Renew Exchange 2010 Certificate

If your organization is running Microsoft Exchange 2007/2010, you may not be aware that the self-signed Exchange certificate installed by default during setup has a validity period of 5 years. If you start getting the Outlook security prompt pictured below, then chances are your certificate has expired.
Fortunately Microsoft has made the process of updating or renewing the certificate straightforward using a few basic PowerShell commands in the Exchange Management Shell.

Copy the thumbprint from the existing self-signed certificate: This command retrieves the existing certificate and exports its details to a text file:

Generate a new self-signed certificate: This command pipes the existing certificate object to the New-ExchangeCertificate cmdlet, which uses its properties to generate a new self-signed certificate and marks the private key as exportable. An exportable private key is required if you need to publish the certificate through a GPO:

Note: If the existing certificate is being used as the default SMTP certificate, you will get an overwrite prompt to confirm that the new certificate will be used for SMTP transactions.

Enable the new certificate for IIS: The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing. You can enable the certificate for IIS using the command below:

Remove the old certificate: Make sure all services are working with the new certificate as required. Once everything works as expected, you can remove the old certificate using the EMC or the Remove-ExchangeCertificate cmdlet from the Shell:
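The four steps above as one end-to-end Exchange Management Shell session. This is an added example, not the commands from the original post; it assumes the Exchange 2010 cmdlets Get-ExchangeCertificate, New-ExchangeCertificate, Enable-ExchangeCertificate and Remove-ExchangeCertificate, is run on the Exchange server itself, and uses a placeholder thumbprint and an assumed output path (C:\Temp\OldExchangeCert.txt) that you replace with your own values.

```powershell
# Added example, not the original post's commands. Assumes the Exchange 2010
# Management Shell cmdlets and that you run this on the Exchange server.

# Check first: list self-signed certificates with their expiry and assigned
# services so you pick the one that is actually expiring.
Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned } |
    Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# Step 1: capture the existing certificate by thumbprint and keep its details
# on disk for reference. Thumbprint and path are placeholders.
$OldThumbprint = 'PASTE_OLD_THUMBPRINT_HERE'
$OldCert = Get-ExchangeCertificate -Thumbprint $OldThumbprint
$OldCert | Format-List | Out-File -FilePath 'C:\Temp\OldExchangeCert.txt'

# Step 2: clone the old certificate's properties into a new self-signed
# certificate with an exportable private key. If the old certificate is the
# default SMTP certificate, Exchange asks whether to overwrite that binding.
$NewCert = $OldCert | New-ExchangeCertificate -PrivateKeyExportable $true

# Step 3: the clone carries POP, IMAP and SMTP but not IIS; add IIS explicitly.
Enable-ExchangeCertificate -Thumbprint $NewCert.Thumbprint -Services IIS

# Verify before removing anything: the new certificate should now list IIS
# among its services and have a NotAfter date five years out.
Get-ExchangeCertificate -Thumbprint $NewCert.Thumbprint |
    Format-List Thumbprint, Services, NotAfter

# Step 4: only after OWA, Outlook and mail flow have been confirmed on the
# new certificate, remove the old one (the cmdlet prompts for confirmation).
Remove-ExchangeCertificate -Thumbprint $OldThumbprint
```

Leave the confirmation prompt on Remove-ExchangeCertificate in place rather than suppressing it; deleting a certificate that is still bound to a service takes that service down, so the verification step before it is the part that matters.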
