How to renew a self-signed certificate in Exchange Server 2007

When an Exchange Server 2007 role is installed, setup automatically generates a self-signed certificate for the services that need TLS: transport (SMTP), POP, IMAP and IIS (Outlook Web Access and Exchange Web Services). This certificate is valid for one year from the date it was created, whether by setup or by a later manual renewal. You can check its status from the Exchange Management Shell: running Get-ExchangeCertificate | FL displays the details of every certificate Exchange sees in the local computer's certificate store, including which Exchange services each one is enabled for.

[Screenshot: output of Get-ExchangeCertificate | FL showing Thumbprint, Services, NotBefore and NotAfter]

You may see more than one certificate listed on your Exchange server(s); that is usually because you or someone else on your team has already worked with certificates on that server.

In the screenshot above, the certificate on my server is valid until 24 March 2010. NotAfter holds the timestamp (shown here in the server's mm/dd/yyyy h:mm:ss locale format) after which the certificate is no longer valid; NotBefore holds the timestamp before which it is not yet valid. A certificate is only usable between those two timestamps.
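As an added example (mine, not code from the original post), the following Exchange Management Shell script reads NotBefore and NotAfter for every certificate returned by Get-ExchangeCertificate and classifies each one as expired, not yet valid, expiring within a warning window, or OK, alongside the services it is enabled for. When Get-ExchangeCertificate is not available (for example outside the EMS) it falls back to constructed sample objects so it can be tried offline. The function name, the 30-day threshold and the sample subject/dates are my assumptions; the thumbprints are the ones shown on this page.

```powershell
# Added example: audit Exchange certificate validity windows (NotBefore/NotAfter).
# Run inside the Exchange Management Shell; outside it, constructed sample data is used.
param([int]$WarnDays = 30)   # warn this many days before NotAfter (assumed threshold)

function Get-CertExpiryReport {
    param($Certificates, [int]$WarnDays, [datetime]$Now)
    foreach ($c in $Certificates) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $Now).TotalDays)
        # NotBefore and NotAfter bound the validity window; outside it the certificate is invalid
        if ($Now -lt $c.NotBefore)       { $state = 'NotYetValid' }
        elseif ($Now -gt $c.NotAfter)    { $state = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
        else                             { $state = 'OK' }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty State      $state
        $row | Add-Member NoteProperty DaysLeft   $daysLeft
        $row | Add-Member NoteProperty NotAfter   $c.NotAfter
        $row | Add-Member NoteProperty Services   $c.Services
        $row | Add-Member NoteProperty SelfSigned $c.IsSelfSigned
        $row | Add-Member NoteProperty Thumbprint $c.Thumbprint
        $row | Add-Member NoteProperty Subject    $c.Subject
        $row
    }
}

if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    $certs = Get-ExchangeCertificate
} else {
    # Constructed sample data mimicking the fields shown by Get-ExchangeCertificate | FL
    # (subject and dates are made up; thumbprints are the ones from the post).
    $certs = @()
    foreach ($spec in @(
        @('58C846DEEA2865CA9E6DD4B42329A9AC994EBF63', 'CN=EXCH01', '2009-03-24', '2010-03-24', 'IMAP, POP, IIS, SMTP'),
        @('E0BB201793DC74D0F94F3275E6AA53BA75907565', 'CN=EXCH01', '2010-03-20', '2011-03-20', 'IMAP, POP, SMTP')
    )) {
        $c = New-Object PSObject
        $c | Add-Member NoteProperty Thumbprint   $spec[0]
        $c | Add-Member NoteProperty Subject      $spec[1]
        $c | Add-Member NoteProperty NotBefore    ([datetime]$spec[2])
        $c | Add-Member NoteProperty NotAfter     ([datetime]$spec[3])
        $c | Add-Member NoteProperty Services     $spec[4]
        $c | Add-Member NoteProperty IsSelfSigned $true
        $certs += $c
    }
}

# Soonest-expiring first; an EXPIRED or ExpiringSoon row is the one to renew.
Get-CertExpiryReport -Certificates $certs -WarnDays $WarnDays -Now (Get-Date) |
    Sort-Object DaysLeft |
    Format-Table State, DaysLeft, NotAfter, Services, SelfSigned, Thumbprint -AutoSize
```

Scheduled to run weekly, this gives you the warning the one-year lifetime otherwise never announces; the Services column tells you which bindings you will have to recreate when you renew.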

Once the date in NotAfter has passed, the certificate is invalid and anything that validates it will start failing: client connections to the web services, TLS on SMTP transport, POP and IMAP retrieval, and so on. Renewing is done with a cmdlet, but it is not quite a single command: the renewed certificate is a new object with a new thumbprint, and it has to be checked, enabled for the right services, and the old one cleaned up. Follow these steps:

1. Run Get-ExchangeCertificate | FL. This lists the details of every certificate Exchange sees in the local computer's certificate store, with the Services field showing which Exchange services each one is enabled for. From the output, note down the Thumbprint of the certificate you want to renew.

2. Run Get-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63" | New-ExchangeCertificate. Piping the existing certificate into New-ExchangeCertificate creates a new self-signed certificate with the same subject and domain names and a fresh validity period; this is what renews it. The moment you press Enter you may be prompted to confirm that the new certificate should overwrite the existing default SMTP certificate; confirm it.

[Screenshot: New-ExchangeCertificate prompting to overwrite the existing default SMTP certificate]

3. Check that the certificate was renewed. Run Get-ExchangeCertificate | FL again: the renewed certificate has a new thumbprint and new NotBefore and NotAfter dates, as in the picture below.

[Screenshot: Get-ExchangeCertificate | FL output after renewal, showing the new thumbprint and dates]

4. Looking closely at the picture above you will also notice that, although NotAfter and NotBefore have moved forward, the renewed certificate is no longer enabled for IIS. To enable it for IIS as well, run Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS, using the new thumbprint from step 3.

5. Verify that all services work after renewing and enabling the certificate: check with Get-ExchangeCertificate that the Services field of the new certificate lists everything the old one did, and test the connections that depend on it (OWA, SMTP, POP and IMAP).

6. Only then remove the old certificate by running Remove-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63". Do not remove it before step 5 has passed; while anything still references the old thumbprint you want it available to fall back on.
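Putting steps 1 to 6 together, here is an added example script for the Exchange Management Shell (mine, not code from the original post). It uses the cmdlets the post uses (Get-ExchangeCertificate, New-ExchangeCertificate, Enable-ExchangeCertificate, Remove-ExchangeCertificate), relies on the -Force switch of New-ExchangeCertificate to suppress the SMTP overwrite prompt, and generalises step 4 by re-enabling whichever services the clone dropped rather than assuming it is only IIS. The script name, its parameters and the Get-ServiceNames helper are my own.

```powershell
# Added example: renew a self-signed Exchange 2007 certificate end to end.
# Run inside the Exchange Management Shell on the server that owns the certificate.
param(
    [string]$Thumbprint,   # thumbprint of the certificate to renew (from Get-ExchangeCertificate)
    [switch]$RemoveOld     # delete the old certificate once the new one is verified
)
if (-not $Thumbprint) { throw 'Usage: .\Renew-SelfSignedCert.ps1 -Thumbprint <hex> [-RemoveOld]' }

# Turn the Services field ("IMAP, POP, IIS, SMTP" or "None") into a list of service names.
function Get-ServiceNames($services) {
    $names = @()
    foreach ($n in "$services".Split(',')) {
        $n = $n.Trim()
        if ($n -and $n -ne 'None') { $names += $n }
    }
    return $names
}

# Step 1: locate the certificate and refuse to touch anything that is not self-signed;
# a CA-issued certificate must be renewed through its CA, not cloned.
$old = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $old) { throw "No certificate with thumbprint $Thumbprint in the local store" }
if (-not $old.IsSelfSigned) { throw "$Thumbprint is not self-signed; renew it through its issuing CA instead" }
$wanted = Get-ServiceNames $old.Services
Write-Host ("Renewing {0}: expires {1}, services: {2}" -f $old.Subject, $old.NotAfter, $old.Services)

# Step 2: clone it. Piping the old certificate into New-ExchangeCertificate creates a new
# self-signed certificate with the same subject and domain names and a new validity period.
# -Force suppresses the prompt about overwriting the default SMTP certificate; drop it to confirm by hand.
$new = $old | New-ExchangeCertificate -Force
if (-not $new) { throw 'New-ExchangeCertificate returned nothing; the old certificate is untouched' }
Write-Host ("New thumbprint {0}, valid {1} to {2}" -f $new.Thumbprint, $new.NotBefore, $new.NotAfter)

# Steps 3 and 4: the clone does not keep every binding (the post shows IIS being dropped),
# so enable on the new certificate whatever the old one had that is now missing.
$have = Get-ServiceNames $new.Services
$missing = @($wanted | Where-Object { $have -notcontains $_ })
if ($missing.Count -gt 0) {
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services ([string]::Join(',', $missing))
}

# Step 5: verify from a fresh read that every service the old certificate served is bound to
# the new one; stop here, leaving the old certificate in place, if anything is still missing.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$have = Get-ServiceNames $check.Services
$still = @($wanted | Where-Object { $have -notcontains $_ })
if ($still.Count -gt 0) {
    Write-Warning ("Services still not bound to the new certificate: {0}; old certificate kept" -f [string]::Join(',', $still))
    return
}
Write-Host ("Verified: {0} is enabled for {1}" -f $new.Thumbprint, $check.Services)

# Step 6: remove the old certificate only on request and only after the check above passed.
if ($RemoveOld) {
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    Write-Host "Removed old certificate $($old.Thumbprint)"
} else {
    Write-Host "Old certificate left in place; after testing OWA/SMTP/POP/IMAP remove it with Remove-ExchangeCertificate -Thumbprint $($old.Thumbprint)"
}
```

Run it without -RemoveOld first, test the client-facing services by hand, and remove the old certificate afterwards; passing -RemoveOld on the first run only makes sense when the service check above is enough for you. On an Edge Transport server with an Edge Subscription the renewed certificate also has to be pushed to the Hub Transport by re-creating the subscription, as a commenter below points out.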

12 thoughts on “How to renew a self-signed certificate in Exchange Server 2007”

    1. Thank you for your valuable comment Ash. If you look at the last screenshot the services are already there, and the last paragraph also explained that IIS is missing because we have overwritten the existing certificate and it needed to be assigned manually.

  1. Thanks for your interesting post, but something was not clear in my case. I have 3 CAS, 3 Hub Transports and 1 Edge Transport. All of them were installed on separate servers and use self-signed certificates. Can you tell me what important things I have to consider when renewing those certificates? Can you guide me step by step to renew the certificate for Hub, Edge and CAS?
    Thank you so much

    1. Hello,
      This procedure is for renewing the certificates on any server role. As far as renewing the self-signed certificates is concerned you can follow this blog post; that's pretty much it.

  2. Thanks,
    I agree with all the steps for renewing the cert on Hub and CAS, but if you renew the self-signed certificate on an Edge Transport you have to do some additional steps:
    – after renewing the self-signed certificate on the Edge you have to re-subscribe EdgeSync as follows:
    + New-EdgeSubscription -FileName "C:\subscription.xml"
    + copy this file to the Hub Transport
    + Organization Configuration > Hub Transport > Create New Edge Subscription –> browse to this file
    + Test-EdgeSynchronization
    – everything is OK if the result of the test command is success

  3. Pretty good step by step guide.

    Now I am stuck on one problem. If I search in Exchange Server 2007 for the updated certificate file, I can only see the old certificate file. How do I get it? Do I need to generate the file?

  4. Question.

    How could I make a cert with an exportable private key?

    Get-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63" | New-ExchangeCertificate -PrivateKeyExportable $True

    Would this work??

    Regards

    1. @Mottl, please refer to the article http://technet.microsoft.com/en-us/library/aa996305.aspx on how to export the certificate. The Exchange self-signed certificate is already marked with private key exportable, so by extension you don't need to use -PrivateKeyExportable during the certificate renewal. Also, when you renew the certificate using the above steps, all properties and extended properties are renewed based on the information from the previous certificate. I hope that helps.
