Renewing self-signed certificates in Exchange 2010 and Exchange 2007

by Bharat Suneja on January 28, 2008

Exchange 2010 and Exchange 2007 Setup create a self-signed certificate for each server to protect communication for services such as SMTP, IMAP, POP, IIS and UM. In Exchange 2007 the certificate is valid for one year. In Exchange 2010 the validity period was raised to five years.

The self-signed certificate meets an important need: it secures the communication paths for Exchange services by default. Without any administrator action, traffic to and between Exchange services is encrypted rather than transferred in the clear.

Nevertheless, treat these certificates as temporary. Self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, where the certificate is exchanged as part of the Edge Subscription. They are not recommended for client communication on an ongoing basis: a client has no reason to trust a certificate the server issued to itself, so Outlook, browsers and mobile devices will warn on every connection unless the certificate is imported into each client's trusted store. For most deployments you will end up purchasing a certificate from a trusted third-party CA (or, in organizations with a PKI deployed, an internal CA).

Self-signed certificates are great for securing communication by default and handy for test environments. For client communication in production environments, use certificates signed by a CA that the clients already trust.

Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, they will need to be renewed before they expire, just as you would renew certificates from third-party or in-house CAs. An expired certificate does not stop Exchange from using it, but clients that validate it will start failing or warning.

Step 1. Identify the existing certificate. This command retrieves the certificate for server e12postcard.e12labs.com, a server with the CAS and HT roles installed:

Get-ExchangeCertificate -domain "e12postcard.e12labs.com" | fl

Note the services the certificate is enabled for (by default POP, IMAP, IIS and SMTP on a server with the CAS and HT roles) and its expiration date (NotAfter). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date. Piping the existing certificate to New-ExchangeCertificate clones its subject and certificate domains into a new self-signed certificate:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If you want to be able to export the certificate with its private key for backup (or to install it on another server, although this is generally done only for CA-signed certificates), create the new certificate with an exportable private key by adding the PrivateKeyExportable parameter. For example:

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -PrivateKeyExportable $true

If the existing certificate is the default SMTP certificate, you will get the following prompt. The default SMTP certificate is the one used to encrypt SMTP sessions between transport servers in your organization, so New-ExchangeCertificate asks before replacing it.

Confirm
Overwrite existing default SMTP certificate,
'C5DD5B60949267AD624618D8492C4C5281FDD10F' (expires 8/22/2008 7:20:34 AM), with certificate '3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E' (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

Type y to continue. A new certificate is generated.

Thumbprint                                 Services   Subject
----------                                 --------   -------
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E   .....      CN=E12Postcard

The new certificate is generated and enabled. Examine the new certificate:

Get-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" | fl

Step 2. Compare the Services property of the two certificates. The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated by the command above is enabled only for POP, IMAP and SMTP; IIS is missing, which would leave OWA, Outlook Anywhere and the Autodiscover and EWS virtual directories on the old certificate.

You can enable the new certificate for IIS in addition to any other services it is already enabled for: Enable-ExchangeCertificate adds to the existing value of the certificate's Services property rather than replacing it.

Note: Once you enable a certificate for a particular Exchange Server service, there is no way to disable it for that service. You must remove the certificate (if the certificate is CA-issued, export it along with its private key before you do so), import it again and enable it only for the services you need. This is generally not a concern with self-signed certificates: you can generate additional self-signed certificates and optionally remove the old one, since there is no CA interaction or cost involved.

Because the cmdlet only adds services, setting the Services parameter to None does nothing in this case.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E" -services IIS

Step 3. Test that services are working with the new certificate: connect to OWA over HTTPS and check that the certificate presented carries the new thumbprint and expiration date, and confirm POP, IMAP and SMTP TLS connections still negotiate. Leave the old certificate in place until those checks pass; re-enabling it for the same services is your rollback. Once everything works as expected, remove the old certificate using the EMC or the Remove-ExchangeCertificate cmdlet from the Shell:

Remove-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F"
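The three steps above combined into one Exchange Management Shell script, as an added example that is not part of the original post or of Exchange itself. It assumes it is run on the server that owns the certificate, that the thumbprint passed in was copied from Get-ExchangeCertificate as in step 1, and that the certificate is self-signed (issuer equals subject); the -RemoveOld switch and the script name are this example's own. It records the Services value before renewing, re-applies the full set to the new certificate so IIS is not lost, verifies the result, and leaves the old certificate installed unless removal is explicitly requested.

```powershell
# Added example, not from the original post: renew a self-signed Exchange 2007/2010
# certificate in one pass while preserving its Services assignment.
# Assumptions: run in the Exchange Management Shell on the server that owns the
# certificate, with the old thumbprint copied from Get-ExchangeCertificate (step 1).
# The -RemoveOld switch is this script's own; it is not an Exchange parameter.
param(
    [string]$OldThumbprint,
    [switch]$RemoveOld
)

if (-not $OldThumbprint) { throw "Supply -OldThumbprint <thumbprint of the certificate to renew>." }

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old) { throw "No certificate with thumbprint $OldThumbprint on this server." }

# This procedure re-issues a certificate the server signed itself. A CA-issued
# certificate has a different issuer and must be renewed through the CA instead.
if ($old.Issuer -ne $old.Subject) {
    throw "Certificate $OldThumbprint was issued by '$($old.Issuer)'; renew it with the CA, not here."
}

# Record the services before anything changes. The cloned certificate may not
# inherit all of them (the post's example lost IIS).
$services = $old.Services.ToString()
Write-Host "Old certificate expires $($old.NotAfter); enabled for: $services"

# Clone subject and certificate domains into a new self-signed certificate with an
# exportable key. -Confirm:$false answers the "Overwrite existing default SMTP
# certificate" prompt, which is the intended outcome of a renewal.
$new = $old | New-ExchangeCertificate -PrivateKeyExportable $true -Confirm:$false

# Re-apply the full original set. Enable-ExchangeCertificate only adds to the
# Services property, so naming services that are already enabled is harmless.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Confirm:$false

# Verify every original service is now on the new certificate before going further.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$enabled = $check.Services.ToString()
$missing = @()
foreach ($svc in $services.Split(",")) {
    $svc = $svc.Trim()
    if ($svc -and ($enabled -notmatch $svc)) { $missing += $svc }
}
if ($missing.Count -gt 0) {
    throw "New certificate $($new.Thumbprint) is not enabled for: $([string]::Join(', ', $missing))"
}
Write-Host "New certificate $($new.Thumbprint) expires $($check.NotAfter); enabled for: $enabled"

# The old certificate stays installed (and is the rollback path) unless removal is
# requested explicitly, and then only after the checks above have passed.
if ($RemoveOld) {
    Remove-ExchangeCertificate -Thumbprint $OldThumbprint -Confirm:$false
}
```

Save it as, for example, Renew-SelfSignedExchangeCert.ps1 and run it first without -RemoveOld: `.\Renew-SelfSignedExchangeCert.ps1 -OldThumbprint C5DD5B60949267AD624618D8492C4C5281FDD10F`. If clients misbehave afterwards, `Enable-ExchangeCertificate -Thumbprint <old thumbprint> -Services <the recorded list>` puts the old certificate back in service; only rerun with -RemoveOld once testing is complete. Renewing does not make the certificate trusted: clients that warned about the old self-signed certificate will warn about the new one too.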

39 comments

Paul February 7, 2008 at 5:43 am

Hi,

Thanks for the great outline!

Is this the same on an edge server or do you have to resubscribe for that?

Do you know if you can renew a CA cert through IIS or do you have to use the new-exchangecertificate cmd?

Thanks again!!

Hyper March 6, 2008 at 6:25 pm

Thank you for the article. While playing with self-signed certificates I ran into the following problem. It happens for all new certificates. Any idea why it happens and how it can be resolved?..
----------------------------------

>>> New-ExchangeCertificate -GenerateRequest -domainname mydomain.com -privatekeyexportable:$true -path c:\cert_myserver.txt

Thumbprint                                 Services   Subject
----------                                 --------   -------
433157A3B9C8C874591A5B35CF91719ADC61B427   .....      CN=mydomain.com

>>> Enable-ExchangeCertificate -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services “IIS”

Enable-ExchangeCertificate : The certificate with thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 was not found.
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint 433157A3B9C8C874591A5B35CF91719ADC61B427 -Services “IIS”

Bharat Suneja March 7, 2008 at 11:36 am

Do you see the certificate when you use the Get-ExchangeCertificate command?

Hyper March 27, 2008 at 3:39 pm

Sorry Bharat, just got back from vacation.

Yes, strange thing is – I see it using the Get-ExchangeCertificate command, but it doesn’t let me enable it!

Any idea what might be wrong?..

12345 June 9, 2008 at 8:57 am

I have a question concerning renewing the certificate from an outside authority. Let’s say this certificate was from Entrust and you wanted to renew it. Would the correct command be Get-ExchangeCertificate -thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F” | New-ExchangeCertificate -GenerateRequest -privatekeyexportable $true -Path c:\certificates\cerreq.req to renew?

12345 June 24, 2008 at 8:04 am

Hello…I was just wondering if my last comment was correct as I have to renew my certificate soon. Thanks for the help!

Peter February 10, 2009 at 10:30 am

Hello,

I followed the above instructions and I’m not sure this worked correctly. After running Enable-ExchangeCertificate -thumbprint “…” -Services IIS

If I run Get-ExchangeCertificate, it shows my new certificate as being enabled ONLY for IIS… I’ve tried running Enable-ExchangeCertificate -services SMTP (POP, IMAP) with no luck. Email still works, but I’m not sure how to check if Exchange is still using my old certificate.

Please let me know how to check if I am using the new certificate, as well as how to revert so I can try your instructions again.

Thanks!

Anonymous February 16, 2009 at 4:41 am

Hi,
Thank you, this is a superb article. I have a problem: our Exchange server does not have a domain name and it works on an IP address. E.g. we access MS Outlook using http://123.456.789.123/owa and Outlook Anywhere uses this IP. Can you please advise me on how to create the certificate for the local domain, i.e. exchange.domain.local, and the IP address.

Thanks & Regards,
Sudhish

John March 18, 2009 at 5:19 pm

Hi –
I have imported a our new certificate and would like to enable it for "SMTP, IMAP, IIS, POP"

When I go to enable I get a big WARNING that I will not be able to use my TLS connectors??

[PS] C:\Documents and Settings\oscar.meyer>
Enable-ExchangeCertificate -ThumbPrint [XXXXX-THUMBPRINT-XXXXXX] -Services "SMTP, IMAP, POP, IIS"

WARNING: This certificate will not be used for external TLS connections with an
FQDN of 'mail1.mymail.com.COM' because the self-signed certificate with
thumbprint 'AAA-THUMBPRINT-AAAAAAA' takes precedence. The
following connectors match that FQDN: Default MAIL1, Client
MAIL1.
Confirm
Overwrite existing default SMTP certificate,
'AAA-THUMBPRINT-AAAAAAA' (expires 1/01/2XXX 2:23:15 PM),
with certificate 'XXXXX-THUMBPRINT-XXXXXX' (expires 2/XX/2XXX
12:34:13 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):

I did not complete the command – the whole purpose of the CERT is for our TLS connectors to external clients – Do I just have to re-create my connectors once I have enabled the CERT?

Please advise.

Thanks.

-Johnny

Anonymous May 4, 2009 at 1:49 am

Great Article Thank you so much

Luke

Anonymous May 6, 2009 at 7:10 am

Thank you. Worked a treat. Had been scratching my head over this one!

http://paulhale.com
http://twitter.com/paulhale

Anonymous July 7, 2009 at 9:45 pm

I have followed steps 1 and 2 and renewed the certificate, but forgot step 3 to remove the expired certificate. Now the issue remains the same: our Outlook clients are still receiving the same security certificate message. Is it because I did not delete the expired certificate?

Thanks.

Anonymous August 23, 2009 at 11:59 pm

Thanks a lot guys. Tried the solution posted above and it worked fine for our Exchange 2007 server.

Anonymous September 21, 2009 at 10:56 pm

Thanks heaps, this worked and now I don't get those event logs anymore relating to invalid certificates.

Anonymous November 17, 2009 at 5:34 am

Hi Bharat,

Maybe you could help me. I have my certificate configured as you described here. My users are having this error: offlineaddressbookdata cannot be found, the URL cannot be found, 0X8004010f.

Using out of office assistant they get the error server is not available

thanks

Anonymous December 6, 2009 at 9:29 pm

Bharat,

Thanks for the post. I renewed my cert a month ago, forgot to add IIS. Rebooted this weekend and no webmail. Your post got me back up fast.

Thank you,

Mark

Anonymous December 9, 2009 at 3:16 am

You saved my life – champion.

Anonymous December 27, 2009 at 11:15 am

Excuse me for being such a novice, but what program are you using to do this? Tiny Get? It appears that a couple of pieces of this are missing; will anybody please let me know how to accomplish this?

Thank you

Anonymous January 4, 2010 at 12:31 pm

These commands are all run from the Exchange Management Shell, aka, Powertoys with the Exchange Extensions….

noman January 20, 2010 at 3:13 am

Can anyone guide me how to reinstall the default Exchange certificate after the third-party certificate's expiry, because I don't want to purchase more.

noman January 20, 2010 at 3:15 am

Hi,
Can anyone guide me how to install the default Exchange certificate after expiry of the third-party certificate, because I don't want to purchase more.

thanks,

Anonymous February 11, 2010 at 12:38 am

John..

Is your problem solved? I am also facing the same problem. Please let me know what you did to solve it…

Anonymous March 9, 2010 at 4:26 pm

Thanks for this article. Worked a treat!

Sanjay July 28, 2010 at 10:17 pm

Worked perfectly… !! Thanks mate!

Tony Tomadakis November 4, 2010 at 3:24 pm

Thanks for a great write up

for anybody that needs instructions:
click on Start and type Exchange Management Shell in the Search field above Start then click on it…

Skee December 13, 2010 at 7:10 am

Followed the instructions, was very easy, thanks. However, now my users are getting "The security certificate was issued by a company you have not chosen to trust…" Is there a way to remotely add that certificate to users' trusted area?

Thanks!

Tar February 14, 2011 at 9:53 pm

Thanks a lot.
Now I know why I cannot use -services none to disable the certificate.

Harish February 16, 2011 at 2:59 am

Thanks mate. You have very good knowledge.
Keep it up.

GB February 23, 2011 at 2:20 pm

Dear Bharat,

I performed the steps you described. With MMC I exported the certificate, and I imported the certificate on my ISA server Local computer, personal and trusted.
I changed the OWA rule in the ISA server for the listener to the correct valid certificate.

Now my users still get the message “Error Code: 500 Internal Server Error. The received certificate has expired. (-2146893016) ”
When I watch the certificate at the ISA server it’s valid.

But I didn't perform the deletion of the invalid certificates as you described under step number 3.
Could this be the problem for my users?

Bharat Suneja February 24, 2011 at 3:54 pm

Are services assigned to the new certificate? If so, the old certificate shouldn’t be used, even if installed.

Regardless, you can remove old/expired certificates.

Ab May 22, 2011 at 5:43 pm

This seemed to screw up SBS 2008. I don't think you are meant to use this procedure for SBS. If you do, OWA will fail and you have to reset various things which were a real pain to find, and then you get an Outlook certificate name error which is just as big a pain to fix.

For SBS the advice is to use the ‘Fix my network’ wizard I think.

Peter May 31, 2011 at 5:30 pm

Worked like a charm, thanks!

sap July 4, 2011 at 4:26 am

Can someone please tell me the roll back plan if this all goes wrong?

thanks

Computer Support Guy July 11, 2011 at 7:56 am

Thanks for the post. I still haven’t figured out how to extend the self-signed cert for more than one year, so you don’t have to repeat the process every year.
Can someone shed some light on how to accomplish that? TIA

Bharat Suneja July 11, 2011 at 10:10 am

For Certification Authority-signed certificates, you can specify when requesting from the CA. For self-issued certificates, the one year certificate validity period is hard-coded in Exchange 2007. In Exchange 2010, self-signed certificates are valid for 5 years.

Abbas Ali April 12, 2012 at 3:31 am

Very good article, saved lots of time. Thanks

CM September 19, 2012 at 4:49 am

worked fine for me (SBS 2008)
thanks

Thewill March 2, 2013 at 9:18 am

THANK YOU!

This really saved my skin…

IP December 15, 2014 at 2:14 am

Brilliant! Nice and simple. Exactly what we were looking for. Although the cmdlet verbiage has changed in 2010 (SBS 2011), I still managed to get it completed. Many thanks.
