How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers

During your planning for SSL certificates for Exchange 2013 you may have chosen to use the same certificate on multiple servers.

The process for acquiring a certificate to be used on multiple servers is almost identical to the process for a single server. During the Exchange 2013 certificate request wizard you enter the fully qualified domain names for the Client Access server namespaces that the SSL certificate will be used for. As you can see here these do not need to include actual server names.

After completing the certificate request on the server where it was originally generated, you can export the certificate and import it to additional servers with the following steps.

In the Exchange Administration Center navigate to Servers -> Certificates and choose the server that has the SSL certificate already installed.

Highlight the certificate to be exported, then click the “…” (more) icon and choose Export Exchange Certificate.

Begin the export of an Exchange certificate

Enter a valid UNC path and the name of the file you wish to export to, and a password for the exported certificate.

Choose a path to store the exported certificate file

Complete the export Exchange certificate wizard.

Open the “more” icon again and this time choose Import Exchange Certificate (it does not matter at this stage which server you have selected in the drop-down list above the icons).

Begin the import of an SSL certificate to Exchange

Enter the UNC path to the file again, and the same password you used during the export.

Enter the UNC path and certificate password

Click the “+” icon and add any Exchange 2013 servers that you wish to import the certificate to.

Select the Exchange servers to import the SSL certificate to

Click Finish to complete the import wizard.
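
The same export and import can also be scripted from the Exchange Management Shell. The PowerShell below is an added example, not part of the original article; the server names, UNC path and thumbprint are placeholders. It goes slightly beyond the wizard steps by marking the imported private key as non-exportable on the additional servers and deleting the exported file afterwards, since that file contains the private key.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
# Server names, the share path and the thumbprint are placeholders (assumptions).
$sourceServer  = 'EX2013-01'                         # hypothetical: server holding the certificate
$targetServers = 'EX2013-02', 'EX2013-03'            # hypothetical: servers to import to
$pfxPath       = '\\fileserver\certs$\exchange.pfx'  # hypothetical UNC path with a restrictive ACL
$thumbprint    = '<THUMBPRINT-OF-CERTIFICATE>'       # from Get-ExchangeCertificate -Server $sourceServer

# Prompt for the PFX password so it never appears in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export the certificate with its private key as a password-protected PFX.
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# Read the PFX once and import it to each additional server.
$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
foreach ($server in $targetServers) {
    # -PrivateKeyExportable:$false prevents the key being exported again from the target.
    Import-ExchangeCertificate -Server $server -FileData $pfxBytes `
        -Password $pfxPassword -PrivateKeyExportable:$false | Out-Null

    # Confirm the certificate arrived with the same thumbprint and a private key.
    $cert = Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint `
        -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) {
        Write-Warning "Certificate $thumbprint missing or without private key on $server"
    } else {
        Write-Host "$server : $($cert.Subject) valid until $($cert.NotAfter)"
    }
}

# The PFX holds the private key: remove it once every server is done.
Remove-Item -Path $pfxPath -Force
```

If the certificate has to be exported again later, do it from the original server, where the key is still exportable.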

After you have imported the certificate to a server you can then proceed with assigning the SSL certificate to Exchange services.


  1. Lam Le says

    Hi Paul,

    Do you know how to create a request for a cert that can be exported and imported to a TMG server? I think the private key needs to be set to “exportable”, but I don’t see anything in the UI to allow the user to select that option.


  2. Erik Townsend says

    1) Can you use the same domain name for OWA, OAB, EWS, Exchange ActiveSync, Autodiscover and Outlook Anywhere, on both “when accessed from the intranet” and “when accessed from the internet”? example of domain:
    2) If you have 2 CAS and 2 Mailbox servers, Do you need a certificate for each server, or just the two CAS’s?
    3) I read that the OAB is run on the Mailbox servers. Does this mean you cannot set this up on the CAS? If it cannot run on the CAS, then with my topology, it would have to run on the Mailbox Server and that would mean I would need a certificate for all four servers?

  3. Cecil Cheng says

    You mentioned in your article on Exchange 2013 SSL certificates, that best practice is not to include the server names in the SAN certificate. How come you have included both exchange servers and the domain it in this article? Are there instances that this route (including the server names and domain) preferred than not? Thank you. Appreciate the presence of your website!

  4. Benjamin says

    Hi Paul, I have a CAS server with all my names/URLs set up and all is working well. I want to add 2 more additional CAS servers. Do I export the cert from the first one and then import it to the 2 new servers and then assign the services? I also need to make sure that the URLs are the same as the first CAS as I will be removing it.

    Please help.

  5. Fahad says


    When I import pfx file using exchange ecp the certificate is imported but the friendly name field is empty and it does not let me edit it. Any idea how can I give a friendly name to certificate.

  6. Omri Nahman says

    Hi Paul,

    When I’m trying to export the cert to a folder I created on one of my servers I’m getting “The exported data cannot be written to the file. Access denied”.
    I have full permission for this folder as well as exchange trusted subsystem.

    Thanks for your time.

  7. locdp says

    I have 2 CAS servers that connect to the internet through a proxy server, so I use “netsh winhttp set proxy” to get the cert status to “Valid”. When I set up a mail account with POP3S/IMAPS, I have this issue: “Send test email message your server does not support the connection encryption type you have special…”

    So, what is wrong? How do I fix it?

    P.S. Sorry for my bad English.

    Thank you.

  8. barkmad says

    With multiple Exchange servers do you have to share the private key? Sharing the private key often compromises it if sufficient controls are not in place, I would prefer one certificate per server, is this recommended and are there any rules to follow if this is possible, please?

    • says

      The cert must be exported with the private key so it can be imported and enabled on the other servers.

      The recommended practice is to use the same certificate on all CAS that will be handling traffic for the same namespaces. If you use separate certificates clients will need to re-auth every time they switch CAS (eg for load balancing or because the CAS they were connecting to fails).
