Applies to: Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Use the Enable-ExchangeCertificate cmdlet to enable an existing certificate that is in the local certificate store for different services.


There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Creating a Certificate or Certificate Request for TLS.


Enable-ExchangeCertificate -Thumbprint <String> -Services <None | IMAP | POP | UM | IIS | SMTP> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

Detailed Description

The Enable-ExchangeCertificate cmdlet enables a certificate by updating the metadata that is stored with the certificate. To enable an existing certificate to work with different services, run the Enable-ExchangeCertificate command and specify the services that you want to enable. You can rerun this cmdlet if you want to add new services that use the certificate.

Remember that different services have different metadata requirements on a given certificate. In addition, the Enable-ExchangeCertificate cmdlet is only additive. That means that you can't disable or remove specific services from the certificate by using the Enable-ExchangeCertificate command.

For example, some services may only require a server name in the certificate, whereas other services may require a fully qualified domain name (FQDN). Make sure that the certificate name can support the uses required by the services you enable it for.

When you enable a certificate for the Simple Mail Transfer Protocol (SMTP) service and the certificate contains a FQDN that matches the FQDN of the local computer, the certificate may be published to the Active Directory directory service.

To run the Enable-ExchangeCertificate cmdlet, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To run the Enable-ExchangeCertificate cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.


Parameter Required Type Description




Services (Required): Use this parameter to specify the services that will use the resulting certificate. Valid entries include a combination of the following:

  • IMAP

  • POP

  • UM

  • IIS

  • SMTP

  • None

To enable a certificate for multiple services, enclose the values in quotation marks and separate them by commas as in the following example:

-Services "IMAP, POP, IIS"




Thumbprint (Required, String): Use this parameter to specify the thumbprint of the certificate that you are enabling. Each certificate contains a thumbprint, which is the digest of the certificate data.




Confirm (Optional, SwitchParameter): The Confirm parameter causes the command to pause processing and requires you to acknowledge what the command will do before processing continues. You don't have to specify a value with the Confirm parameter.




DomainController (Optional, Fqdn): To specify the fully qualified domain name (FQDN) of the domain controller that retrieves data from the Active Directory directory service, include the DomainController parameter in the command. The DomainController parameter is not supported on computers that run the Edge Transport server role. The Edge Transport server role writes only to the local Active Directory Application Mode (ADAM) instance.




WhatIf (Optional, SwitchParameter): The WhatIf parameter instructs the command to simulate the actions that it would take on the object. By using the WhatIf parameter, you can view what changes would occur without having to apply any of those changes. You don't have to specify a value with the WhatIf parameter.




Force (Optional, SwitchParameter): Include the Force parameter to force the command to execute without asking for user confirmation.

Input Types

Return Types


Error Description



Exceptions Description



The following example shows how to enable a certificate for POP and IMAP services.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP"
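
The following is an added example, not part of the original documentation. It checks the certificate before enabling it (private key present, not expired, required name included), previews the change with WhatIf, and then compares the service assignment before and after, which makes the additive behavior described above visible. The name mail.contoso.com is a placeholder assumption; the thumbprint is the one from the example above.

```powershell
# Added example: pre-flight checks, then enable and verify.
# Run in the Exchange Management Shell on the target server.
$thumbprint   = '5113ae0233a72fccb75b1d0198628675333d010e'  # thumbprint from the example above
$requiredName = 'mail.contoso.com'                          # placeholder: the name clients connect to
$services     = 'POP, IMAP'

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in the local store." }

# A certificate without its private key, or one that has expired,
# cannot be used to secure TLS/SSL sessions.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Exact-match check of the names carried by the certificate.
# A wildcard entry is not expanded here; extend the check if you rely on one.
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
if ($names -notcontains $requiredName) {
    $listed = [string]::Join(', ', $names)
    throw "Certificate names ($listed) do not include $requiredName."
}

# Record the current assignment: the cmdlet only adds services,
# so anything listed here stays enabled afterwards.
$before = $cert.Services
Write-Host "Services before: $before"

# Preview the change, then apply it.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services -WhatIf
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services

# Re-read the certificate and confirm the resulting assignment.
$after = (Get-ExchangeCertificate -Thumbprint $thumbprint).Services
Write-Host "Services after:  $after"
```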