Tool for Exporting Exchange 2010 Certificates to PFX files…

I am probably the only person in the world who finds the process of exporting Exchange Certificates to a file within Exchange 2010 a little bit fiddly – in fact – whilst I think about it, I found it fiddly in Exchange 2007.

Now that does not mean that I don’t know how to export Certificates from either version of Exchange (honest!!!) – just that I have never found it to be very intuitive, or in parts – consistent.

As many of you will be aware in Exchange 2010 you can export an existing Exchange enabled certificate from either the Exchange Management Console or the Exchange Management Shell.

You can also export these certificates from the IIS Server Manager – however it is important to note that this is not the preferred method, and Microsoft recommends that you use the Exchange supplied tools for managing any certificate which is used in connection with Exchange Server 2010 (this was also the recommendation for Exchange 2007).

To give you some background – exporting from within the Exchange 2010 Management Console is accomplished via navigating to the [ Server Configuration ] node – see below;


Selecting an Exchange Server which contains the SSL certificate that you are interested in, and then on the “Exchange Certificates” tab (located in the bottom middle of the window) a list of the available certificates will be displayed – see below;


Once you have selected your Certificate the “Actions” area (to the right hand side of the screen) will change – towards the bottom you will see an option to “Export Exchange Certificate” – see below


You are then presented with a two-step wizard that will ask you for a path for the export PFX file, and the private key (password) that you wish to assign to the PFX file (this is used later on when you need to import the file) – see below


Clicking on the “Export” button completes the process and outputs the PFX file to your desired location with the Private key assigned – see below


Of course the Exchange Management Shell provides another means to export Exchange based certificates to PFX files – an example which uses the “Subject Name” of the Cert is provided below – there are other ways that this can be achieved, for example here.

$sub='CN=owa.prepAD.local, OU=IT,, L=London, S=Middx, C=GB'
$pwrdNS=ConvertTo-SecureString "password" -asPlainText -Force
$cCert = Get-ExchangeCertificate | where {$_.Subject -eq $sub}
$file = Export-ExchangeCertificate -Thumbprint $cCert.Thumbprint -BinaryEncoded:$true -Password $pwrdNS
Set-Content -Path "X:\Test.pfx" -Value $file.FileData -Encoding Byte
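
A hardened variant of the shell export above, added here as an example rather than taken from the original post: it prompts for the PFX password instead of embedding it, requires exactly one subject match, restricts the file's ACL before any key material is written, and reloads the PFX to confirm the backup is usable. The subject and path are placeholder values, and an elevated Exchange Management Shell session is assumed.

```powershell
# Added example: subject and path are placeholders, not values from the post.
$subject = 'CN=owa.example.local'
$pfxPath = 'X:\CertBackup\owa.pfx'

# Prompt for the PFX password so it is never stored in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Require exactly one match: renewed and expired certificates can share a subject.
$found = @(Get-ExchangeCertificate | Where-Object { $_.Subject -eq $subject })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate for '$subject', found $($found.Count)."
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# Create the file empty and limit it to Administrators before the key is written
# (assumes the session is elevated, otherwise the later write is denied).
New-Item -ItemType File -Path $pfxPath -Force | Out-Null
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'BUILTIN\Administrators', 'FullControl', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $pfxPath -AclObject $acl

# Export the certificate and private key as binary PFX data and write it out.
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# Reload the PFX with the same password and confirm it holds the expected cert and key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList `
    $pfxPath, $pfxPassword, $flags
try {
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup $pfxPath does not contain the expected certificate and key."
    }
    "Verified {0}, expires {1:u}" -f $check.Thumbprint, $check.NotAfter
} finally {
    $check.Reset()   # release the temporary key container created by the reload
}
```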

Now, as I said in the introduction to this article, I have personally found the above processes to be a bit fiddly in practice and being the type of person who backs everything up – I wanted a tool that could be fired up quickly and used to export Certs to a given location as a backup. In the absence of such a tool – I decided to write one – therefore I am pleased to present the Exchange 2010 Certificate Export tool.


exchgExpCert007 [ Exchange Certificate Export Tool – 500K ]


In order to get the best from this tool your target system should be running:

  • Windows 2003 SP1 and above x64, Windows 2003 R2 and above x64, Windows 2008 Server SP1 x64, Windows 2008 R2 x64
  • .NET Framework 3.5
  • Exchange 2010 Management Tools

You should install the tool on the Exchange Server where the certificates that you wish to export / backup reside.


Once you have downloaded the above setup file to the server of your choice, double click on the “ExchangeCertSetup.msi” file to launch the program installer. Follow the installation wizard through to completion; an icon for the product will be placed within your start menu and on the desktop.


Launch the program from the start menu [ Start –> Programs –> Exchange 2010 Certificate Export Tool –> Export Exchange 2010 Certificates ] or from the desktop icon – see below


You will be presented with the main screen – from the “Certificate Information” area select the Service of the certificate that you wish to export (bear in mind the software will only detect certificates which are enabled for that service), the “Find” button will then enable – click on “Find” to retrieve the certificate list – see below


The window below the “Find” button will then populate; select the certificate that you wish to export / backup – you must also provide a Private Key value (password) in the “Private Export Key” box – this is mandatory – if you do not provide a value the program will prompt you – see below


Click on the button to the right of the “Export Path” field, this will open a save file dialog box – navigate to the path where you wish to save the export file and then provide a filename and click on the “Save” button – see below


The export path field will then populate – click on the “Export” button to begin the process of exporting the certificate. When the program is done, the PFX file will be in the location that you stipulated as well as a log file of the entire process – see below


It’s a simple tool – and I admit that some of you may have no use for it – but, I hope that some folks get some value as I now use it all the time to export and backup my clients’ Exchange certs. As always – let me know of comments and suggestions.


  1. Hi Chris,

    I did something similar, but see that the related certificates that one can export from Certificates snapin are absent when one uses this method, so the THAWTE root certs are missing in my case.
