How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers

During your planning for SSL certificates for Exchange 2013 you may have chosen to use the same certificate on multiple servers.

The process for acquiring a certificate to be used on multiple servers is almost identical to the process for a single server. In the Exchange 2013 certificate request wizard you enter the fully qualified domain names for the Client Access server namespaces that the SSL certificate will be used for. As you can see here, these do not need to include actual server names.

After completing the certificate request on the server where it was originally generated, you can export the certificate and import it to additional servers with the following steps.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate already installed.

Highlight the certificate to be exported, then click the “more” icon and choose Export Exchange Certificate.

Begin the export of an Exchange certificate

Enter a valid UNC path and the name of the file you wish to export to, and a password for the exported certificate.

Choose a path to store the exported certificate file

Complete the export Exchange certificate wizard.

Open the “more” icon again and this time choose Import Exchange Certificate (it does not matter at this stage which server you have selected in the drop-down list above the icons).

Begin the import of an SSL certificate to Exchange

Enter the UNC path to the file again, and the same password you used during the export.

Enter the UNC path and certificate password

Click the “+” icon and add any Exchange 2013 servers that you wish to import the certificate to.

Select the Exchange servers to import the SSL certificate to

Click Finish to complete the import wizard.
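The same export and import can be scripted in the Exchange Management Shell. The following is an added example, not part of the original article; the server names, share path and thumbprint are placeholders chosen for illustration. It also checks that each target server received the private key and removes the exported file from the share afterwards.

```powershell
# Added example: run in the Exchange Management Shell.
# All names, paths and the thumbprint below are placeholders (assumptions).
$sourceServer  = 'EX2013-01'                    # server that already holds the certificate
$targetServers = 'EX2013-02', 'EX2013-03'       # servers that should receive it
$thumbprint    = '<THUMBPRINT-OF-CERTIFICATE>'  # from Get-ExchangeCertificate -Server $sourceServer
$pfxPath       = '\\fileserver\certs$\exchange2013.pfx'

# Prompt for the export password so it never appears in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export the certificate with its private key as a password-protected PFX.
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

try {
    $pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
    foreach ($server in $targetServers) {
        Import-ExchangeCertificate -Server $server -FileData $pfxBytes `
            -Password $pfxPassword | Out-Null

        # Confirm the same certificate arrived together with its private key.
        $cert = Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint
        if ($cert.HasPrivateKey) {
            '{0}: imported, expires {1:yyyy-MM-dd}' -f $server, $cert.NotAfter
        } else {
            Write-Warning ('{0}: certificate imported without a private key' -f $server)
        }
    }
}
finally {
    # The PFX contains the private key; do not leave it on the share.
    Remove-Item -Path $pfxPath -Force
}
```

The imported certificate is not yet bound to any service; assigning it to Exchange services remains a separate step.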

After you have imported the certificate to a server you can then proceed with assigning the SSL certificate to Exchange services.

Comments

  1. Lam Le says

    Hi Paul,

    Do you know how to create a request for a cert that can be exported and imported to a TMG server? I think the private key needs to be set to “exportable”, but I don’t see anything in the UI to allow the user to select that option.

    Thanks,

  2. Erik Townsend says

    1) Can you use the same domain name for OWA, OAB, EWS, Exchange ActiveSync, Autodiscover and Outlook Anywhere, on both “when accessed from the intranet” and “when accessed from the internet”? Example of domain: email.company.edu
    2) If you have 2 CAS and 2 Mailbox servers, do you need a certificate for each server, or just the two CAS’s?
    3) I read that the OAB is run on the Mailbox servers. Does this mean you cannot set this up on the CAS? If it cannot run on the CAS, then with my topology, it would have to run on the Mailbox Server and that would mean I would need a certificate for all four servers?

  3. Cecil Cheng says

    You mentioned in your article on Exchange 2013 SSL certificates, that best practice is not to include the server names in the SAN certificate. How come you have included both exchange servers and the domain it in this article? Are there instances that this route (including the server names and domain) preferred than not? Thank you. Appreciate the presence of your website!

  4. Benjamin says

    Hi Paul, I have a CAS server with all my names/URLs set up and all is working well. I want to add 2 more additional CAS servers. Do I export the cert from the first one and then import it to the 2 new servers and then assign the services? I also need to make sure that the URLs are the same as the first CAS as I will be removing it.

    Please help.
    Thanks

  5. Fahad says

    Hi,

    When I import a pfx file using Exchange ECP the certificate is imported but the friendly name field is empty and it does not let me edit it. Any idea how I can give a friendly name to the certificate?

  6. Omri Nahman says

    Hi Paul,

    When I’m trying to export the cert to a folder I created on one of my servers I’m getting “The exported data cannot be written to the file. Access denied”.
    I have full permission for this folder, as does Exchange Trusted Subsystem.

    Thanks for your time.

  7. locdp says

    Hello,
    I have 2 CAS servers connected to the internet by a proxy server. So I use “netsh winhttp set proxy” to active Cert to “Valid”. When I set up a mail account by POP3S/IMAPS, I have an issue: “Send test email message your server does not support the connection encryption type you have special…”

    So, what was wrong? How do I fix it?

    P.S.: Sorry for my bad English.

    Thank you.
