Assigning Exchange 2016 and 2013 Certificate To Multiple Servers At The Same Time

In Exchange 2010, the Exchange Management Console allowed us to import certificates to multiple servers and to then assign the certificate to multiple servers simultaneously.  In the Exchange 2013 and Exchange 2016 EAC, the option to enable the certificate for Exchange services is per server.

As you can seen in the Exchange 2016 example below, we need to select each server one by one from the drop down and edit the certificate assignment on each server.

Exchange 2016 EAC To Manage Certificates

Is there a better way to do this?  PowerShell is generally the answer, no matter what the question..


Assigning Certificate to Services on Multiple Exchange Servers

Using the Exchange Management Shell, we are able to easily automate the assignment of the certificate on multiple servers.  We will use the trusty Enable-ExchangeCertificate cmdlet.  This is our old friend from Exchange 2007 days, where PowerShell was the only option to manage Exchange certificates.  Yup, there was no GUI to manage them until Exchange 2010.

In the example here, the certificate we wish to use is the top one in the list, which has a thumbprint of CC27E84F420B4452617D90638EC3AA6CF127DAA9.  In the below screen note that this certificate has no bindings, this is indicated in the Services column.

Assigning Certificate to Services on Multiple Exchange Servers


The Enable-ExchangeCertificate cmdlet expects a single server to be present in the –Server parameter.  Thus we need to provide a list of servers to enable the certificate on, looping through this list to enable the certificate on each.  That way we can provide the singe server which the cmdlet expects, yet automate the overall process.


First we will build up an array of servers to enable the certificate on.  Note that the certificate was already imported to those servers.  Your certificate thumbprint will also be different. An array of servers is needed as we can not pipe the output from Get-ExchangeServer directly to Enable-ExchangeCertificate.  Well you could tweak PowerShell to do that, but I'm not spending the time as there are more pressing issues!

To copy the highlighted code samples, double click them to select all of the text in the section.  It can then be copied normally.

 $Servers = "Consea-MB2", "Condal-MB2" 

The we loop through the list, enabling the certificate for each server with the below one-liner.

Note that this example will not automatically overwrite the default SMTP certificate and will prompt for actions.  For a discussion on whether to overwrite or not please see this post.

 $Servers | ForEach {Enable-ExchangeCertificate -Thumbprint CC27E84F420B4452617D90638EC3AA6CF127DAA9 -Services "SMTP,IIS" -Server $_ } 


Should you actually want to overwrite the default SMTP certificate then the below option can be used.

 $Servers | ForEach {Enable-ExchangeCertificate -Thumbprint CC27E84F420B4452617D90638EC3AA6CF127DAA9 -Services "SMTP,IIS" -Server $_ -Confirm:$False -Force} 

This enables the certificate for the SMTP and IIS services.  It will also overwrite the default SMTP certificate.  You can chose the correct assignment for your environment.  The Exchange 2016 documentation for Enable-ExchangeCertificate lists all the options.

Verifying Certificate Assigned To Services on Multiple Exchange Servers

To then check the command executed as planned, we will verify the certificate assignment.

In the same vein as above, we loop through the list of provided servers.

 $Servers | ForEach {Write-Host $_; (Get-ExchangeCertificate -Server $_); Write-Host } 

Verifying Certificate Assigned To Services on Multiple Exchange Servers




Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *