In this article, we explore the process of assigning services to a third-party certificate for Exchange 2016 CU23 and greater and Exchange 2019 CU12 and greater. Unlike the previous articles, where this process was only available in PowerShell, assigning services is still available in the Exchange Admin Center. In this article, we will cover both methods of assigning services to a certificate.
Let’s get started!
Note: When you assign services to a certificate, it will impact current connections to Exchange. For example, assigning IIS to a certificate can cause Outlook clients to reconnect. You may wish to perform this action during a maintenance window or after hours.
Assign Services to a Certificate with Exchange Admin Center
Log in to the Exchange Admin Center (EAC). Select the Servers tab and Certificates sub-tab.
Select your certificate and click the Edit () button.
Select the Services tab. Pick your desired services. In our example below, we picked IIS and SMTP. Click Save. If you selected the SMTP checkbox, you will be asked if you want to replace your default SMTP certificate. Select Yes.
This may take a minute or so to process. Once complete, you will see the certificate has been assigned to the services you picked. In our example, IIS and SMTP are now assigned to the certificate.
Assign Services to a Certificate with PowerShell
To assign services using PowerShell, we will need to capture the thumbprint of our new certificate. To do this, we will need to first run the Get-ExchangeCertficate command.
C:\> Get-ExchangeCertificate | Format-Table Subject, Thumbprint Subject Thumbprint ------- ---------- CN=mail.exchangeservergeek.com B26C3C9B30A2A7371767275043816466CB921738 CN=EX19-01 C232F4D642F74B9DC7E4ED33D4AB56E68C10CA76 CN=Microsoft Exchange Serve... 411A27BA64FD140523E4D1CF088589C228CA9C5E CN=WMSvc-SHA2-EX19-01 D894B092E2ABE925E7104A0C9DFF6C448182CA30
From the example above, we can see the thumbprint for mail.exchangeservergeek.com is B26C3C9B30A2A7371767275043816466CB921738. Now that we have our thumbprint, we can use the Enable-ExchangeCertificate command.
C:\> Enable-ExchangeCertificate -Server EX19-01 -Thumbprint B26C3C9B30A2A7371767275043816466CB921738 -Services IIS,SMTP
In this command:
- Server specifies which server you want the action performed against. If you omit this parameter, the action is performed against the server where PowerShell is connected.
- Thumbprint specifies the certificate to configure via its thumbprint
- Services define which components you want to use the certificate with (e.g. IIS, SMTP, POP, IMAP, etc.)
If you specified SMTP as a service to add to the new certificate, you will be prompted on whether to overwrite the existing default SMTP certificate. Enter Y and press Enter.
Overwrite the existing default SMTP certificate? Current certificate: '5FA62F11B524678090B752F48E207DEC3A0DFF46' Replace it with certificate: 'B26C3C9B30A2A7371767275043816466CB921738' [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is Y): Y
To verify the services have been assigned, run the Get-ExchangeCertificate command.
C:\> Get-ExchangeCertificate | Format-Table Subject, Services Subject Services ------- -------- CN=mail.exchangeservergeek.com IIS, SMTP CN=EX19-01 IIS, SMTP CN=Microsoft Exchange Server Auth Certificate SMTP CN=WMSvc-SHA2-EX19-01 None
The services column indicates what services are currently assigned to the certificate. In the example above, IIS and SMTP have been assigned to the mail.exchangeservergeek.com certificate. Other possibilities include POP, IMAP, and Federation. For Exchange 2016, Unified Messaging is an additional option (no longer supported in Exchange 2019).
Checking your work
Now that we have our new certificate installed, we need to test it to make sure it is working properly.
The easiest way to check is to enter your URL into a web browser. In our case, we enter https://mail.exchangeservergeek.com/ecp. This should result in no certificate errors.
Let’s test Autodiscover as well. In our example, our Autodiscover URL is, https://autodiscover.exchangeservergeek.com/autodiscover/autodiscover.xml. You will be prompted for credentials. Once entered, you will receive the following response. Despite it being an error, it is expected behavior. Autodiscover was expecting Outlook, not Microsoft Edge.
Do the test results look good? Awesome! Your certificate is correctly installed.
More than one server?
If you have multiple Exchange servers, it is important that we copy this certificate to each Exchange Server. To do this, check our article on importing and exporting Exchange certificates.
Here are some articles I thought you might like.
- Generate a Certificate Request for Exchange 2016 and Exchange 2019
- Complete a Certificate Request for 2016 and Exchange 2019
- Import & Export SSL Certificates in Exchange 2016 and Exchange 2019
- Renew a Certificate in Exchange 2016 & 2019
- Generate a Certificate Request for Exchange 2013
- Complete a Certificate Request in Exchange 2013
- Assign Services to a Certificate in Exchange 2013
- Import & Export a Certificate in Exchange 2013
- Renew a Certificate in Exchange 2013