Assign an SSL Certificate to Exchange Server 2016 Services

When an SSL certificate has been installed for Exchange Server 2016, you need to assign it to Exchange services before it will be used. This task can be performed in the Exchange Admin Center.

Navigate to servers, then certificates, and select the server that has the SSL certificate you wish to enable for Exchange services.


Select the SSL certificate and click the edit icon.


Select services, then tick the boxes for each service you wish to enable.

  • IIS is used for all HTTPS services (such as OWA, ActiveSync, Outlook Anywhere). Only one certificate can be assigned to IIS, so it’s important that the certificate contains all of the correct names configured as URLs for your HTTPS services.
  • SMTP is used for TLS-encrypted mail flow. More than one certificate can be assigned to SMTP.
  • POP and IMAP are disabled by default in Exchange Server 2016, but if you are planning to enable them you should assign a certificate, whether that is the same certificate used for HTTPS or a different one.
  • UM is optional as well. If you are planning to use the UM features of Exchange Server 2016, enable a certificate for UM too. Again, that can be the same certificate used for HTTPS services or a different one.


Click Save when you’ve selected the services you need to use the SSL certificate for. If you are assigning an SMTP certificate, you may be prompted to overwrite the default SMTP certificate. SMTP can have multiple certificates assigned, and for a simple deployment where the single SSL certificate you acquired contains the SMTP namespace you plan to use on connectors, it is generally fine to say Yes to this prompt.


After you’ve completed those steps, the SSL certificate will be used by Exchange for the services you selected.
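
The same assignment can be made from the Exchange Management Shell. The script below is an added example, not part of the original article: before enabling the certificate for IIS and SMTP, it checks that the certificate's names cover every host name configured on the server's HTTPS URLs. `EXCH01` and the thumbprint are placeholders to replace with your own values.

```powershell
# Run in the Exchange Management Shell. Placeholder values (assumptions):
$Server     = 'EXCH01'
$Thumbprint = '<THUMBPRINT-OF-YOUR-CERTIFICATE>'

# Names (subject and SANs) on the certificate, lower-cased for comparison.
$cert  = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Collect every URL configured for the HTTPS services on this server.
$urls = @()
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    $urls += & $cmdlet -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
}
$urls += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri

# Reduce the URLs to host names and add the Outlook Anywhere host names.
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host.ToLower() })
$oa = Get-OutlookAnywhere -Server $Server
$hosts += @($oa.InternalHostname, $oa.ExternalHostname) |
          Where-Object { $_ } | ForEach-Object { "$_".ToLower() }
$hosts = @($hosts | Sort-Object -Unique)

# A host is covered by an exact name, or by a wildcard that replaces
# exactly one left-most label (*.example.com covers mail.example.com only).
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

$missing = @($hosts | Where-Object { -not (Test-NameCovered $_ $names) })
if ($missing.Count -gt 0) {
    Write-Warning "Not covered by the certificate: $($missing -join ', ')"
} else {
    # Prompts before replacing the default SMTP certificate, as the EAC does.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services IIS,SMTP
    Get-ExchangeCertificate -Server $Server |
        Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
}
```

Add `POP`, `IMAP` or `UM` to `-Services` if you are enabling those services with the same certificate.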

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. Bob says:

    I need to use IMAPS and SMTPS for some Thunderbird clients. I can connect using TB and can access a user's mailbox no problem. The problem I have is that when I try to send email I get a certificate warning, as SMTPS (port 587) is using the self-signed certificate which is assigned to IIS and SMTP. My wildcard certificate is also assigned to IIS and SMTP, but for some reason the self-signed certificate is being used when the TB clients try to send email. I can't change the certificate services in the EAC as the services are greyed out for both the self-signed AND wildcard cert, and using PowerShell hasn’t helped so far.

    So how can I get port 587/SMTPS to use my trusted wildcard cert rather than the self signed one?

  2. LCOUSTEIX says:

    Hello Paul,
    In a deployment that has 2 CAS servers and 2 MBX servers,
    on CAS, we have added IMAP onto the SSL cert we currently use for HTTPS.
    But do we need to add the same SAN cert on our MBX to declare IMAP/POP services on it?


  3. Steve says:

    I’m getting the following error. Previously exported this Cert with exportable private key:

    The imported certificate file for server DC3-EXCH-A failed to access for the following reason: The account used is a computer account. Use your global user account or local user account to access this server.
    + CategoryInfo : InvalidOperation: (:) [Import-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : [Server=DC3-EXCH-A,RequestId=9b5e17e4-b5f3-49cb-9311-7ad7b61fbc18,TimeStamp=6/17/2017 6:
    25:54 AM] [FailureCategory=Cmdlet-InvalidOperationException] BB29AC45,Microsoft.Exchange.Management.SystemConfigur
    + PSComputerName : dc3-exch-a.XXX.com

    Logged on as Domain / Organization Admin
