renew exchange certificate

When you install Exchange Server, a self-signed certificate that’s created and signed by the Exchange server itself is automatically installed on the server. Often times we run into instances where you will be required to renew the Exchange Certificate.  Unlike renewing an external SSL Exchange email certificate issued by a third party such as GoDaddy, you can easily generate a new self-signed certificate with a few easy commands using the Exchange PowerShell.

How to Renew the Exchange Certificate

First, you will need to find the thumbprint of the certificate that is expiring or has already expired.  You can find this by running the following command in the Exchange PowerShell:

Get-ExchangeCertificate | fl

This will list all of the certificates that are installed on the server and will list the thumbprint.  Once you find this information, you can run the following command:

Get-ExchangeCertificate -thumbprint “Thumbprint” | New-ExchangeCertificate

Eg. Get-ExchangeCertificate -thumbprint “BFD0FA04DE0A65F17E6EC949407E633ABFFFBCCB” | New-ExchangeCertificate

After running this command, you will be asked to confirm that you want to overwrite the old certificate with the newly generated one.  Once you accept this you will see a new certificate has been created and you may need to re-assign any necessary services.  After you verify the new certificate is correct and has the necessary services assigned, if any, you will want to remove the old certificate so that the server no longer generates the corresponding expired event logs.  You can do this by running the following command using the thumbprint used previously:

Remove-ExchangeCertificate -thumbprint “BFD0FA04DE0A65F17E6EC949407E633ABFFFBCCB”

At this point some people like to bounce the Transport service but unsure if this is needed.

Now that the certificate has been updated this is typically all you will need to do and you are all ready to go. There is a possibility that the binding of the new certificate in IIS will need to be reinstated. You will definitely know about it because you will suddenly start receiving error messages.

When a new certificate is created or a certificate is renewed this should be an automatic process but in some instances the binding will be removed. In this scenario, several client protocols such as ECP, OWA, ActiveSync and Exchange Management Shell cannot connect. The following issues may occur:

  • OWA and ECP display a blank page.
  • ActiveSync users cannot receive emails.
  • Exchange Management Shell will cannot connect and displays the following Error:
    New-PSSession : [] Processing data from remote server failed with the following error message: The WinRM Shell client cannot process the request. The shell handle passed to the WSMan Shell function is not valid. The shell handle is valid only when WSManCreateShell function completes successfully. Change the request including a valid shell handle and try again. For more information, see the about_Remote_Troubleshooting Help topic.
    At line:1 char:1

    + New-PSSession -ConnectionURI “$connectionUri” -ConfigurationName Microsoft.Excha …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
        + FullyQualifiedErrorId : -2144108212,PSSessionOpenFailed
    Failed to connect to an Exchange server in the current site.
    Enter the server FQDN where you want to connect.:

During the setup process a self-signed certificate called Microsoft Exchange is bound to the Exchange Back End Website on port 444. This is for communication between the Default Web Site Front End where the third party CA issued certificate is installed on, and Exchange Back End web sites. When the certificate is removed or changed, the Default Web Site will no longer be able to proxy connections to the Exchange Back End web site.

To resolve this issue, add the certificate back to the Exchange Back End web site Or Create a new self-signed certificate, and then bind it to the Exchange Back End web site.

Note:  These steps should be taken on the Exchange Mailbox server role:

  1. Start IIS Manager on the Mailbox Server.
  2. Expand Site, highlight Exchange Back End, and select Bindings from the Actions pane in the right side column.
renew exchange certificate
  1. Select Type https on Port 444.
  2. Click Edit and select the Microsoft Exchange certificate.
  3. From an administrator command prompt, run IISReset.
renew exchange certificate

3 thought on “How to Renew the Exchange Self signed certificate”
  1. I renewed my Godaddy UCC less than a year ago with no issue. Then the WMSVC and MSExAuth a few months back with no issues. Last week I clicked the renew link on the “Microsoft Exchange” self signed cert causing outlook to give users ServerName cert errors and I couldn’t get into EAC. Is this the IIS issue you wrote about above? Thank you for taking the time to make this write up!

Leave a Reply

Your email address will not be published. Required fields are marked *