Renew Microsoft Exchange certificate
The Microsoft Exchange certificate is installed when you install an Exchange Server, and it is valid for 5 years. Most of the time, you don’t look into that certificate because, within 5 years, you will have installed a new Exchange Server and decommissioned the old one. What if you have to renew the certificate? The Microsoft Exchange self-signed certificate expires, and it will not renew automatically. In this article, you will learn how to renew the Microsoft Exchange certificate.
How to renew Microsoft Exchange certificate
Let’s look at the steps to renew the self-signed Microsoft Exchange certificate. Run the below commands in Exchange Management Shell.
Are you looking at how to renew the Microsoft Exchange Server Auth Certificate? Read the article Renew Microsoft Exchange Server Auth Certificate.
Important: Do the below steps after working hours, even if you have a DAG configuration. That’s because renewing the certificate can unbind the certificate from the Default Web Site, and users will get certificate errors until the bindings are corrected. You have to do the steps on all the Exchange Servers.
1. Get Microsoft Exchange certificate
Sign in to Exchange Admin Center on-premises. Navigate to servers > certificates. Select the Exchange Server if you have more than one Exchange Server running in the organization. Double-click the Microsoft Exchange certificate.
In our example, we selected the Exchange Server EX01-2019.
We see that the certificate thumbprint starts with E55A7C.
Let’s verify the Exchange Server certificate with Exchange Management Shell.
Run Exchange Management Shell as administrator on Exchange on-premises. Run the Get-ExchangeCertificate cmdlet to check the existing Microsoft Exchange certificate status.
Note: Copy the certificate thumbprint because you need it when you renew Microsoft Exchange certificate in the next step.
[PS] C:\>Get-ExchangeCertificate | where {$_.FriendlyName -like "Microsoft Exchange"} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
FriendlyName : Microsoft Exchange
Subject : CN=EX01-2019
CertificateDomains : {EX01-2019, EX01-2019.exoip.local}
Thumbprint : E55A7CE736B5798A1A694F1D0515227E35F97514
NotBefore : 5/1/2022 7:53:26 PM
NotAfter : 5/1/2027 7:53:26 PM
In the next step, we will renew the Microsoft Exchange certificate.
2. Create new Microsoft Exchange certificate
Create a new Microsoft Exchange certificate. Run the New-ExchangeCertificate cmdlet and paste the previously copied certificate thumbprint in the command.
Note: In most cases, you can’t remove the existing Microsoft Exchange certificate yet. You will be able to remove it after you create and publish a new Microsoft Exchange certificate.
[PS] C:\>Get-ExchangeCertificate -Thumbprint "E55A7CE736B5798A1A694F1D0515227E35F97514" | New-ExchangeCertificate -Force -PrivateKeyExportable $true
Thumbprint Services Subject
---------- -------- -------
BC883E222796EE43F524051519E35DAD12FD2F41 ....S.. CN=EX01-2019
3. Assign IIS services to certificate
Refresh the Exchange admin center page or click the refresh button in the toolbar. You will see the new certificate in the list. Click on the new certificate and edit the certificate.
Click on services. Check the checkbox IIS. Click Save.
Verify that the Assigned to services column for the new Microsoft Exchange certificate shows IIS, SMTP.
4. Remove old certificate
Select the old certificate in the list and click the delete icon in the toolbar.
You will have only one Microsoft Exchange certificate in the certificates list.
5. Check IIS site bindings
Verify that the new Microsoft Exchange self-signed certificate is bound correctly in the Exchange back end. Also, verify that the Default Web Site has the third-party certificate.
Important: Removing, renewing, or assigning services to the certificate can remove the certificate from Exchange Back End and Default Web Site. It’s essential that you check the certificate bindings and apply the correct certificates.
Exchange Back End
Start Internet Information Services (IIS) Manager. Click on Exchange Back End. Select Bindings. Edit the type https with port 444.
Select the Microsoft Exchange certificate. Click OK.
Default Web Site
Click on Default Web Site. Select Bindings. Go through and edit every binding of type https with port 443.
Select the third-party certificate. Click OK.
6. Restart IIS (Internet Information Services)
Run the IISReset command to restart IIS.
[PS] C:\>iisreset
7. Verify Microsoft Exchange certificate validity
Run the Exchange Server Health Checker script to verify that the Microsoft Exchange certificate status is valid.
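As an added example that is not part of the original article, the following PowerShell script checks one Exchange Server after the steps above: it reports the expiry of the self-signed Microsoft Exchange certificate (steps 1 and 7), warns if the old certificate is still present (step 4), and compares the IIS SSL bindings on ports 444 and 443 with the certificate thumbprints (step 5). It assumes the default site names Exchange Back End and Default Web Site and the default ports used in the article.

```powershell
# Added example, not code from the original article. Run in Exchange Management
# Shell as administrator on each Exchange Server after the IIS reset.
# Assumed: default sites "Exchange Back End" (https/444) and "Default Web Site"
# (https/443), as used in the article.
Import-Module WebAdministration

function Test-ExchangeSelfSignedCert {
    $certs = @(Get-ExchangeCertificate -Server $env:COMPUTERNAME)
    # Step 1/7: the self-signed "Microsoft Exchange" certificate and its expiry
    $exCerts = @($certs | Where-Object { $_.FriendlyName -eq 'Microsoft Exchange' -and $_.IsSelfSigned })
    if ($exCerts.Count -eq 0) { Write-Warning 'No self-signed "Microsoft Exchange" certificate found'; return }
    if ($exCerts.Count -gt 1) { Write-Warning "Found $($exCerts.Count) Microsoft Exchange certificates; remove the old one (step 4)" }
    foreach ($c in $exCerts) {
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        $state = if ($daysLeft -le 0) { 'EXPIRED' } elseif ($daysLeft -le 30) { 'EXPIRES SOON' } else { 'OK' }
        '{0,-12} {1} NotAfter={2:d} DaysLeft={3} Services={4}' -f $state, $c.Thumbprint, $c.NotAfter, $daysLeft, $c.Services
    }
    # The newest Microsoft Exchange certificate is the one that should be bound on port 444
    $current = $exCerts | Sort-Object NotAfter -Descending | Select-Object -First 1

    # Step 5: compare the IIS SSL bindings with the Exchange certificate thumbprints
    $ssl = Get-ChildItem IIS:\SslBindings
    foreach ($b in ($ssl | Where-Object { $_.Port -eq 444 })) {
        if ($b.Thumbprint -eq $current.Thumbprint) {
            "OK   Exchange Back End $($b.IPAddress):444 uses $($b.Thumbprint)"
        } else {
            Write-Warning "Exchange Back End $($b.IPAddress):444 uses $($b.Thumbprint), expected $($current.Thumbprint)"
        }
    }
    foreach ($b in ($ssl | Where-Object { $_.Port -eq 443 })) {
        # The Default Web Site should carry the third-party (not self-signed) certificate
        $bound = $certs | Where-Object { $_.Thumbprint -eq $b.Thumbprint }
        if ($bound -and -not $bound.IsSelfSigned) {
            "OK   Default Web Site $($b.IPAddress):443 uses $($bound.Subject)"
        } else {
            Write-Warning "Default Web Site $($b.IPAddress):443 does not use a third-party certificate (thumbprint $($b.Thumbprint))"
        }
    }
}

Test-ExchangeSelfSignedCert
```

A warning on port 443 means the Default Web Site binding was dropped or reverted during the renewal and must be set back to the third-party certificate before users reconnect.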
Read more: Renew certificate in Exchange Hybrid »
Conclusion
We showed how to renew the Microsoft Exchange certificate. First, go through the steps to renew the Microsoft Exchange certificate. After that, remove the old Microsoft Exchange certificate. Next, verify that the IIS site bindings on Exchange Back End and Default Website have the correct certificates. Finally, reset IIS. Do the steps on every Exchange Server if you have more than one running in the organization.
My MS Exchange 2016 CU21 certificate expired, and I successfully created a new one by following this article. Thank you, sir. However, only mobile devices still get SSL errors despite their mailboxes being on Exchange Online. (Hybrid environment)
A very good description of how to renew the Exchange Certificate!
Legend!