Export a certificate from an Exchange server
You can export a certificate from an Exchange server as a backup or to import the certificate on other clients, devices or servers. You can export certificates in the Exchange admin center (EAC) or in the Exchange Management Shell. The resulting certificate file is a password-protected binary PKCS #12 file that contains the certificate's private key, and is suitable for importing (installing) on other servers.
What do you need to know before you begin?
Estimated time to complete: 5 minutes.
In the EAC, you need to export the certificate file to a UNC path (
\\<LocalServerName>\c$\). In the Exchange Management Shell, you can specify a local path.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Use the EAC to export a certificate
Open the EAC and navigate to Servers > Certificates.
In the Select server list, select the Exchange server that contains the certificate, click More options , and select Export Exchange certificate.
On the Export Exchange certificate page that opens, enter the following information:
File to export to: Enter the UNC path and file name of the certificate file. For example,
Password: When you export the certificate with its private key, you need to specify a password. Exporting the certificate with its private key allows you to import the certificate on other servers.
When you're finished, click OK.
Use the Exchange Management Shell to export a certificate
To export a binary certificate file that you can import on other clients or servers, use the following syntax:
Export-ExchangeCertificate -Thumbprint <Thumbprint> -FileName "<FilePathOrUNCPath>\<FileName>.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String '<Password> ' -AsPlainText -Force) [-Server <ServerIdentity>]
This example exports a certificate from the local Exchange server to a file with the following settings:
The certificate that has the thumbprint value
5113ae0233a72fccb75b1d0198628675333d010eis exported to the file
The exported certificate file is encoded by DER (not Base64).
The password for the certificate file is
Export-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -FileName "C:\Data\Fabrikam.pfx" -BinaryEncoded -Password (ConvertTo-SecureString -String 'P@ssw0rd1' -AsPlainText -Force)
The FileName parameter accepts a local path or a UNC path.
You can use a similar procedure to export a pending certificate request (also known as a certificate signing request or CSR). For example, if you need to resubmit the certificate request to the certification authority, and you can't find the original certificate request file. When you export a certificate request, you typically don't need to use the Password parameter or the BinaryEncoded switch, and you save the request to a .req file. Note that you can't import an exported certificate request on another server.
For more information, see Export-ExchangeCertificate.
How do you know this worked?
To verify that you have successfully exported a certificate from an Exchange server, try importing the certificate file on another server. For more information, see Import or install a certificate on an Exchange server.