SSL certificates on legacy infrastructure like Exchange Server 2010 often become a problem at the worst possible moment — when users start seeing “Not Secure” warnings in Outlook Web App (OWA) or mail flow begins to fail due to an expired certificate.

Replacing an SSL certificate in Exchange 2010 is not just a matter of importing a new file. The certificate must contain a private key, be installed in the correct store, and be properly assigned to IIS and SMTP services. Performing the steps in the wrong order can temporarily break OWA or disrupt mail flow.
This guide walks through the correct, production-safe procedure for replacing an SSL certificate in Exchange Server 2010, including common errors such as PrivateKeyMissing, incorrect thumbprints, and improper certificate store placement.
Prerequisites
Before proceeding, make sure you have:
- A valid SSL certificate in .pfx format
- The password for the PFX file
- Administrative access to the Exchange server
- Access to Exchange Management Shell
Important: The certificate must contain a private key. A .cer file alone is not sufficient.
Step 1 — Check Currently Assigned Certificate (IIS & SMTP)
Before importing a new certificate, verify which certificates are currently installed and confirm whether the existing one is expired or still assigned to Exchange services.
Open the Certificates MMC snap-in:
- Press Win + R
- Type mmc.exe and press OK
- Go to File → Add/Remove Snap-in
- Select Certificates
- Choose Computer account
- Select Local computer
- Click OK
- Navigate to Certificates (Local Computer) → Personal → Certificates

At this stage, verify:
- The existing certificate expiration date
- Whether the certificate contains a private key (key icon must be present)
- The Subject / SAN matches your OWA hostname
Locate the Certificate Thumbprint in MMC and Compare It with the Certificate Assigned in Exchange
Follow these steps:
- Locate the certificate you want to inspect.
- Double-click the certificate to open its properties.
- Go to the Details tab.
- Scroll down in the field list and select Thumbprint.

After identifying the certificate in the MMC snap-in, the next step is to confirm which certificate is currently assigned to Exchange services.
Exchange does not rely on the certificate’s Friendly Name — it identifies certificates by their thumbprint. For this reason, always verify the thumbprint before making any changes.
Open Exchange Management Shell
- Launch Exchange Management Shell with administrative privileges.
List Installed Exchange Certificates
- Run the following command:
[PS] C:\Windows\system32>Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Services,NotAfter

FriendlyName : Contoso Exchange Test Certificate
Thumbprint   : 8765A851C7A787CDE965DEE3669DEBFBAC8BC317
Services     : IIS, SMTP
NotAfter     : 23.02.2025 9:07:40

FriendlyName :
Thumbprint   : 6754F19C4ASD2863AC56751C7B6AE86AE78A4480
Services     : POP
NotAfter     : 02.07.2026 10:18:23

FriendlyName :
Thumbprint   : 0288354FG5R129E8A6E64F67F1128EC036A7CW34
Services     : POP
NotAfter     : 02.07.2026 10:18:23

FriendlyName : WMSVC
Thumbprint   : 6B82B6B8F1B5BC55A2EA176B14A31B2B88A197BB
Services     : IMAP, SMTP
NotAfter     : 26.07.2029 11:57:59

This command displays:
- FriendlyName – the display name of the certificate
- Thumbprint – the unique certificate identifier
- Services – which services are currently using the certificate (IIS, SMTP, etc.)
- NotAfter – expiration date
After comparing the thumbprints in MMC and Exchange Management Shell, we confirmed that the certificate with the thumbprint 8765A851C7A787CDE965DEE3669DEBFBAC8BC317 is currently assigned to Exchange services.
From the Get-ExchangeCertificate output, we can see:
- The Services field includes IIS, SMTP
- The NotAfter value indicates that the certificate is expired
The next step is to assign the new certificate to the required Exchange services before removing the old one.
Never remove an active certificate before successfully assigning the replacement certificate to all required services.
Step 2 – Import the New PFX Certificate
Copy the Certificate to the Server
Copy the new .pfx file to the Exchange server.
Ensure that:
- You are logged in with administrative privileges
- You know the password used to protect the PFX file
Launch the Certificate Import Wizard
- Locate the .pfx file on the server.
- Double-click the file to start the Certificate Import Wizard.
- When prompted, select Local Machine. Do NOT select Current User.
Click Next.

Enter the Certificate Password
- Provide the password for the PFX file.
- (Optional but recommended) Enable:
- Mark this key as exportable
Click Next.

Select the Certificate Store
- Choose: Place all certificates in the following store
- Click Browse, then select: Personal
Complete the wizard.
If successful, you will see:
The import was successful.

Verify that:
- The new certificate appears in the list in mmc.exe Certificates Snap-in
- The expiration date is correct
- A private key icon is visible (indicating the private key is present)
At this point, the certificate is successfully installed in the Windows certificate store and ready to be assigned to Exchange services.

You can now copy the thumbprint of the newly imported certificate for use in the Exchange assignment command.

Step 3 – Enable the Certificate for IIS and SMTP
At this stage, the certificate is installed on the server but not yet used by Exchange.
Open Exchange Management Shell
- Log in to the Exchange server and open Exchange Management Shell with administrative privileges.
Assign the Certificate to IIS and SMTP
Run the following command:
[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 12ac603019cc49d3d4c5f4752c691dbcc41baa4e -Services IIS,SMTP

Overwrite the existing default SMTP certificate?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
[PS] C:\>
Verify the Assignment
After the command completes, confirm that the new certificate now shows IIS, SMTP under Services:
[PS] C:\Windows\system32>Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Services,NotAfter

FriendlyName : New Contoso Exchange Test Certificate
Thumbprint   : 12AC603019CC49D3D4C5F4752C691DBCC41BAA4E
Services     : IIS, SMTP
NotAfter     : 23.02.2027 11:15:14

FriendlyName : Old Contoso Exchange Test Certificate
Thumbprint   : 8765A851C7A787CDE965DEE3669DEBFBAC8BC317
Services     : IIS, SMTP
NotAfter     : 23.02.2025 9:07:40

FriendlyName :
Thumbprint   : 6754F19C4ASD2863AC56751C7B6AE86AE78A4480
Services     : POP
NotAfter     : 02.07.2026 10:18:23

FriendlyName :
Thumbprint   : 0288354FG5R129E8A6E64F67F1128EC036A7CW34
Services     : POP
NotAfter     : 02.07.2026 10:18:23

FriendlyName : WMSVC
Thumbprint   : 6B82B6B8F1B5BC55A2EA176B14A31B2B88A197BB
Services     : IMAP, SMTP
NotAfter     : 26.07.2029 11:57:59
At this point, Exchange is actively using the new certificate.
Step 4 – Restart IIS
After assigning the new certificate to IIS, it is recommended to restart IIS to ensure that all HTTPS services begin using the updated certificate.
This step ensures that:
- OWA loads the new certificate
- ECP uses the new certificate
- ActiveSync and Outlook Anywhere bind to the updated SSL certificate
Open Command Prompt or Exchange Management Shell as Administrator and run:
[PS] C:\Windows\system32>iisreset

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
After this, IIS is fully restarted and the new certificate is actively in use.
Verify in Browser
Open OWA in a browser and inspect the certificate:
- Click the padlock icon
- View certificate details
- Confirm the expiration date matches the new certificate
At this point, the new SSL certificate is fully operational.
Step 5 – Remove the Old Certificate
After confirming that the new certificate is successfully assigned to IIS and SMTP and HTTPS services are functioning correctly, the old expired certificate can be safely removed.
Important: Ensure that the old certificate is no longer assigned to any Exchange services before removing it.
Locate the old certificate (the expired one) and confirm that:
- The Services field is empty
- The expiration date (NotAfter) indicates it is expired
Only proceed if no services are assigned.
[PS] C:\Windows\system32>Get-ExchangeCertificate | Format-List FriendlyName,Thumbprint,Services,NotAfter

FriendlyName : Old Contoso Exchange Test Certificate
Thumbprint   : 8765A851C7A787CDE965DEE3669DEBFBAC8BC317
Services     :
NotAfter     : 23.02.2025 9:07:40
Run the following command:
[PS] C:\Windows\system32>Remove-ExchangeCertificate -Thumbprint 8765a851c7a787cde965dee3669debfbac8bc317
Expected Result
If the removal is successful, the command will complete without errors and return to the PowerShell prompt.
You can verify the removal by running the Get-ExchangeCertificate command again.
Final Verification
As a final check:
- Access OWA in a browser
- Confirm the new certificate is presented
- Optionally verify SMTP TLS using external tools
At this point, the certificate replacement process is fully completed.
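The enable, verify and remove sequence above, with the checks this guide calls for (private key present, thumbprint-based identification, old certificate unassigned before removal) as one script. This is an added example, not part of the original guide; it assumes it runs in the Exchange Management Shell on the Exchange 2010 server, the thumbprints are the sample values from the output above, and mail.contoso.com is an assumed placeholder for the OWA hostname.

```powershell
# Added example, not from the original guide. Run in the Exchange Management
# Shell on the Exchange 2010 server. Thumbprints are the guide's sample values;
# the OWA hostname is an assumed placeholder.
param(
    [string]$NewThumbprint = '12AC603019CC49D3D4C5F4752C691DBCC41BAA4E',
    [string]$OldThumbprint = '8765A851C7A787CDE965DEE3669DEBFBAC8BC317',
    [string]$OwaHost       = 'mail.contoso.com',
    [switch]$RemoveOld
)

# Exchange identifies certificates by thumbprint, not by Friendly Name.
$new = Get-ExchangeCertificate -Thumbprint $NewThumbprint

# Pre-flight checks before anything changes: private key present (a .cer
# without a key fails with PrivateKeyMissing), not expired, and the
# Subject/SAN covers the OWA hostname.
if (-not $new.HasPrivateKey) {
    throw "Certificate $NewThumbprint has no private key; import the .pfx, not a .cer."
}
if ($new.NotAfter -lt (Get-Date)) {
    throw "Certificate $NewThumbprint already expired on $($new.NotAfter)."
}
$names = $new.CertificateDomains | ForEach-Object { $_.ToString() }
# -like lets a wildcard name such as *.contoso.com match mail.contoso.com
if (-not ($names | Where-Object { $OwaHost -like $_ })) {
    throw "Certificate does not cover $OwaHost (names: $($names -join ', '))."
}

# Assign the new certificate first. -Force answers the
# 'Overwrite the existing default SMTP certificate?' prompt with Yes.
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services IIS,SMTP -Force

# Re-read and confirm both services are now bound to the new thumbprint.
$new = Get-ExchangeCertificate -Thumbprint $NewThumbprint
foreach ($svc in 'IIS','SMTP') {
    if ("$($new.Services)" -notmatch $svc) {
        throw "$svc is not bound to $NewThumbprint; old certificate left in place."
    }
}

# Remove the old certificate only once it serves nothing (Services empty or None).
if ($RemoveOld) {
    $old    = Get-ExchangeCertificate -Thumbprint $OldThumbprint
    $oldSvc = "$($old.Services)"
    if ($oldSvc -and $oldSvc -ne 'None') {
        throw "Old certificate still assigned to: $oldSvc. Not removing it."
    }
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
}
```

Run it once without -RemoveOld, then iisreset and check OWA in the browser as described in Step 4; run it again with -RemoveOld only after Get-ExchangeCertificate shows the old certificate with an empty Services field.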

Infrastructure Engineer with hands-on experience in Windows Server, Active Directory, SCCM, Exchange, and Linux environments. Concentrated on resolving production issues and keeping systems stable and reliable.