How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers

During your planning for SSL certificates for Exchange 2013 you may have chosen to use the same certificate on multiple servers.

The process for acquiring a certificate to be used on multiple servers is almost identical to the process for a single server. During the Exchange 2013 certificate request wizard you enter the fully qualified domain names for the Client Access server namespaces that the SSL certificate will be used for. As you can see here, these do not need to include actual server names.

After completing the certificate request on the first server (the one where the request was originally generated), you can export the certificate and import it to additional servers with the following steps.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate already installed.

Highlight the certificate to be exported, then click the “…” (more) icon and choose Export Exchange Certificate.

Begin the export of an Exchange certificate

Enter a valid UNC path and the name of the file you wish to export to, and a password for the exported certificate.

Choose a path to store the exported certificate file

Complete the export Exchange certificate wizard.

Open the “more” icon again and this time choose Import Exchange Certificate (it does not matter at this stage which server you have selected in the drop-down list above the icons).

Begin the import of an SSL certificate to Exchange

Enter the UNC path to the file again, and the same password you used during the export.

Enter the UNC path and certificate password

Click the “+” icon and add any Exchange 2013 servers that you wish to import the certificate to.

Select the Exchange servers to import the SSL certificate to

Click Finish to complete the import wizard.

After you have imported the certificate to a server you can then proceed with assigning the SSL certificate to Exchange services.
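The same export/import sequence run from the Exchange Management Shell, added here as an example and not code from the original article. The server names, certificate subject and file path are assumed placeholders; the script writes and reads the PFX from the admin session via FileData rather than through a UNC path, so the share permissions for the Exchange Trusted Subsystem discussed in the comments are not needed.

```powershell
# Added example (not from the original article): export the certificate from one
# Exchange 2013 server and import/enable it on the others from the shell.
# Assumed placeholders: EX01 holds the certificate, EX02/EX03 receive it,
# the subject CN is mail.example.com, and the PFX is staged locally.
$sourceServer  = 'EX01'
$targetServers = 'EX02', 'EX03'
$pfxPath       = 'C:\Temp\ExchangeCert.pfx'
$services      = 'IIS,SMTP'   # match the services assigned on the source server

# 1. Locate the certificate on the source by subject; refuse to guess if ambiguous.
$cert = @(Get-ExchangeCertificate -Server $sourceServer |
          Where-Object { $_.Subject -like 'CN=mail.example.com*' })
if ($cert.Count -ne 1) { throw "Expected one matching certificate, found $($cert.Count)" }
$thumbprint = $cert[0].Thumbprint

# 2. Prompt for the PFX password so it is never stored in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 3. Export as PKCS#12 with the private key and write FileData from this session.
#    Writing the file here instead of via a UNC path avoids granting the Exchange
#    Trusted Subsystem access to a share (the usual cause of "Access denied").
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint `
              -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# 4. Import on each target (skipping servers that already hold it) and enable the
#    services. -PrivateKeyExportable $false stops the key being exported again from
#    the new servers; -Force answers the "overwrite the default SMTP certificate"
#    prompt that the wizard would otherwise raise.
$fileData = [System.IO.File]::ReadAllBytes($pfxPath)
foreach ($server in $targetServers) {
    $existing = Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint -ErrorAction SilentlyContinue
    if (-not $existing) {
        Import-ExchangeCertificate -Server $server -FileData $fileData `
            -Password $pfxPassword -PrivateKeyExportable $false | Out-Null
    }
    Enable-ExchangeCertificate -Server $server -Thumbprint $thumbprint -Services $services -Force
}

# 5. The staged PFX contains the private key; remove it as soon as the imports are done.
Remove-Item -Path $pfxPath -Force

# 6. Verify every server now shows the same thumbprint as Valid with the services enabled.
foreach ($server in @($sourceServer) + $targetServers) {
    Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint |
        Select-Object @{n='Server';e={$server}}, Thumbprint, Status, Services
}
```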

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

  1. Lam Le says:

    Hi Paul,

    Do you know how to create a request for a cert that can be exported and import to TMG server? I think the private key needs to be set to “exportable”, but I don’t see anything from the UI to allow user to select that option.

    Thanks,

  2. Erik Townsend says:

    1) Can you use the same domain name for OWA, OAB, EWS, Exchange ActiveSync, Autodiscover and Outlook Anywhere, for both “when accessed from the intranet” and “when accessed from the internet”? Example of domain: email.company.edu
    2) If you have 2 CAS and 2 Mailbox servers, do you need a certificate for each server, or just the two CAS’s?
    3) I read that the OAB is run on the Mailbox servers. Does this mean you cannot set this up on the CAS? If it cannot run on the CAS, then with my topology it would have to run on the Mailbox Server, and that would mean I would need a certificate for all four servers?

  3. Cecil Cheng says:

    You mentioned in your article on Exchange 2013 SSL certificates that best practice is not to include the server names in the SAN certificate. How come you have included both Exchange servers and the domain in this article? Are there instances where this route (including the server names and domain) is preferred? Thank you. Appreciate the presence of your website!

  4. Benjamin says:

    Hi Paul, I have a CAS server with all my names/URLs set up and all is working well. I want to add 2 more additional CAS servers. Do I export the cert from the first one and then import it to the 2 new servers and then assign the services? I also need to make sure that the URLs are the same as the first CAS as I will be removing it.

    Please help.
    thanks

  5. Fahad says:

    Hi,

    When I import a pfx file using Exchange ECP the certificate is imported, but the friendly name field is empty and it does not let me edit it. Any idea how I can give a friendly name to the certificate?

  6. Omri Nahman says:

    Hi Paul,

    When I’m trying to export the cert to a folder I created on one of my servers I’m getting “The exported data cannot be written to the file. Access denied”.
    I have full permission for this folder, as does Exchange Trusted Subsystem.

    Thanks for your time.

  7. locdp says:

    Hello,
    I have 2 CAS servers that connect to the internet through a proxy server, so I used “netsh winhttp set proxy” to get the cert status to “Valid”. When I set up a mail account with POP3S/IMAPS I have this issue: “Send test email message your server does not support the connection encryption type you have special…”

    So, what did I do wrong? How do I fix it?

    P.S.: Sorry for my bad English.

    Thank you.

  8. barkmad says:

    With multiple Exchange servers do you have to share the private key? Sharing the private key often compromises it if sufficient controls are not in place. I would prefer one certificate per server; is this recommended, and are there any rules to follow if this is possible, please?

    • The cert must be exported with the private key so it can be imported and enabled on the other servers.

      The recommended practice is to use the same certificate on all CAS that will be handling traffic for the same namespaces. If you use separate certificates, clients will need to re-auth every time they switch CAS (e.g. for load balancing, or because the CAS they were connecting to fails).

  9. flip says:

    I have two CAS servers. I have purchased an SSL cert and successfully installed it. I created the CSR on Server 1 and included Server 2 in the process. I successfully completed importing it on Server 1. The new SSL is listed and status is valid. In the same area I select Server 2 and successfully imported the new SSL. However, I don’t see it on the list of certs. Did I do something incorrect? Should I have submitted another CSR request? How do I get the new SSL to show on the list on Server 2?

      • Flip says:

        I did this as well. I exported the completed cert on Server1; it exports it as a *.pfx file. I then select Server2, click Import, specify the server in the wizard, then click Finish. It imports successfully but it does not list the new cert.

        I can repeat the same process, but I have to remove the cert from Server2 for it to successfully import. I’ve restarted IIS and the server as well; it still won’t show up… What am I doing wrong?

        • Flip says:

          Never mind Paul, I got it to work.

          I found this on https://www.tbs-certificates.co.uk/FAQ/en/529.html

          I used PowerShell and ran the following command (the path separators were lost when this comment was posted; the file lives at c:\certificates\ExportedCert.pfx).

          Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

          Click Yes to overwrite.

          Verified the Cert was not on Server2 still. Then reran the wizard to import and now it shows up.

      • Ehtisham Qadir says:

        Hi Paul,

        Probably Galeboe’s situation applies to us too, but I just want to confirm. We are in co-existence between 2010 and 2013. Since we changed the external namespace we did not renew the cert that was installed on 2010. We got a new cert with the new namespace on Exchange 2013. Mailboxes are now on 2013, but Outlook still shows the “Security certificate is invalid or does not match” error. Is this because we don’t have the new cert on Exchange 2010?

        • The Autodiscover URL on both Exchange 2010 and 2013 should be the same, and it should resolve in DNS to the Exchange 2013 server. That is the most likely cause of what you’re seeing, assuming your 2013 server is configured correctly.

          • Ehtisham Qadir says:

            Followed your instructions and it did resolve the issue. Thank you so much Paul, I really appreciate it.

  10. Chris McKelvy says:

    New 2013 box, imported the .p7b cert through MMC fine. Imported the .crt through EAC and it does not show up. It does not show up in EMC either. If I try to import again it tells me the cert with thumbprint ***** already exists. So I cannot delete or edit the cert in EAC.

    Any ideas?

  11. Saeed Khalifi says:

    Hi Paul.

    I tried to export certificate from my old server (to import it to my new server), but I got the following error:
    “A special Rpc error occurs on server XERXES-1: The private key couldn’t be exported as PKCS-12. It either couldn’t be accessed or isn’t exportable.”

    Any help would be appreciated.
    Thanks in advance

  12. Brent says:

    Paul,

    I already have an existing wildcard cert, but I can’t get it to install on the CAS side of my Exchange 2013 servers. It shows up in the MB server for some reason, but when I try to add it to the CAS, I get an error of “The Exchange Certificate operation has failed with an exception on the server \Servername. The error message is: Access Denied.”

    When I look at the cert in my MB, the only services it offers as check boxes are SMTP and Microsoft Exchange Unified Messaging. Obviously I don’t want to go through the certificate setup, since I don’t need to purchase a cert, but I’m lost on how to resolve this issue, so my CAS will take my WC cert and I can continue.

    • Just guessing from the “Access Denied” error, the Exchange Trusted Subsystem group needs access to the UNC path where you’ve stored the exported certificate. Have you checked those permissions?

  13. guo says:

    Hi,
    I have one question: can 2 CAS servers with NLB install 2 different certificates, with 2 HTTPS proxy accesses, for a single public IP?

  14. guo says:

    Sorry for the confusion; I think I have the solution.
    One customer wants to use a single public IP hosting two different domains’ OWA/ECP, like a.com and b.com, while a.com already has a SAN certificate that does not include b.com. Now they want to have a b.com certificate installed on the CAS servers, which are NLBed.
    In front of the servers there is no reverse proxy, only simple NAT.
    Now if the internal CAS servers do not have an additional NIC with an additional IP, and there is no additional public IP, then the two certs for a.com and b.com coexisting will not work, right, as they use the same default-site virtual directory, unless we create an additional virtual directory with an additional IP (internal and external)? I read through the link below for reference:
    https://blogs.technet.microsoft.com/exchange/2015/02/11/configuring-multiple-owaecp-virtual-directories-on-the-exchange-2013-client-access-server-role/
    Could you give me your suggestion?

    • Well that article explains how to create separate OWA virtual directories. Since those virtual directories are on a different IIS website, you can bind a different certificate to it.

  15. Armando says:

    I did all the steps as you mentioned, but it appears that the certificate is not valid. Do the CAS servers need internet access to validate it? Or maybe it is an incompatibility problem?

  16. Hussain says:

    Hi Paul, we have 2 Exchange Server 2013 servers (multiple roles: Mailbox and CAS) configured. Both Exchange servers have a different namespace and external URL, but they are in a DAG. So if I renew the CA, can I use the same certificate exported from Server 1 on Server 2, or do I need to issue a new one for Server 2?

  17. Mahesh says:

    Hi Paul,

    Currently I have a 2010 environment with a DAG and am planning to upgrade to 2013, and I want to run both environments in parallel until I complete the mailbox migration from 2010 to 2013. Now I am stuck with the certificate part of 2013, as I have 4 servers, 2 for EX10 and 2 for EX10. How can I include both environments in a single certificate, and even for the CAS? Would you be able to help me on this?

    • If the certificate on the 2010 servers has the namespaces you’re going to use for 2013 (which is usually the case) then yes, you can usually re-use the certificate by exporting from 2010 and importing to 2013.

  18. saleem says:

    Hi Paul,
    I want to bind the trusted CA certificate to the Exchange service (intranet), which is right now running with a self-signed certificate. We need to configure some applications internally to utilize SMTP, which requires a trusted certificate. How can I do that?
