Blog

How to renew a self-signed certificate in Exchange Server 2007

Date November 29, 2013 Author By Category Microsoft Exchange

The Exchange 2007 self signs a certificate when the server role is first added for all the Exchange services that run in unison with IIS (smtp & owa etc). The  certificate expires after one  year from the date the server was first installed or the date the certificate was assigned manually.

First, check the status of the certificate by opening the Exchange Management Shell and executing the commandGet-ExchangeCertificate |FL’ – this displays all information about the currently assigned certificates and the status of each certificate.

It is common that they may be more than one certificate listed in the display – if that is the case, find the certificate that shows an expired date in the field ‘NotAfter‘ – as this defines when each certificate becomes invalid/expired. An expired certificate may cause problems such as connectivity to web services, SMTP transport and Outlook prompting certificate security warnings.

Use the following steps to generate a new certificate and enable it to run IIS services:

1. Type ‘Get-ExchangeCertificate |FL’ – This only lists details of certificates that are assigned to Exchange Services. Then note down the Thumbprint of the expired certificate.

2. Then type ‘Get-ExchangeCertificate –Thumbprint “ 9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63” | New-ExchangeCertificate’ . This generates a new certificate, and you will then be prompted to confirm if you want to overwrite the expired certificate and use the new one for the SMTP service.

3. If you run the cmdlet in step 1 you will notice the new certificate is not used to secure IIS services anymore. Make a note of the new thumbprint and run the following command typing the new thumbprint between the quotation marks: ‘Enable-ExchangeCertificate –Thumbprint “7A843B04EA2865CA9E6C34B42329AEE4456F9013” –Services IIS’

4. Be sure to verify all the services are working correctly after renewing and enabling the certificate – test Outlook clients by closing and opening Outlook to esnure there are no security certificate warnings.

5. Finally, Remove the old certificate by typing the following cmdlet into the management shell: Remove-ExchangeCertificate –Thumbprint “9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63″.

6. Then you have to load the new cert to all of your workstations so that they will trust it.  Using a Group Policy is best.

exchange 2007 cert group policy setting

Here are my simplified notes:

#GET THUMBPRINT OF CERT TO RENEW
Get-ExchangeCertificate |FL

#AND PUT IT HERE
Get-ExchangeCertificate -thumbprint “88F86C9A7A62BCAEF8C0892C927481BA0791EEFF”| New-ExchangeCertificate -PrivateKeyExportable $true

#GET THUMBPRINT OF NEW CERT YOU JUST CREATED
Get-ExchangeCertificate |FL

#AND ASSIGN SERVICES TO IT
Enable-ExchangeCertificate –Thumbprint “5150AD44A3C013A7815B01BD5377E21D7AF7ED96” –Services “POP,IMAP,IIS,SMTP”

#GET THUMBPRINT OF ANY EXPIRED OR INVALID CERTS
Get-ExchangeCertificate |FL

#AND REMOVE THEM
Remove-ExchangeCertificate –Thumbprint “88F86C9A7A62BCAEF8C0892C927481BA0791EEFF”

Tags: , ,

Leave a Reply

Your email address will not be published.