In previous articles, we generated and completed a certificate request. Keep in mind that despite the request being completed it is not yet live. We must still assign services to that certificate.
In this article, we will assign services to a certificate (affiliate) in Exchange 2016. We explore how to accomplish this using the Exchange Admin Center and PowerShell.
Let’s get started!
Note: These steps are identical for Exchange 2013, 2016, and 2019.
Assign Services to a Certificate with Exchange Admin Center
Log in to the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub-tab.
Select your certificate and click the Edit (
) button.
Select the Services tab. Pick your desired services. Click Save. In our example we just picked IIS.
This may take a minute or so to process. Once complete you will see the certificate has been assigned to the services you picked. In our case IIS is now assigned to the certificate.
Assign Services to a Certificate with PowerShell
If you prefer to assign services using PowerShell you would use the Enable-ExchangeCertificate cmdlet. Using our example above our command would look like this:
C:\> Enable-ExchangeCertificate -Thumbprint <ID> -Services IIS
You can obtain the thumbprint by running Get-ExchangeCertificate.
In this command:
- -Thumbprint specifies the certificate to configure via its thumbprint.
- -Services define which components you want to use the certificate with (e.g. IIS, SMTP, etc.).
To verify the services have been assigned, run the Get-ExchangeCertificate command.
C:\Users\supertekboy\Desktop>Get-ExchangeCertificate Thumbprint Services Subject ---------- -------- ------- 559642FCD3DD4769D79A457D11875AF9E6E49F3C ...WS.. CN=webmail.exchangeservergeek.com, OU=Exchange Server Geek, O=S...
The services column indicates what services are currently assigned to the certificate. In the example above IIS (W) and SMTP (S) have been assigned to this certificate.
Other possibilities include POP (P), IMAP (I) and Unified Messaging (U).
Checking your work
Now that we have our new certificate installed, we need to test to make sure it is working properly.
The easiest way to check is to enter your URL into a web browser. In our case, we enter https://webmail.exchangeservergeek.com/ecp. This should result in no certificate errors.
Let’s test AutoDiscover as well. In our case https://autodiscover.exchangeservergeek.com/autodiscover/autodiscover.xml. You will be prompted for credentials. Once entered you will receive the following response. Despite it being an error it is expected behavior. Autodiscover was expecting Outlook, not Internet Explorer.
Do the test results look good? Awesome! Your certificate is correctly installed.
More than one server?
If you have multiple Exchange servers it is important that we copy this certificate to each Exchange Server. To do this check our article on importing and exporting Exchange certificates.
Further Reading
Here are some articles I thought you might like.
- Generate a Certificate Request in Exchange 2016
- Complete a Certificate Request in Exchange 2016
- Import & Export a Certificate in Exchange 2016
- Install Exchange 2016 in your lab (7-part series)
- Create an IP-less DAG (No Administrative Access Point)
- What Ignite taught us about Exchange 2016
I always like the detail of your articles. You have bits of information others don’t. Thanks.