Applies to: Exchange Server 2013
Topic Last Modified: 2012-10-16
Use the Import-ExchangeCertificate cmdlet to import a certificate or chain of certificates.
For information about the parameter sets in the Syntax section below, see Syntax.
Import-ExchangeCertificate -Instance <String> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileData <Byte[]> <COMMON PARAMETERS>
Import-ExchangeCertificate -FileName <String> <COMMON PARAMETERS>
COMMON PARAMETERS: [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-FriendlyName <String>] [-Password <SecureString>] [-PrivateKeyExportable <$true | $false>] [-Server <ServerIdParameter>] [-WhatIf [<SwitchParameter>]]
This example imports an existing certificate and private key from the PKCS #12 file ExportedCert.pfx.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
This example imports a chain of certificates from the PKCS #7 file IssuedCert.p7b.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\IssuedCert.p7b -Encoding byte -ReadCount 0))
You can use the Import-ExchangeCertificate cmdlet for the following purposes:
- To import a certificate or chain of certificates from a PKCS #7 file that has been issued by a certification authority (CA). PKCS #7 is the Cryptographic Message Syntax Standard, a syntax used for digitally signing or encrypting data using public key cryptography, including certificates.
- To import an existing certificate and private key from a PKCS #12 (.pfx or .p12) file to the certificate store on the local computer. PKCS #12 is the Personal Information Exchange Syntax Standard, a file format used to store certificates with corresponding private keys protected with a password. The standard is specified by RSA Laboratories. For more information, see the PKCS #12: Personal Information Exchange Syntax Standard website.
Important: There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration.
Note: In Microsoft Exchange Server 2013, to import data from a file, you must use the Get-Content cmdlet to retrieve the file data and use the FileData parameter to specify the retrieved data. This can be done in a two-step process or in a single step. The examples in this topic use the single-step approach.
The certificate may be published in Active Directory for the purposes of direct trust by using mutual TLS if the following conditions are true:
- The certificate is marked as an SMTP TLS certificate.
- The Subject Name on the certificate matches the fully qualified domain name (FQDN) of the local computer.
The certificate may be published in Active Directory by Edge Subscription if the following conditions are true:
- You import the certificate to an Edge Transport server.
- The certificate has an FQDN that matches the server FQDN.
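The two-step form mentioned in the note above, preceded by checks on the PKCS #12 file before it reaches the certificate store. This is an added example, not part of the original topic; the friendly name and the choice of checks are assumptions, and the file path is the one used in the topic's own example.

```powershell
# Added example: inspect a PFX, then import it in two steps (Exchange Management Shell).
$pfxPath     = 'c:\certificates\ExportedCert.pfx'          # path from the topic's example
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Open the file in memory only; nothing is added to the local computer store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
try {
    $fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectName = $cert.GetNameInfo($nameType, $false)    # $false = subject, not issuer
    $now = Get-Date

    # Hard failures: the file is unusable as a server certificate.
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Soft check: the topic's publishing conditions require the subject to match the FQDN.
    if ($subjectName -ne $fqdn) {                          # -ne is case-insensitive
        Write-Warning "Subject '$subjectName' does not match local FQDN '$fqdn'."
    }

    $cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter, HasPrivateKey
    $expectedThumbprint = $cert.Thumbprint
}
finally {
    $cert.Reset()                                          # release the in-memory certificate
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate failed pre-import checks; nothing was imported.'
}

# Step 1: retrieve the file data as a byte array.
$fileData = [Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)

# Step 2: import it, keeping the private key non-exportable on this server.
$imported = Import-ExchangeCertificate -FileData $fileData -Password $pfxPassword `
    -PrivateKeyExportable $false -FriendlyName 'Imported from ExportedCert.pfx'

# Confirm that the certificate now in the store is the one that was inspected.
if ($imported.Thumbprint -ne $expectedThumbprint) {
    Write-Warning "Imported thumbprint $($imported.Thumbprint) differs from inspected $expectedThumbprint."
}
```

Reading the password with Read-Host -AsSecureString keeps it out of the command line and the shell history.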
The Import-ExchangeCertificate cmdlet imports either a certificate that’s issued from an outstanding request or a PKCS #12 file.
You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they’re not included in the permissions assigned to you. To see what permissions you need, see the “Certificate management” entry in the Exchange and Shell Infrastructure Permissions topic.
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.
To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.