skip to Main Content

Renew Microsoft Exchange certificate

The Microsoft Exchange certificate is installed when you install an Exchange Server, and it’s 5 years active. Most of the time, you don’t look into that certificate because, within 5 years, you will have a new Exchange Server and decommission the old Exchange Server. What if you have to renew the certificate? The Microsoft Exchange self-signed certificate is expiring, and it will not renew automatically. In this article, you will learn how to renew Microsoft Exchange certificate.

How to renew Microsoft Exchange certificate

Let’s look at the steps to renew the self-signed Microsoft Exchange certificate. Run the below commands in Exchange Management Shell.

Are you looking at how to renew the Microsoft Exchange Server Auth Certificate? Read the article Renew Microsoft Exchange Server Auth Certificate.

Important: Do the below steps after working hours, even if you have a DAG configuration. That’s because the certificates can unbind the Default Web Site certificates, and users will get certificate errors. You have to do the steps on all the Exchange Servers.

1. Get Microsoft Exchange certificate

Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange certificate.

In our example, we did select the Exchange Server EX01-2019.

Renew Microsoft Exchange certificate old certificate

We do see that the certificate thumbprint starts with E55A7C.

Renew Microsoft Exchange certificate old certificate thumbprint

Let’s verify the Exchange Server certificate with Exchange Management Shell.

Run Exchange Management Shell as administrator on Exchange on-premises. Run the Get-ExchangeCertificate cmdlet to check the existing Microsoft Exchange certificate status.

Note: Copy the certificate thumbprint because you need it when you renew Microsoft Exchange certificate in the next step.

[PS] C:\>Get-ExchangeCertificate | where {$_.FriendlyName -like "Microsoft Exchange"} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

FriendlyName       : Microsoft Exchange
Subject            : CN=EX01-2019
CertificateDomains : {EX01-2019, EX01-2019.exoip.local}
Thumbprint         : E55A7CE736B5798A1A694F1D0515227E35F97514
NotBefore          : 5/1/2022 7:53:26 PM
NotAfter           : 5/1/2027 7:53:26 PM

In the next step, we will renew the Microsoft Exchange certificate.

2. Create new Microsoft Exchange certificate

Create a new Microsoft Exchange certificate. Run the New-ExchangeCertificate cmdlet and paste the previously copied certificate thumbprint in the command.

Note: You can’t remove the Microsoft Exchange certificate in most cases. You will be able to remove the certificate when you create and publish a new Microsoft Exchange certificate.

[PS] C:\>Get-ExchangeCertificate -Thumbprint "E55A7CE736B5798A1A694F1D0515227E35F97514" | New-ExchangeCertificate -Force -PrivateKeyExportable $true

Thumbprint                                Services   Subject
----------                                --------   -------
BC883E222796EE43F524051519E35DAD12FD2F41  ....S..    CN=EX01-2019

3. Assign IIS services to certificate

Refresh the Exchange admin center page or click the refresh button in the toolbar. You will see the new certificate in the list. Click on the new certificate and edit the certificate.

Renew Microsoft Exchange certificate edit new certificate

Click on services. Check the checkbox IIS. Click Save.

Renew Microsoft Exchange certificate assign IIS service

Verify that the new Microsoft Exchange certificate assigned to services shows IIS, SMTP.

Renew Microsoft Exchange certificate verify assigned services IIS and SMTP

4. Remove old certificate

Select the old certificate in the list and click the delete icon in the toolbar.

Renew Microsoft Exchange certificate remove old certificate

You will have only one Microsoft Exchange certificate in the certificates list.

New Microsoft Exchange certificate in certificates list

5. Check IIS site bindings

Verify that the new Microsoft Exchange self-signed certificate is bound correctly in the Exchange back end. Also, verify that the Default Web Site has the third-party certificate.

Important: Removing, renewing, or assigning services to the certificate can remove the certificate from Exchange Back End and Default Web Site. It’s essential that you check the certificate bindings and apply the correct certificates.

Exchange Back End

Start Internet Information Services (IIS) Manager. Click on Exchange Back End. Select Bindings. Edit the type https with port 444.

Exchange Back End site bindings

Select the Microsoft Exchange certificate. Click OK.

Edit site binding port 444

Default Web site

Click on Default Web Site. Select Bindings. Go through and edit all the types https with port 443.

Renew Microsoft Exchange certificate Default Web Site site bindings

Select the third-party certificate. Click OK.

Edit site binding port 443

7. Restart IIS (Internet Information Services)

Run the IISReset command to restart IIS.

[PS] C:\>iisreset

8. Verify Microsoft Exchange certificate validity

Run the Exchange Server Health Checker script to verify that the Microsoft Exchange certificate status is valid.

Renew Microsoft Exchange certificate validity check

Read more: Renew certificate in Exchange Hybrid »


We showed how to renew the Microsoft Exchange certificate. First, go through the steps to renew the Microsoft Exchange certificate. After that, remove the old Microsoft Exchange certificate. Next, verify that the IIS site bindings on Exchange Back End and Default Website have the correct certificates. Finally, reset IIS. Do the steps on every Exchange Server if you have more than one running in the organization.

Did you enjoy this article? You may also like How to import certificate in Exchange Server. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 3 Comments

  1. My MS Exchange 2016 CU21 certificate expired and successfully created a new one by following this article. Thank you, sir. However, only mobile devices still get SSL errors despite their mailboxes on Exchange Online. (Hybrid environment)

Leave a Reply

Your email address will not be published. Required fields are marked *