MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Export a certificate from Exchange 2007/2010 and Import in Exchange 2013

Some time back someone asked me how to Export a certificate from Exchange 2007/2010 and Import in Exchange 2013. So here you go…

Export the CERT

To export the certificate from Exchange 2007, follow the steps below:

  1. Log in to the Exchange 2007 server.
  2. Go to Run and type mmc.
  3. In MMC, click File and select Add/Remove Snap-in.
  4. Select Certificates, then Computer account.
  5. Select Local Computer.
  6. Click OK, then OK.
  7. You will now see the Certificates MMC.
  8. Select Personal, then Certificates, and select your cert.
  9. Right-click the certificate to export, then select All Tasks and Export.
  10. Click Next on the welcome screen.
  11. Select “Yes, export the private key”, then click Next.
  12. On the format page, make sure PFX is selected.
  13. On the password screen, type a password and confirm it, then click Next.
  14. Give a location to export the certificate to, then click Next.
  15. On the summary page, click Finish and the certificate will be exported.

To export the certificate from Exchange 2010, follow the steps below:

1. Open the Exchange Management Console (EMC).
2. Go to Server Configuration.
3. Select the server which has the working certificate.
4. In the lower right pane you will see the certificate.
5. Right-click the certificate and select “Export Exchange Certificate”.
6. Browse to a location, select the PFX format, give the export file a password, and click Export.

A confirmation screen appears when the export finishes.


Copy the CERT

Now copy the exported PFX file to the Exchange 2013 server. The PFX file contains the private key, protected only by the export password.


Import the CERT

To import a certificate in Exchange 2013, follow the steps below:

1. Open the Exchange admin center (EAC).
2. Go to Servers –> Certificates.
3. Select your Exchange 2013 server.
4. Click on … and select “Import Exchange certificate”.
5. Give the location and password of the certificate, then click Next.
6. Select the server: click the + sign, select the server and click Add, then click OK, then click Finish.
7. Now the most important step: check that the certificate shows as valid.
8. Once the certificate is installed, you can assign the services to it, except SMTP, because SMTP will use the self-signed certificate.

Select the cert, click the pencil-shaped icon, click Services, select IIS, then click Save.

9. You need to reset IIS to make proper use of this certificate.

This will assign the new certificate to IIS. You can log in to test the cert.
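The import, the validity check and the IIS assignment from the steps above, done from the Exchange Management Shell on the Exchange 2013 server. This is an added example, not part of the original article; the PFX path, the server name and the 30-day expiry threshold are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2013 server.
# Assumed placeholders (not from the article): $PfxPath, $Server, the 30-day threshold.
$PfxPath = 'C:\Temp\exported-cert.pfx'   # hypothetical location of the copied PFX
$Server  = $env:COMPUTERNAME             # assumes the shell runs on the target server

# Prompt for the PFX password so it never lands in the script or the shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import the PFX (certificate plus private key) into the server's certificate store.
$bytes = [System.IO.File]::ReadAllBytes($PfxPath)
$cert  = Import-ExchangeCertificate -Server $Server -FileData $bytes -Password $PfxPassword

# Validity check: refuse to bind any service to a certificate that is not usable.
$check    = Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint
$problems = @()
if ($check.Status -ne 'Valid') { $problems += "status is $($check.Status)" }
if (-not $check.HasPrivateKey) { $problems += 'private key was not imported' }
if ($check.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "expires $($check.NotAfter)"
}
if ($problems.Count -gt 0) {
    throw "Certificate $($check.Thumbprint) not assigned: $($problems -join '; ')"
}

# Assign IIS only, as in the article; SMTP keeps its existing certificate.
Enable-ExchangeCertificate -Server $Server -Thumbprint $check.Thumbprint -Services IIS

# Restart IIS so the new binding is picked up.
iisreset /noforce

# The PFX holds the private key: remove the transfer copy once the import succeeded.
Remove-Item -Path $PfxPath -Force

# Show the final state, including the services now bound to the certificate.
Get-ExchangeCertificate -Server $Server -Thumbprint $check.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Status, Services
```

Remove the exported PFX from the source server and from any share used for the copy as well, since each copy carries the private key.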


Prabhat Nigam

Microsoft MVP | Exchange Server

Team @MSExchangeGuru

25 Responses to “Export a certificate from Exchange 2007/2010 and Import in Exchange 2013”

  1. Exchange 2010/2007 to 2013 Migration and Co-existence Guide « MSExchangeGuru.com Says:

    […] For Export and import of the cert Please check here – https://msexchangeguru.com/2013/06/29/import-cert-e2013/ […]

  2. sajid Says:

    hey,
    can we use exchange 2010 3rd party certificate on exchange 2013 or we need new certificate on 2013 and then we have to import it on 2010 like we are doing it for legacy name space?
    Regards
    sajid

  3. Prabhat Nigam Says:

    @Sajid
    You can use old 2010 3rd party cert.

  4. Kurt Says:

    When installing Exchange 2013 CU1/CU2 into an Exchange 2010 SP3 environment, is a “legacy.domain.com” name no longer required? (Exchange 2007 was never in this environment) So after exporting the cert from the 2010 CAS servers and into the 2013 CAS server we just change the domain record for “mail.domain.com” to point to the 2013 CAS? Does the proxying of 2010 mailbox users not need to redirect to a different name?

    Thanks!

  5. Prabhat Nigam Says:

    @kurt
    No legacy url required in 2013 because 2003 is not supported and 2010 will accept redirect
    Yes, just change the pointer of mail.domain.com to 2013
    No need of different URL for redirection

  6. Kurt Says:

    Thanks much! What would happen if we decided to completely change the domain from mail.domain.com to mail.domain2.com? Would the new users, moved users, and legacy users all function properly?

  7. Prabhat Nigam Says:

    @Kurt
    You can change the url but make sure you change it in each and every place on both Exchange 2013 and legacy.

  8. LucidFlyer Says:

    @Prabhat,
    Can you please confirm that your reply to Kurt above, stating there’s no NEED to have external (e.g. legacy.company.com) URL for Exchange 2007 in case of coexistence, is correct?
    According to Ross’s article, http://blogs.technet.com/b/exchange/archive/2013/07/09/released-exchange-server-2013-rtm-cumulative-update-2.aspx

    “In environments where Exchange 2013 and Exchange 2007 coexist, Exchange 2013 CAS redirects the request to the Exchange 2007 CAS infrastructure’s ExternalURL. While this redirection is silent, it is not a single sign-on event.”

    The external URL is required.

    Thanks.

  9. Prabhat Nigam Says:

    @LucidFlyer
    I confirm what I said in this blog is correct.
    You need external url but not legacy.domain.com
    Your 2013 url will be good on 2007 as well.

  10. LucidFlyer Says:

    @Prabhat
    As you can probably understand there’s some discrepancy between what you say and Ross’s article.
    Mind to comment on that?

    Thanks.

  11. Prabhat Nigam Says:

    @LucidFlyer
    I think I was helping you. I have suggested you correct. I have never said Ross is wrong.

    If you need help then I will be more than happy to help you else let us work.

  12. LucidFlyer Says:

    @Prabhat
    I appreciate your help, I’m talking specifically in regards to OWA. When user’s mailbox is located on Ex2007 and he tries to access it through Ex2013 OWA portal. Is there a need for the legacy.company.com cert on Ex2007?

  13. LucidFlyer Says:

    Here’s an additional link that also states that legacy.company.com is required
    http://michaelvh.wordpress.com/2012/10/09/exchange-2013-interoperability-with-legacy-exchange-versions/
    Thank you.

  14. Prabhat Nigam Says:

    LucidFlyer:

    I think you have your answer. We need a 2nd url for exchange 2007 but not for 2010.
    It is not necessary to have legacy.domain.com and you can use any other url as well.

  15. Ashwin Says:

    Awesome article here. Thanks for posting this.

  16. striscia70 Says:

    Exchange 2007 EMC does not show the certificates… this guide is valid only for Exch 2010

  17. Prabhat Nigam Says:

    @Striscia
    Thank you for the pointer. Actually the document had only the 2010 export steps, but the import process is the same for Exchange 2013, which was the major concern.
    Now I have added the steps for exchange 2007 so that you can export it in your Exchange 2007.

  18. Ash Says:

    Hi,

    Can we export the certificate from an exchange 2007 environment and import it in the exchange 2013 environment? Do any configuration changes need to be made?

  19. Prabhat Nigam Says:

    Yes, you can export from Exchange 2007 and import the certificate to Exchange 2013. No changes are required, but if Exchange 2007 and 2013 co-exist then you need 2 URLs for OWA and EWS.

  20. Danny Belanger Says:

    Good Job!

  21. Sam Says:

    Hi.

    I currently have 2013 and 2007 running together – but haven’t swapped over the names yet (legacy.domainname.com / outlookanywhere.domainname.com).

    Nor has any user been moved to 2013 yet. Our OWA and mobile devices use the “email.domain.com” SSL certificate. Our Autodiscover is registered with the ISP.

    My question is

    If we simply move the public certificate “email.domain.com” from 2007 to 2013. Do we still need any public certificate ex legacy.domain.com for 2007 for the time users being migrated from 2007?

    If yes, does a simple SSL or a SAN certificate would be required?

    Thanks

  22. Prabhat Nigam Says:

    Yes, you need a cert for legacy.domain.com. It can be simple SSL SAN cert but purchase it from a good provider like digicert.

  23. Exchange 2013: Hybrid Part 4 « MSExchangeGuru.com Says:

    […] If you have separate CAS and MBX roles then you might like to import the cert to mailbox server for the SMTP. For that you need to export the cert from the Exchange 2013 where you had complete the cert request. Check the step of exporting and importing of the cert are mention here. https://msexchangeguru.com/2013/06/29/import-cert-e2013/ […]

  24. Sameer Says:

    Hi,

    The old 2010 Exchange certificate doesn’t contain the new 2016 servers in the subject alternative names of SSL certificate.
    Updating the autodiscover URIs of new servers according to the certificate doesn’t fix the problem as well. Please advise.

    Many thanks in advance,

    Sameer

  25. Prabhat Nigam Says:

    Use the same url for 2010 and 2016. Autodiscover.domain.com should be the autodiscoverserviceinternaluri.
