How to renew a self-signed certificate in Exchange Server 2007
The Exchange 2007 self signs a certificate when the server role is first added for all the Exchange services that run in unison with IIS (smtp & owa etc). The certificate expires after one year from the date the server was first installed or the date the certificate was assigned manually.
First, check the status of the certificate by opening the Exchange Management Shell and executing the command ‘Get-ExchangeCertificate |FL’ – this displays all information about the currently assigned certificates and the status of each certificate.
It is common that they may be more than one certificate listed in the display – if that is the case, find the certificate that shows an expired date in the field ‘NotAfter‘ – as this defines when each certificate becomes invalid/expired. An expired certificate may cause problems such as connectivity to web services, SMTP transport and Outlook prompting certificate security warnings.
Use the following steps to generate a new certificate and enable it to run IIS services:
1. Type ‘Get-ExchangeCertificate |FL’ – This only lists details of certificates that are assigned to Exchange Services. Then note down the Thumbprint of the expired certificate.
2. Then type ‘Get-ExchangeCertificate –Thumbprint “ 9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63” | New-ExchangeCertificate’ . This generates a new certificate, and you will then be prompted to confirm if you want to overwrite the expired certificate and use the new one for the SMTP service.
3. If you run the cmdlet in step 1 you will notice the new certificate is not used to secure IIS services anymore. Make a note of the new thumbprint and run the following command typing the new thumbprint between the quotation marks: ‘Enable-ExchangeCertificate –Thumbprint “7A843B04EA2865CA9E6C34B42329AEE4456F9013” –Services IIS’
4. Be sure to verify all the services are working correctly after renewing and enabling the certificate – test Outlook clients by closing and opening Outlook to esnure there are no security certificate warnings.
5. Finally, Remove the old certificate by typing the following cmdlet into the management shell: Remove-ExchangeCertificate –Thumbprint “9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63″.
6. Then you have to load the new cert to all of your workstations so that they will trust it. Using a Group Policy is best.
Here are my simplified notes:
#GET THUMBPRINT OF CERT TO RENEW
#AND PUT IT HERE
Get-ExchangeCertificate -thumbprint “88F86C9A7A62BCAEF8C0892C927481BA0791EEFF”| New-ExchangeCertificate -PrivateKeyExportable $true
#GET THUMBPRINT OF NEW CERT YOU JUST CREATED
#AND ASSIGN SERVICES TO IT
Enable-ExchangeCertificate –Thumbprint “5150AD44A3C013A7815B01BD5377E21D7AF7ED96” –Services “POP,IMAP,IIS,SMTP”
#GET THUMBPRINT OF ANY EXPIRED OR INVALID CERTS
#AND REMOVE THEM
Remove-ExchangeCertificate –Thumbprint “88F86C9A7A62BCAEF8C0892C927481BA0791EEFF”