If your organization is running Microsoft Exchange 2007/2010, you may not be aware that the self-signed Exchange certificate installed by default during setup has a validity period of 5 years. If you start getting the Outlook security prompt pictured below, then chances are your certificate has expired.
Fortunately, Microsoft has made updating or renewing the certificate very easy with a few basic PowerShell commands in the Exchange Management Shell.
Copy the thumbprint from the existing self-signed certificate: This command retrieves the existing certificates and writes their thumbprints, service bindings and expiry dates to a text file (the pipeline needs Out-File, a bare file path is not a valid pipeline target):
Get-ExchangeCertificate | Format-List Thumbprint, Services, NotAfter, Subject | Out-File C:\ExchangeCertThumbPrint.txt
Generate a new self-signed certificate: This command pipes the existing certificate object to the New-ExchangeCertificate cmdlet, which uses its properties (subject and domain names) to generate a new self-signed certificate and marks the private key as exportable. An exportable private key is required if you need to publish the certificate through GPO:
$NewCert = Get-ExchangeCertificate -thumbprint "2063C67135BD54BAF3EE0C640060CB341F615835" | New-ExchangeCertificate -PrivateKeyExportable $true
Enable the new certificate for IIS: The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated by the command above is enabled only for POP, IMAP and SMTP – IIS is missing. The new certificate has its own thumbprint (printed by New-ExchangeCertificate and held in $NewCert above); use that thumbprint, not the old one, to enable it for IIS:
Enable-ExchangeCertificate -thumbprint $NewCert.Thumbprint -services IIS
Remove the old certificate: Make sure all services (Outlook, OWA, POP, IMAP and SMTP) are working with the new certificate. Once it works as expected, you can remove the old certificate using the EMC or the Remove-ExchangeCertificate cmdlet from the Shell:
Remove-ExchangeCertificate -thumbprint "FTY45H60949267AD624618D8492C4C5281FIIDON"
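The whole procedure above as one script, added here as an example rather than code from the original post. It assumes it is run inside the Exchange Management Shell on an Exchange 2010 server (PowerShell 2.0), that the certificate to renew is the self-signed one currently bound to IIS, and that the parameters $ExportPath, $WarnIfExpiringInDays and $RemoveOldCert are names chosen for this example. It goes beyond the post in two ways: it records the pre-renewal state and expiry dates first, and it checks that the new certificate is bound to every service the old one served before the old certificate can be removed.

```powershell
# Added example (not from the original post): end-to-end renewal of the default
# self-signed Exchange certificate, run from the Exchange Management Shell.
# Assumed names: $ExportPath, $WarnIfExpiringInDays and $RemoveOldCert are this
# example's own parameters; the EMS cmdlets are already loaded.
param(
    [string]$ExportPath = "C:\ExchangeCertThumbPrint.txt",
    [int]$WarnIfExpiringInDays = 30,
    [switch]$RemoveOldCert
)

# 1. Inventory: list every certificate Exchange knows about and flag the ones
#    that are expired or close to expiry, so renewal happens before Outlook
#    starts prompting users.
$now   = Get-Date
$certs = Get-ExchangeCertificate
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0) { "EXPIRED" }
             elseif ($daysLeft -le $WarnIfExpiringInDays) { "EXPIRING" }
             else { "OK" }
    "{0,-8} {1} {2,5}d  services={3}  selfsigned={4}  {5}" -f `
        $state, $c.Thumbprint, $daysLeft, $c.Services, $c.IsSelfSigned, $c.Subject
}

# Record the pre-renewal state (thumbprints, bindings, expiry) before changing anything.
$certs | Format-List Thumbprint, Services, NotAfter, IsSelfSigned, Subject |
    Out-File -FilePath $ExportPath

# 2. Pick the self-signed certificate currently bound to IIS; that is the one
#    behind the Outlook prompt described in the post.
$old = $certs | Where-Object { $_.IsSelfSigned -and ($_.Services -match "IIS") } |
    Select-Object -First 1
if (-not $old) { throw "No self-signed certificate is enabled for IIS; nothing to renew." }
"Renewing {0} (expires {1})" -f $old.Thumbprint, $old.NotAfter

# 3. Generate the replacement from the old certificate's properties with an
#    exportable private key, and capture the new object so its own thumbprint is
#    used from here on. Reusing the old thumbprint in the Enable step would bind
#    IIS to the expiring certificate again.
$new = $old | New-ExchangeCertificate -PrivateKeyExportable $true
if ($new.Thumbprint -eq $old.Thumbprint) {
    throw "New-ExchangeCertificate did not return a new certificate."
}

# 4. Bind the new certificate to IIS (POP, IMAP and SMTP were inherited).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

# 5. Verify before touching the old certificate: re-read the new one and check
#    it is bound to every service the old one served and is not itself expired.
$check   = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$missing = @("IIS", "POP", "IMAP", "SMTP") | Where-Object {
    ($old.Services -match $_) -and -not ($check.Services -match $_)
}
if ($missing) {
    $list = [string]::Join(", ", [string[]]$missing)
    throw "New certificate is missing services: $list. Old certificate left in place."
}
if ($check.NotAfter -le $now) { throw "New certificate is already expired." }
"New certificate {0} is bound to {1}, valid until {2}" -f `
    $check.Thumbprint, $check.Services, $check.NotAfter

# 6. Remove the old certificate only when explicitly asked, after the checks above
#    have passed and clients have been confirmed working.
if ($RemoveOldCert) {
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    "Removed old certificate $($old.Thumbprint)"
} else {
    "Old certificate $($old.Thumbprint) left in place; re-run with -RemoveOldCert once clients are confirmed working."
}
```

Run it once without -RemoveOldCert, confirm Outlook, OWA and mail flow are working against the new certificate, then run it again with -RemoveOldCert. The exported text file is the record to keep if the renewal has to be rolled back or audited.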