How to renew a certificate in Exchange Hybrid? You have a new third-party certificate installed…
Check Let’s Encrypt certificate status
How to check Let’s Encrypt certificate status? Let’s Encrypt is a great way to secure the Exchange Server. Our previous article explained how to install FREE Let’s Encrypt certificate in Exchange Server. Now that we requested a certificate from Let’s Encrypt on the Exchange Server, we would like to verify Let’s Encrypt certificate status and if it’s installed correctly. In this article, you will learn how to check Let’s Encrypt certificate status.
Table of contents
Check Let’s Encrypt certificate status
It’s important to check the certificate after installing or updating the certificate on the Exchange Server. There are many ways to verify the new certificate in Exchange Server. I recommend checking the certificate in a couple of ways. Before we start, let’s see if the Let’s Encrypt scheduled task is configured.
Check Let’s Encrypt scheduled task
Let’s Encrypt issued certificate is only valid for 90 days. If you want to keep a valid certificate, you need to renew it. You can do it by following the install FREE let’s encrypt certificate in Exchange Server. I recommend making use of the scheduled task option in the Win-ACME client.
The scheduled task will check every day to renew the certificate. The Win-ACME client renews the certificate if it’s older than 55 days. Remember to enable the scheduled task option as described in the article Install FREE Let’s Encrypt certificate in Exchange Server.
Start the Task Scheduler and verify that Win-ACME Let’s Encrypt appears in the list of tasks.
Check Let’s Encrypt certificate status in Exchange Admin Center
Sign in to Exchange Admin Center (EAC). Click servers in the feature pane and follow with certificates in the tabs. Click on the Let’s Encrypt certificate in the list view. You can find more information about the certificate in the details pane.
Do you want to get a list of certificates with PowerShell? Read the article Get Exchange certificate with PowerShell.
Check Let’s Encrypt status in the browser
Start a browser, in my example Firefox and type in the OWA URL. We can see that there is no more warning showing on the padlock icon in the toolbar. Clicking the lock icon will show that we are securely connected to this site. Verified by: Let’s Encrypt. If you don’t see it, clear the browser cache.
Start another browser. For example, Internet Explorer. Clicking the padlock icon in the toolbar will show that the connection to the server is encrypted.
DigiCert certificate checker
We will verify the Let’s Encrypt certificate with the DigiCert SSL certificate checker.
Enter the OWA URL of the Exchange Server, in my example mail.exoip.com. When entered, press the button Check Server. Have a look at the Subject Alternative Names, the certificate expiration, and that the certificate is correctly installed.
Microsoft Remote Connectivity Analyzer (MRCA)
Go to the Microsoft Remote Connectivity Analyzer page. Click Exchange Server in the feature pane and click Outlook Connectivity.
Fill in the credentials and click Perform Test.
After testing, the result shows warnings.
When looking into the warnings, it shows the following:
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the “Update Root Certificates” feature isn’t enabled.
It’s a warning that impacts older machines or those that don’t allow root certificate updates. It means that machines that don’t have the latest root certificates might not trust your certificate. You can safely ignore the warning.
I hope it helped you to check Let’s Encrypt certificate in Exchange Server.
Conclusion
You learned how to check Let’s Encrypt certificate status in Exchange Server. Start a browser and go to the Exchange Server OWA URL. Check that the padlock icon is showing a secure connection. Use an external certificate checker to check the Exchange Server OWA URL. As of last, use Microsoft Remote Connectivity Analyzer (MRCA) to check the connection to the Exchange Server. Always verify after you do a configuration on a system. In this case, it was configuring Exchange Server for Let’s Encrypt.
Did you enjoy this article? You may also like Active Directory weak password checker. Don’t forget to follow us and share this article.
God bless you
Really good instructions, very clear and it worked first time for me. That’s rare!
Ali,
I’ve read a lot of how to stuff over the years, but it’s very rare, that someone knows what he does and is at the same time capable of language and takes the trouble to be so detailed that even the casual admin can do something with it. Your article series is good for the internet. Thanks for that.
Stefano