Export a certificate from Exchange 2007/2010 and Import in Exchange 2013
Some time back someone asked me how to export a certificate from Exchange 2007/2010 and import it in Exchange 2013. So here you go…
Export the CERT
To export the certificate from Exchange 2007, follow the steps below:
- Log in to the Exchange 2007 server
- Go to Run and type mmc
- In MMC, click File and select Add/Remove Snap-in
- Select Certificates, then Computer account
- Select Local Computer
- Click OK, then OK again.
- Now you will see the Certificates MMC
- Select Personal, then Certificates, and select your cert
- Right-click the certificate to export, then select All Tasks and Export
- Click Next on the welcome screen
- Select “Yes, export the private key” then click Next
- On the format page, make sure PFX is selected
- On the password screen, type a password and confirm it, then click Next
- Give a location to export the certificate to, then click Next
- On the summary page, click Finish and the certificate will be exported.
To export the certificate from Exchange 2010, follow the steps below:
1. Open EMC
2. Go to Server Configuration
3. Select the server which has the working certificate
4. In the lower right pane you will see the certificate.
5. Right-click the certificate and select “Export Exchange Certificate”.
6. Browse to a location, select the PFX format, give the export file a password, and click Export.
You will see this screen when the export finishes
Copy the CERT
Now copy the exported certificate (PFX) file to the Exchange 2013 server.
Import the CERT
To import a certificate in Exchange 2013, follow the steps below:
1. Open EAC
2. Go to Server -> Certificates
3. Select your Exchange 2013 server
4. Click on … and select “Import Exchange certificate”
5. Give the location and password of the certificate file, then click Next.
6. Select the server: click the + sign, select the server and click Add, then click OK, then click Finish.
7. Now, the most important step is to check that your certificate is valid; see the screen below:
8. Once the certificate is installed, you can assign the services except SMTP, because SMTP will use the self-signed certificate.
Select the cert, click the pen-shaped icon, click Services and select IIS, then click Save.
9. You need to reset IIS to make proper use of this certificate.
This assigns the new certificate to IIS. You can log in to test the cert.
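The Exchange 2010 export and the Exchange 2013 import steps above, written for the Exchange Management Shell with the validity check from step 7 made explicit. This is an added example, not part of the original post; the file path, thumbprint placeholder, host names and 30-day expiry margin are assumptions.

```powershell
# Added example, not from the original post. Run each section in the Exchange
# Management Shell on the server named in its header.
# Assumed values: transfer path, thumbprint placeholder, host names, 30-day margin.
$pfxPath       = 'C:\Transfer\mail-cert.pfx'      # hypothetical path
$thumbprint    = '<THUMBPRINT-OF-WORKING-CERT>'   # placeholder; list with Get-ExchangeCertificate
$requiredNames = 'mail.domain.com', 'autodiscover.domain.com'   # names clients connect to
$pfxPassword   = Read-Host 'PFX password' -AsSecureString       # prompt, never hard-code

# ---- Exchange 2010: export the certificate with its private key ----
$export = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# ---- Exchange 2013: import, then re-read the certificate as the server sees it ----
$bytes    = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword
$cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# Step 7 as a check: collect every reason the certificate should not go into service.
function Test-ImportedCertificate {
    param($Certificate, [string]$ExpectedThumbprint, [string[]]$RequiredNames)
    $problems = @()
    if ($Certificate.Thumbprint -ne $ExpectedThumbprint) { $problems += 'thumbprint differs from the exported certificate' }
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key was not imported' }
    if ($Certificate.Status -ne 'Valid') { $problems += "status is $($Certificate.Status)" }
    if ($Certificate.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Certificate.NotAfter)" }
    # Exact-match comparison only; wildcard entries are not expanded here.
    $domains = @($Certificate.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($name in $RequiredNames) {
        if ($domains -notcontains $name) { $problems += "name not on certificate: $name" }
    }
    return ,$problems
}

$problems = Test-ImportedCertificate -Certificate $cert -ExpectedThumbprint $thumbprint -RequiredNames $requiredNames
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate failed validation; not assigning it to IIS.'
}

# Steps 8-9: assign IIS only (SMTP stays on the self-signed certificate), then reset IIS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
iisreset

# The PFX contains the private key: delete the transfer copy once the import is confirmed.
Remove-Item -Path $pfxPath
```

The same cleanup applies to the copy left on the source server and to any share or removable media used for the transfer.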
Prabhat Nigam
Microsoft MVP | Exchange Server
Team @MSExchangeGuru
June 29th, 2013 at 8:35 pm
[…] For Export and import of the cert Please check here – https://msexchangeguru.com/2013/06/29/import-cert-e2013/ […]
July 18th, 2013 at 9:10 pm
hey,
Can we use the Exchange 2010 3rd party certificate on Exchange 2013, or do we need a new certificate on 2013 and then have to import it on 2010 like we are doing for the legacy namespace?
Regards
sajid
July 27th, 2013 at 10:54 am
@Sajid
You can use old 2010 3rd party cert.
August 18th, 2013 at 2:15 pm
When installing Exchange 2013 CU1/CU2 into an Exchange 2010 SP3 environment, is a “legacy.domain.com” name no longer required? (Exchange 2007 was never in this environment) So after exporting the cert from the 2010 CAS servers and into the 2013 CAS server we just change the domain record for “mail.domain.com” to point to the 2013 CAS? Does the proxying of 2010 mailbox users not need to redirect to a different name?
Thanks!
August 18th, 2013 at 4:53 pm
@kurt
No legacy url required in 2013 because 2003 is not supported and 2010 will accept redirect
Yes, just change the pointer of mail.domain.com to 2013
No need of different URL for redirection
August 23rd, 2013 at 10:52 pm
Thanks much! What would happen if we decided to completely change the domain from mail.domain.com to mail.domain2.com? Would the new users, moved users, and legacy users all function properly?
August 24th, 2013 at 10:00 am
@Kurt
You can change the URL, but make sure you change it in each and every place on both Exchange 2013 and legacy.
September 10th, 2013 at 1:13 pm
@Prabhat,
Can you please confirm that your reply to Kurt above, stating there’s no NEED to have external (e.g. legacy.company.com) URL for Exchange 2007 in case of coexistence, is correct?
According to Ross’s article, http://blogs.technet.com/b/exchange/archive/2013/07/09/released-exchange-server-2013-rtm-cumulative-update-2.aspx
“In environments where Exchange 2013 and Exchange 2007 coexist, Exchange 2013 CAS redirects the request to the Exchange 2007 CAS infrastructure’s ExternalURL. While this redirection is silent, it is not a single sign-on event.”
The external URL is required.
Thanks.
September 10th, 2013 at 1:33 pm
@LucidFlyer
I confirm what I said in this blog is correct.
You need external url but not legacy.domain.com
Your 2013 url will be good on 2007 as well.
September 10th, 2013 at 4:27 pm
@Prabhat
As you can probably understand there’s some discrepancy between what you say and Ross’s article.
Mind to comment on that?
Thanks.
September 10th, 2013 at 5:32 pm
@LucidFlyer
I think I was helping you. I have suggested you correct. I have never said Ross is wrong.
If you need help then I will be more than happy to help you else let us work.
September 12th, 2013 at 3:01 pm
@Prabhat
I appreciate your help, I’m talking specifically in regards to OWA. When user’s mailbox is located on Ex2007 and he tries to access it through Ex2013 OWA portal. Is there a need for the legacy.company.com cert on Ex2007?
September 16th, 2013 at 6:01 pm
Here’s an additional link that also states that legacy.company.com is required
http://michaelvh.wordpress.com/2012/10/09/exchange-2013-interoperability-with-legacy-exchange-versions/
Thank you.
September 16th, 2013 at 6:19 pm
LucidFlyer:
I think you have your answer. We need a 2nd url for exchange 2007 but not for 2010.
It is not necessary to have legacy.domain.com and you can use any other URL as well.
September 30th, 2013 at 4:18 pm
Awesome article here. Thanks for posting this.
November 8th, 2013 at 12:01 pm
Exchange 2007 EMC does not show the certificates… this guide is valid only for Exch 2010
November 16th, 2013 at 12:27 am
@Striscia
Thank you for the pointer. Actually document had only 2010 export steps but import process is same for the exchange 2013 which was the major concern.
Now I have added the steps for exchange 2007 so that you can export it in your Exchange 2007.
October 7th, 2014 at 12:14 pm
Hi,
Can we export the certificate from an Exchange 2007 environment and import it in the Exchange 2013 environment? Do any configuration changes need to be made?
October 9th, 2014 at 7:02 pm
Yes, you can export from Exchange 2007 and import the certificate to Exchange 2013. No changes are required, but if you have co-existence of Exchange 2007 and 2013 then you need 2 URLs for OWA and EWS.
January 8th, 2015 at 4:22 pm
Good Job!
February 5th, 2015 at 3:49 pm
Hi.
I currently have 2013 and 2007 running together – but haven’t swapped over the names yet (legacy.domainname.com / outlookanywhere.domainname.com).
Nor any user is moved to 2013 yet. Our OWA and mobile devices use “email.domain.com” SSL certificate. Our Autodiscover is registered with the ISP.
My question is
If we simply move the public certificate “email.domain.com” from 2007 to 2013. Do we still need any public certificate ex legacy.domain.com for 2007 for the time users being migrated from 2007?
If yes, would a simple SSL or a SAN certificate be required?
Thanks
February 5th, 2015 at 3:58 pm
Yes, you need a cert for legacy.domain.com. It can be simple SSL SAN cert but purchase it from a good provider like digicert.
June 19th, 2015 at 6:30 am
[…] If you have separate CAS and MBX roles then you might like to import the cert to mailbox server for the SMTP. For that you need to export the cert from the Exchange 2013 where you had complete the cert request. Check the step of exporting and importing of the cert are mention here. https://msexchangeguru.com/2013/06/29/import-cert-e2013/ […]
September 1st, 2016 at 5:40 am
Hi,
The old 2010 Exchange certificate doesn’t contain the new 2016 servers in the subject alternative names of SSL certificate.
Updating the autodiscover URIs of the new servers according to the certificate doesn’t fix the problem either. Please advise.
Many thanks in advance,
Sameer
September 1st, 2016 at 1:40 pm
Use the same url for 2010 and 2016. Autodiscover.domain.com should be the autodiscoverserviceinternaluri.