We recommend using the Exchange Management Shell for installation of the SSL Certificate on a server with Exchange 2007.
In the same way as the CSR code generation, you will need to use commands with the corresponding parameters of the cmdlet. First, make sure that you have saved the Validated Certificate, which was sent to you by the Certificate Authority, to the root directory of the C drive. That file should be in format suitable for the Exchange server, this can be either .cer, .p7b or .p7s .
Next, import of the saved SSL Certificate. For this, open EMS (Exchange Management Shell):
Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
and then run two commands together - one for the installation of the Certificate at the server and one enabling it for the required services. Both commands should be in the same line, separated by a pipe character:
Import-ExchangeCertificate -Path C:www.example.com.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
- C:www.example.com.cer – path to the saved validated SSL certificate;
- "SMTP, IMAP, POP, IIS" – all the required services should be mentioned.
If you are installing a certificate in PEM (X.509) format: After installation you will need to follow the procedure outlined in "Root and Intermediate Certificate installation via MMC", with the other files that you have been sent, in order to complete the installation.
Installation of the Certificate can be verified by command:
Get-ExchangeCertificate -DomainName www.example.com
In the Services column you will see SIP and W which stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn't properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as:
Enable-ExchangeCertificate -ThumbPrint [paste] -Services "SMTP, IMAP, POP, IIS"
If the installation returned the error message: “The certificate with thumbprint [XXX] was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)” then use one of the solutions below, depending on the reason for the error.
- CSR code and RSA Key pair was generated at another server. In this case, you need to import your key before the installation;
- RSA Key was lost/deleted. In this case, enabling of the Certificate is not possible. You need to reissue the certificate using a new CSR code, generated via EMS;
- If none of the above explanations describe your situation, and you are not able to detect the issue, try to run the command certutil -repairstore my "YourSerialNumber" command (quotes included). If your private key was somehow corrupted, but is still on the server, this command will resolve the issue. If the key is corrupted, the certificate icon will be missing the golden key in ‘Personal Certificates’ in mmc).
Here is a more detailed instructions on how to resolve the issue defined in the last case:
Enter MMC (Microsoft Management Console) > add the Certificate Snap-In for the Local Computer account > double-click on the imported certificate in Personal Certificates > select the ‘Details’ tab > click on the ‘Serial Number’ field and copy that string.
Type: certutil -repairstore my "YourSerialNumber"
- After that, go back to the MMC and right-click Certificates and select Refresh
- Double-click on the problem certificate. At the bottom in General tab you will see: "You have a private key that corresponds to this certificate."
- The Private Key is attached to the certificate now. Try to install Certificate once again.
As an alternative, to confirm that all required steps have been completed, and that the certificate is both installed and operational, run the following command:
Get- ExchangeCertificate < ThumbPrint > | fl