks page.

  4. Please contact our friendly support staff if you have any additional questions or problems.
