Export a certificate from an Exchange server
You can export a certificate from an Exchange server as a backup or to import the certificate on other clients, devices or servers. You can export certificates in the Exchange admin center (EAC) or in the Exchange Management Shell. The resulting certificate file is a password-protected binary PKCS #12 file that contains the certificate's private key, and is suitable for importing (installing) on other servers.
Note
The certificate management tasks are removed from the EAC in Exchange Server 2016 CU23 and Exchange Server 2019 CU12. Use the Exchange Management Shell procedure to export or import the certificate in these versions.
What do you need to know before you begin?
Estimated time to complete: 5 minutes.
In the EAC, you need to export the certificate file to a UNC path (\\<Server>\<Share>\ or \\<LocalServerName>\c$\). In the Exchange Management Shell, you can specify a local path.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Tip
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
Use the EAC to export a certificate
Open the EAC and navigate to Servers > Certificates.
In the Select server list, select the Exchange server that contains the certificate, click More options, and select Export Exchange certificate.
On the Export Exchange certificate page that opens, enter the following information:
File to export to: Enter the UNC path and file name of the certificate file. For example, \\FileServer01\Data\Fabrikam.pfx.
Password: When you export the certificate with its private key, you need to specify a password. Exporting the certificate with its private key allows you to import the certificate on other servers.
When you're finished, click OK.
Use the Exchange Management Shell to export a certificate
To export a binary certificate file that you can import on other clients or servers, use the following syntax:
$cert = Export-ExchangeCertificate -Thumbprint <Thumbprint> -BinaryEncoded -Password (Read-Host "Enter password" -AsSecureString) [-Server <ServerIdentity>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.pfx', $cert.FileData)
This example exports a certificate from the local Exchange server to a file with the following settings:
- The certificate that has the thumbprint value 5113ae0233a72fccb75b1d0198628675333d010e is exported to the file C:\Data\Fabrikam.pfx on the same server where you're running the command.
- The exported certificate file is encoded by DER (not Base64).
- You're prompted to enter the password.
$cert = Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -BinaryEncoded -Password (Read-Host "Enter password" -AsSecureString)
[System.IO.File]::WriteAllBytes('C:\Data\Fabrikam.pfx', $cert.FileData)
To export a pending certificate request (also known as a certificate signing request or CSR), use the following syntax:
$txtcert = Export-ExchangeCertificate -Thumbprint <Thumbprint> [-Server <ServerName>]
[System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.req', [System.Text.Encoding]::Unicode.GetBytes($txtcert))
This example exports a pending certificate request from the local Exchange server to a file with the following settings:
- The certificate that has the thumbprint value 72570529B260E556349F3403F5CF5819D19B3B58 is exported to the file \\FileServer01\Data\Fabrikam.req.
- The exported certificate file is Base64 encoded.
$txtcert = Export-ExchangeCertificate -Thumbprint 72570529B260E556349F3403F5CF5819D19B3B58
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\Fabrikam.req', [System.Text.Encoding]::Unicode.GetBytes($txtcert))
For detailed syntax and parameter information, see Export-ExchangeCertificate.
Notes:
- You can export a pending certificate request if you need to resubmit the certificate request to the certification authority and you can't find the original certificate request file.
- When you export a certificate request, you typically don't need to use the Password parameter or the BinaryEncoded switch, and you save the request to a .req file.
- You can't import an exported pending certificate request on another server.
How do you know this worked?
To verify that you have successfully exported a certificate from an Exchange server, try importing the certificate file on another server. For more information, see Import or install a certificate on an Exchange server.
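A local check you can run before attempting the import, as an added example that is not part of the original article: it opens the exported file with the export password, without adding it to a certificate store, and confirms the thumbprint and the presence of the private key. Test-ExportedPfx and Protect-ExportedPfx are hypothetical helper names, and the path and thumbprint in the usage lines are the sample values from the export example above.

```powershell
# Added example, not part of the original article.
# Test-ExportedPfx and Protect-ExportedPfx are hypothetical helper names.
function Test-ExportedPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Open the PFX with the export password without adding it to any
    # certificate store. A wrong password or a damaged file throws here.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $Path, $Password, $flags
    try {
        [pscustomobject]@{
            # -eq on strings is case-insensitive, so upper/lower-case hex both match
            ThumbprintMatches = ($cert.Thumbprint -eq $ExpectedThumbprint)
            HasPrivateKey     = $cert.HasPrivateKey
            Subject           = $cert.Subject
            NotAfter          = $cert.NotAfter
            # Record this hash and compare it on the destination after the copy
            FileSha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        }
    }
    finally {
        $cert.Reset()   # release the certificate handle
    }
}

# The PFX contains the private key, so limit who can read the file while it
# waits to be copied: remove inherited ACEs and grant read to the current user only.
function Protect-ExportedPfx {
    param([Parameter(Mandatory)] [string] $Path)
    icacls $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null
}

# Usage with the sample values from the export example above
$pw = Read-Host "Enter password" -AsSecureString
Protect-ExportedPfx -Path 'C:\Data\Fabrikam.pfx'
Test-ExportedPfx -Path 'C:\Data\Fabrikam.pfx' `
    -ExpectedThumbprint '5113ae0233a72fccb75b1d0198628675333d010e' -Password $pw
```

Both ThumbprintMatches and HasPrivateKey should be True for a file that is usable on another server; delete the exported file once it has been imported there.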