Installing & Configuring 3rd Party SSL Certificate in Exchange Server 2019

Exchange Server requires a certificate to encrypt traffic to and from its services. A Self-Signed Certificate is installed when Exchange Server is installed and is used to encrypt internal SMTP communication.

For publishing the Exchange environment to the internet, we need to install a 3rd Party Certificate from a valid Certificate Authority such as Comodo, Go Daddy, Symantec, GeoTrust, Thawte, Rapid SSL etc. 👈

To encrypt communication with clients connecting to your Exchange environment from an external network (e.g., remote users), you must use a 3rd Party Certificate that’s automatically trusted by all clients, services and other partner organization servers.

There are two ways to install (or import) the Certificates on Exchange Servers. We can either use Exchange Admin Center (EAC) or Exchange Management Shell.

Types of Certificates we can install in Exchange Server:

a) PKCS #12 certificate files: The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. It requires a password to be set when the certificate file contains the private key or chain of trust.

If the certificate is installed on an Exchange Server, we can easily export it by using the EAC or the Export-ExchangeCertificate cmdlet with the PrivateKeyExportable parameter value $true. When we export the certificate, we are asked to create a password, which is needed when importing the certificate, for example when adding a new server to the organization.

b) PKCS #7 certificate files / P7B: A P7B file contains only certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat. These are text certificate files that have .p7b or .p7c filename extensions. P7B certificates contain “-----BEGIN PKCS7-----” and “-----END PKCS7-----” statements.

A certificate authority might include a chain of certificates file that also needs to be installed along with the actual binary certificate file.

We can get the Certificates in two ways:

a) We can issue Self-Signed Certificates using Active Directory Certificate Services, by adding the role on Windows Server.

Self-Signed Certificates can also be used to secure a particular website within an intranet, a service such as an HR portal, or an application used within an organization.

Such a certificate has to be deployed on every client machine, either by group policies or manually, before it is trusted on the client machine. It’s available free of cost.

Note: This type of certificate is not recommended if you have hybrid environments or work with various partner organizations. (You would have to pass your SSL certificate on to every party you deal with.)

b) We can obtain a certificate from a commercial Certificate Authority (Public CA). This type of certificate is widely accepted: once issued, it is automatically trusted by almost all browsers, client software and cloud services, and by partner organizations you work with.

The commercial certificate reduces admin effort, however, it incurs some cost.

How to install Exchange Certificates in Microsoft Exchange Server 2019:

a) Open EAC and navigate to Servers (left pane) – Certificates – click on More Options (3 dots) – Import Exchange Certificate.

b) Now share the folder that holds the certificates downloaded from the 3rd Party CA. Enter the UNC path (\\Servername\sharedfoldername\certificate.cer or \\<LocalServerName>\c$\).

If you are using Exchange Management Shell, you can specify a local path of the folder.

Note: If the certificate file contains the private key or chain of trust, the file will be protected by a password. If you face any password issues, contact the person who created the .pfx file from the .crt, or the certificate authority.

c) Specify the Exchange Server to which you want to apply the 3rd Party Certificate. Click the add icon (+) & select the Server – Finish.

We have now added our 3rd Party Certificate to our Exchange Server 2019. However, we still have to assign the services that will use this certificate.

d) You will find that the certificate has been added to the list. Double-click the new 3rd Party Certificate and click Services – select the services your organization uses, e.g., SMTP, IIS, POP and IMAP. Make sure to select SMTP and IIS, then save.

If you get an overwrite warning message – proceed with Yes.
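
The same import and service assignment from the Exchange Management Shell, as an added example that is not part of the original article. The server name EX01, the file path and the host names are constructed placeholders.

```powershell
# Added example; EX01, the path and the host names are placeholders to replace.
$Server   = 'EX01'
$PfxPath  = '\\EX01\c$\Certs\mail_contoso_com.pfx'
$Expected = 'mail.contoso.com', 'autodiscover.contoso.com'   # names clients connect to

# Prompt for the PFX password so it is never stored in a script or in history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import the certificate and its private key into the server's store.
$import = @{
    Server               = $Server
    FileData             = [System.IO.File]::ReadAllBytes($PfxPath)
    Password             = $PfxPassword
    PrivateKeyExportable = $true
}
$imported = Import-ExchangeCertificate @import

# Re-read the certificate and check it before binding any service to it.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint
if (-not $cert.HasPrivateKey)        { throw 'Certificate has no private key on this server.' }
if ("$($cert.Status)" -ne 'Valid')   { throw "Certificate status is $($cert.Status), not Valid." }

# Every expected host name must be covered by a SAN entry (wildcards allowed).
$domains = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $Expected | Where-Object {
    $name = $_
    -not ($domains | Where-Object { $name -like $_ })
}
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# Assign SMTP and IIS. Exchange asks before replacing the default SMTP
# certificate; this is the overwrite warning described in the article.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services SMTP, IIS

# Show the result.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Once the import has succeeded, delete the PFX from the share or restrict access to it, because the file contains the private key.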

Verify whether the “Not Secure” warning message has disappeared 😎:

Close the browser, reopen and type your Exchange Web Address eg.,

I hope that, if you have followed all the above steps correctly, you will no longer see the “Not Secure” warning message 👈 😀

Note: To use “mail” before your domain, you have to add a Host (A) record in the local DNS of your server and point it to the private static IP of the Exchange Server (alternate address of https://localhost/ecp).

To check the status of the certificates using Exchange Management Shell:

Get-ExchangeCertificate | where {$_.Status -eq "Valid"} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
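
The status check above can be extended into an expiry report, shown here as an added example that is not part of the original article. The 30-day warning window is an assumed threshold.

```powershell
# Added example; the 30-day window is an assumption, adjust it to your renewal lead time.
$WarnDays = 30
$now      = Get-Date

$report = foreach ($server in (Get-ExchangeServer)) {
    foreach ($cert in (Get-ExchangeCertificate -Server $server.Name)) {
        $services = "$($cert.Services)"        # e.g. "IMAP, POP, IIS, SMTP" or "None"
        $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

        # Collect every reason this certificate needs attention.
        $findings = @()
        if ("$($cert.Status)" -ne 'Valid') { $findings += "status $($cert.Status)" }
        if ($daysLeft -lt 0)               { $findings += 'expired' }
        elseif ($daysLeft -le $WarnDays)   { $findings += "expires in $daysLeft days" }
        # A self-signed certificate on IIS is what produces browser warnings.
        if ($cert.IsSelfSigned -and $services -match 'IIS') {
            $findings += 'self-signed certificate bound to IIS'
        }

        [pscustomobject]@{
            Server     = $server.Name
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Services   = $services
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Findings   = $findings -join '; '
        }
    }
}

# Certificates that are in use and have at least one finding, most urgent first.
$report |
    Where-Object { $_.Findings -and $_.Services -ne 'None' } |
    Sort-Object DaysLeft |
    Format-Table Server, Subject, Services, DaysLeft, Findings -AutoSize -Wrap
```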


How to renew the Certificates once expired?

There are two ways to renew the certificate:

1) Widely used by Organizations:

a) Open EAC – Certificates – select the server that holds the certificate that you want to renew.

b) Select the certificate you want to renew – in the Action Pane, click Renew.

c) Provide the UNC path where the new CSR for the renewal will be created.

d) Upload or paste the new CSR into the Certificate Authority’s CSR option to have the renewed certificate issued.

Each Certificate Authority has its own web interface. If you face any issues, don’t hesitate to contact their technical support. They generally perform a quick cross-check verification before issuing the certificates.

Note: We can also create the new CSR from IIS Manager.

2) If you need a new certificate for your test or demo lab, you can issue a new certificate from scratch by manually adding all the desired Subject Alternative Names (SAN) to be included in your certificate. This is an easy method of getting 3rd party certificates.
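
Both renewal routes can also be run from the Exchange Management Shell. This is an added example, not part of the original article; the server name, thumbprint placeholder, paths, subject and host names are all constructed.

```powershell
# Added example; every value below is a placeholder to replace.
$Server   = 'EX01'
$OldThumb = '<thumbprint-of-the-expiring-certificate>'
$OutDir   = '\\EX01\c$\Certs'

# 1) Renewal: build a new request that reuses the subject and SANs of the
#    existing certificate. The cmdlet returns the Base64 request text.
$renewReq = Get-ExchangeCertificate -Server $Server -Thumbprint $OldThumb |
    New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path (Join-Path $OutDir 'renewal.req') -Value $renewReq -Encoding Ascii

# 2) From scratch: list every name clients will use as a SAN.
$new = @{
    Server               = $Server
    GenerateRequest      = $true
    FriendlyName         = 'contoso.com public certificate'
    SubjectName          = 'C=US,O=Contoso,CN=mail.contoso.com'
    DomainName           = 'mail.contoso.com', 'autodiscover.contoso.com'
    KeySize              = 2048
    PrivateKeyExportable = $true
}
$newReq = New-ExchangeCertificate @new
Set-Content -Path (Join-Path $OutDir 'new-san.req') -Value $newReq -Encoding Ascii

# The private key of each request stays on $Server; only the .req text goes to
# the CA. Pending requests remain listed until the issued certificate is
# imported on the same server with Import-ExchangeCertificate.
Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Status)" -eq 'PendingRequest' } |
    Format-List Subject, CertificateDomains, Thumbprint, Status
```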


Installing certificates, whether for a website, for services running on a server or for an application, is extremely important for any organization. Also, it’s difficult to cover every scenario of installing or configuring certificates in one article, as there are a lot of variables depending on the specific environment.

Before you deploy any solution I recommend that you test thoroughly first in a test environment, or at the very least have a clear rollback plan if something unexpected occurs.

If you want to know more about certificates, or have any concerns regarding installing, adding or renewing certificates for your test or production environment, don’t hesitate to post your comments below, and I assure you I will provide a resolution for your issue asap.
