In Exchange 2010, the Exchange Management Console allowed us to import certificates to multiple servers and to then assign the certificate to multiple servers simultaneously. In the Exchange 2013 and Exchange 2016 EAC, the option to enable the certificate for Exchange services is per server.
As you can see in the Exchange 2016 example below, we need to select each server one by one from the drop down and edit the certificate assignment on each server.
Is there a better way to do this? PowerShell is generally the answer, no matter what the question.
Assigning Certificate to Services on Multiple Exchange Servers
Using the Exchange Management Shell, we are able to easily automate the assignment of the certificate on multiple servers. We will use the trusty Enable-ExchangeCertificate cmdlet. This is our old friend from Exchange 2007 days, where PowerShell was the only option to manage Exchange certificates. Yup, there was no GUI to manage them until Exchange 2010.
In the example here, the certificate we wish to use is the top one in the list, which has a thumbprint of CC27E84F420B4452617D90638EC3AA6CF127DAA9. In the screen below, note that this certificate has no bindings, as indicated in the Services column.
The Enable-ExchangeCertificate cmdlet expects a single server to be present in the -Server parameter. Thus we need to provide a list of servers to enable the certificate on, looping through this list to enable the certificate on each. That way we can provide the single server which the cmdlet expects, yet automate the overall process.
First we will build up an array of servers to enable the certificate on. Note that the certificate was already imported to those servers. Your certificate thumbprint will also be different.
$Servers = "Consea-MB2", "Condal-MB2"
Then we loop through the list, enabling the certificate for each server with the below one-liner:
$Servers | ForEach {Enable-ExchangeCertificate -Thumbprint CC27E84F420B4452617D90638EC3AA6CF127DAA9 -Services "SMTP,IIS" -Server $_ -Confirm:$False -Force}
This enables the certificate for the SMTP and IIS services. You can choose the correct assignment for your environment. The Exchange 2016 documentation for Enable-ExchangeCertificate lists all the options.
Verifying Certificate Assigned To Services on Multiple Exchange Servers
To check that the command executed as planned, we will verify the certificate assignment.
In the same vein as above, we loop through the list of provided servers.
$Servers | ForEach {Write-Host $_; (Get-ExchangeCertificate -Server $_); Write-Host }
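The enable and verify loops above can be combined into one pass that checks its own work. This is an added example, not part of the original post: it confirms the certificate is present and unexpired on each server before enabling it, then re-reads the bindings and reports any service that did not take. The $Wanted, $Row and $Results variable names are introduced here for illustration.

```powershell
# Added example for the Exchange Management Shell. Server names and thumbprint
# are the ones used in this post; substitute your own.
$Servers    = "Consea-MB2", "Condal-MB2"
$Thumbprint = "CC27E84F420B4452617D90638EC3AA6CF127DAA9"
$Wanted     = "SMTP", "IIS"          # illustrative variable: services to bind

$Results = foreach ($Server in $Servers) {
    $Row = [ordered]@{ Server = $Server; Result = ""; Services = ""; NotAfter = $null }

    # Pre-check: the certificate must already be imported on this server.
    $Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue
    if (-not $Cert) {
        $Row.Result = "Certificate not found"
        [pscustomobject]$Row; continue
    }
    $Row.NotAfter = $Cert.NotAfter
    if ($Cert.NotAfter -lt (Get-Date)) {
        $Row.Result = "Expired, skipped"
        [pscustomobject]$Row; continue
    }

    try {
        # -Force suppresses the prompt to replace the current default SMTP certificate.
        Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint `
            -Services ($Wanted -join ",") -Confirm:$false -Force -ErrorAction Stop
    }
    catch {
        $Row.Result = "Enable failed: $($_.Exception.Message)"
        [pscustomobject]$Row; continue
    }

    # Post-check: re-read the certificate and compare its bindings to what we asked for.
    $Cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    $Row.Services = "$($Cert.Services)"
    $Missing = @($Wanted | Where-Object { $Row.Services -notmatch $_ })
    $Row.Result = if ($Missing.Count) { "Missing: $($Missing -join ', ')" } else { "OK" }
    [pscustomobject]$Row
}

$Results | Format-Table -AutoSize
```

A server that reports anything other than OK was either skipped or is still presenting its previous certificate for at least one service.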
Cheers,
Rhoderick