Renew an Exchange Server certificate (2024)


Every certificate has a built-in expiration date. In Exchange Server, the default self-signed certificate that's installed on the Exchange server expires 5 years after Exchange was installed on the server. You can use the Exchange admin center (EAC) or the Exchange Management Shell to renew Exchange certificates. This includes Exchange self-signed certificates, and certificates that were issued by a certification authority (CA).

Note

The certificate management tasks are removed from the EAC in Exchange Server 2016 CU23 and Exchange Server 2019 CU12. On these versions, use the Exchange Management Shell procedures to export and import certificates.

What do you need to know before you begin?

  • Estimated time to complete: 5 minutes

  • To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  • For certificates that were issued by a CA, verify the certificate request requirements of the CA. Exchange generates a PKCS #10 request (.req) file that uses Base64 encoding (default) or Distinguished Encoding Rules (DER), with an RSA public key that's 1024, 2048 (default), or 4096 bits. Note that encoding and public key options are only available in the Exchange Management Shell.

  • To renew a certificate that was issued by a CA, you need to renew the certificate with the same CA that issued the certificate. If you're changing CAs, or if there's a problem with the original certificate when you try to renew it, you need to create a new certificate request (also known as a certificate signing request or CSR) for a new certificate. For more information, see Create an Exchange Server certificate request for a certification authority.

  • If you renew or replace a certificate that was issued by a CA on a subscribed Edge Transport server, you need to remove the old certificate, and then delete and recreate the Edge Subscription. For more information, see Edge Subscription process.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Client Access services security" entry in the Clients and mobile devices permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Renew a certificate that was issued by a certification authority

The procedures are the same for certificates that were issued by an internal CA (for example, Active Directory Certificate Services), or a commercial CA.

To renew a certificate that was issued by a CA, you create a certificate renewal request, and then you send the request to the CA. The CA then sends you the actual certificate file that you need to install on the Exchange server. The procedure is nearly identical to that of completing a new certificate request by installing the certificate on the server. For instructions, see Complete a pending Exchange Server certificate request.

Use the EAC to create a certificate renewal request for a certification authority

  1. Open the EAC and navigate to Servers > Certificates.

  2. In the Select server list, select the Exchange server that holds the certificate that you want to renew.

  3. All valid certificates have a Renew link in the details pane that's visible when you select the certificate from the list. Select the certificate that you want to renew, and then click Renew in the details pane.

  4. On the Renew Exchange certificate page that opens, in the Save the certificate request to the following file field, enter the UNC path and filename for the new certificate renewal request file. For example, \\FileServer01\Data\ContosoCertRenewal.req. When you're finished, click OK.

The certificate request appears in the list of Exchange certificates with a status value of Pending.

Use the Exchange Management Shell to create a certificate renewal request for a certification authority

To create a new certificate renewal request for a certification authority, use the following syntax:

  • If you need to send the content of the certificate renewal request file to the CA, use the following syntax to create a Base64 encoded request file:

    $txtrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
    [System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

  • If you need to send the certificate renewal request file to the CA, use the following syntax to create a DER encoded request file:

    $binrequest = Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -BinaryEncoded [-KeySize <1024 | 2048 | 4096>] [-Server <ServerIdentity>]
    [System.IO.File]::WriteAllBytes('<FilePathOrUNCPath>\<FileName>.pfx', $binrequest.FileData)

To find the thumbprint value of the certificate that you want to renew, run the following command:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

For detailed syntax and parameter information, see Get-ExchangeCertificate and New-ExchangeCertificate.

Notes:

  • If you don't use the KeySize parameter, the certificate request has a 2048 bit RSA public key.
  • If you don't use the Server parameter, the command is run on the local Exchange server.

This example creates a Base64 encoded certificate renewal request for the existing certificate with the Thumbprint value 5DB9879E38E36BCB60B761E29794392B23D1C054:

$txtrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

This example creates a DER (binary) encoded certificate renewal request for the same certificate:

$binrequest = Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest -BinaryEncoded
[System.IO.File]::WriteAllBytes('\\FileServer01\Data\ContosoCertRenewal.pfx', $binrequest.FileData)

How do you know that you successfully created a certificate renewal request?

To verify that you have successfully created a certificate renewal request for a certification authority, perform either of the following steps:

  • In the EAC at Servers > Certificates, verify the server where you stored the certificate request is selected. The request should be in the list of certificates with the Status value Pending request.

  • In the Exchange Management Shell on the server where you stored the certificate request, run the following command:

    Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
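
Before choosing between the two renewal routes on this page, it helps to sort the installed certificates by urgency, route, and key size. The following is an added example, not part of the original article: the function name Get-CertRenewalPlan, the 60-day window, and the sample objects are assumptions.

```powershell
# Added example (not from the original article). Get-CertRenewalPlan is a
# hypothetical helper; it reads only properties that Get-ExchangeCertificate
# returns: Thumbprint, NotAfter, IsSelfSigned, Status, PublicKeySize, Services.
function Get-CertRenewalPlan {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Certificate,
        [int] $WarnDays = 60,            # assumed renewal window, adjust to policy
        [datetime] $Now = (Get-Date)
    )
    process {
        # Pending requests are CSRs, not certificates; nothing to renew yet.
        if ($Certificate.Status -eq 'PendingRequest') { return }

        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if     ($daysLeft -lt 0)         { $urgency = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $urgency = 'RenewNow' }
        else                             { $urgency = 'OK' }

        # The two routes this article describes.
        if ($Certificate.IsSelfSigned) { $route = 'Self-signed: New-ExchangeCertificate' }
        else                           { $route = 'CA-issued: renewal request to issuing CA' }

        [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            DaysLeft   = $daysLeft
            Urgency    = $urgency
            Route      = $route
            # 1024-bit RSA is below current minimums; request 2048 or 4096 on renewal.
            WeakKey    = ($Certificate.PublicKeySize -lt 2048)
            Services   = $Certificate.Services
        }
    }
}

# Constructed sample objects standing in for Get-ExchangeCertificate output.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-CA-CERT'; NotAfter = [datetime]'2024-06-20'
                       IsSelfSigned = $false; Status = 'Valid'; PublicKeySize = 2048; Services = 'IIS, SMTP' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-SELF-SIGNED'; NotAfter = [datetime]'2024-05-01'
                       IsSelfSigned = $true; Status = 'Invalid'; PublicKeySize = 2048; Services = 'SMTP' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-OLD-1024'; NotAfter = [datetime]'2025-03-01'
                       IsSelfSigned = $false; Status = 'Valid'; PublicKeySize = 1024; Services = 'IMAP, POP' }
    [pscustomobject]@{ Thumbprint = 'SAMPLE-PENDING'; NotAfter = [datetime]'2025-06-01'
                       IsSelfSigned = $false; Status = 'PendingRequest'; PublicKeySize = 2048; Services = 'None' }
)
$sample | Get-CertRenewalPlan -Now $now | Format-Table -AutoSize

# On an Exchange server, feed it the real objects instead of the sample:
# Get-ExchangeCertificate | Get-CertRenewalPlan | Sort-Object DaysLeft
```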

Renew an Exchange self-signed certificate

When you renew an Exchange self-signed certificate, you're basically making a new certificate.

Use the EAC to renew an Exchange self-signed certificate

  1. Open the EAC and navigate to Servers > Certificates.

  2. In the Select server list, select the Exchange server that holds the certificate that you want to renew.

  3. All valid certificates have a Renew link in the details pane that's visible when you select the certificate from the list. Select the certificate that you want to renew, and then click Renew in the details pane.

  4. On the Renew Exchange certificate page that opens, verify the read-only list of Exchange services that the existing certificate is assigned to, and then click OK.

Use the Exchange Management Shell to renew an Exchange self-signed certificate

To renew a self-signed certificate, use the following syntax:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate [-Force] [-PrivateKeyExportable <$true | $false>]

To find the thumbprint value of the certificate that you want to renew, run the following command:

Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

This example renews a self-signed certificate on the local Exchange server, and uses the following settings:

  • The thumbprint value of the existing self-signed certificate to renew is BC37CBE2E59566BFF7D01FEAC9B6517841475F2D
  • The Force switch replaces the original self-signed certificate without a confirmation prompt.
  • The private key is exportable. This allows you to export the certificate and import it on other servers.

Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force -PrivateKeyExportable $true

How do you know that you've successfully renewed an Exchange self-signed certificate?

To verify that you have successfully renewed an Exchange self-signed certificate, use either of the following procedures:

  • In the EAC at Servers > Certificates, verify the server where you installed the certificate is selected. In the list of certificates, verify that the certificate has Status property value Valid.

  • In the Exchange Management Shell on the server where you renewed the self-signed certificate, run the following command to verify the property values:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

Important

Removing, renewing, or assigning services to the certificate can remove the certificate from Exchange Back End and Default Web Site. It's essential that you check the certificate bindings and apply the correct certificates.
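
The binding check that this note calls for can be scripted. The following is an added example, not part of the original article: Test-ExchangeSiteBinding and the sample objects are assumptions, and the commented lines show one way to collect live input with Get-WebBinding from the WebAdministration module.

```powershell
# Added example (not from the original article). Test-ExchangeSiteBinding is a
# hypothetical helper: it matches each IIS HTTPS binding to an Exchange certificate.
function Test-ExchangeSiteBinding {
    param(
        [Parameter(Mandatory)] [object[]] $Binding,      # Site, BindingInformation, CertificateHash
        [Parameter(Mandatory)] [object[]] $Certificate,  # Thumbprint, NotAfter, Status
        [datetime] $Now = (Get-Date)
    )
    $byThumbprint = @{}    # hashtable keys compare case-insensitively
    foreach ($c in $Certificate) { $byThumbprint[[string]$c.Thumbprint] = $c }

    foreach ($b in $Binding) {
        $hash = [string]$b.CertificateHash      # empty when the binding lost its certificate
        $cert = $byThumbprint[$hash]
        if     (-not $hash)               { $finding = 'NoCertificateBound' }
        elseif (-not $cert)               { $finding = 'NotAnExchangeCertificate' }
        elseif ($cert.NotAfter -lt $Now)  { $finding = 'Expired' }
        elseif ($cert.Status -ne 'Valid') { $finding = "Status $($cert.Status)" }
        else                              { $finding = 'OK' }

        [pscustomobject]@{
            Site       = $b.Site
            Binding    = $b.BindingInformation
            Thumbprint = $hash
            Finding    = $finding
        }
    }
}

# Constructed sample: after a renewal, the back-end site still points at the
# old thumbprint and one front-end binding has no certificate at all.
$certs = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-NEW-CERT'; NotAfter = [datetime]'2029-06-01'; Status = 'Valid' }
)
$bindings = @(
    [pscustomobject]@{ Site = 'Default Web Site';  BindingInformation = '*:443:';         CertificateHash = 'SAMPLE-NEW-CERT' }
    [pscustomobject]@{ Site = 'Default Web Site';  BindingInformation = '127.0.0.1:443:'; CertificateHash = '' }
    [pscustomobject]@{ Site = 'Exchange Back End'; BindingInformation = '*:444:';         CertificateHash = 'SAMPLE-OLD-CERT' }
)
Test-ExchangeSiteBinding -Binding $bindings -Certificate $certs -Now ([datetime]'2024-06-01') |
    Format-Table -AutoSize

# Live input on the Exchange server (elevated Exchange Management Shell):
# Import-Module WebAdministration
# $bindings = foreach ($site in 'Default Web Site', 'Exchange Back End') {
#     Get-WebBinding -Name $site -Protocol https | ForEach-Object {
#         [pscustomobject]@{ Site = $site; BindingInformation = $_.bindingInformation
#                            CertificateHash = $_.certificateHash } } }
# Test-ExchangeSiteBinding -Binding $bindings -Certificate (Get-ExchangeCertificate)
```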

Additional resources

Unable to open OWA, ECP, or EMS after a self-signed certificate is removed from the Exchange Back End website


FAQs

How do I renew an Exchange certificate?

Open the EAC and navigate to Servers > Certificates. In the Select server list, select the Exchange server that holds the certificate that you want to renew. All valid certificates have a Renew link in the details pane that's visible when you select the certificate from the list.

How do I renew my expired server certificate?

Key Steps to Renew Your SSL Certificate
  1. Generate a new Certificate Signing Request (CSR) from your hosting provider.
  2. Activate your SSL certificate from your hosting dashboard.
  3. Validate your SSL certificate using the generated CSR.
  4. Install your new SSL certificate either manually or via contacting your hosting provider.
Mar 13, 2024

How do I renew a server certificate with the same key?

You can follow these steps:
  1. Open the Certificate Authority console on the server where the certificate was issued.
  2. Locate the expired certificate in the Issued Certificates folder.
  3. Right-click on the certificate and select Renew Certificate with Same Key.
  4. Follow the prompts to renew the certificate.
Apr 18, 2024

How do I replace an expired certificate in Exchange 2016?

Renew a Certificate in Exchange 2016 & 2019
  1. Create a new certificate signing request.
  2. Upload the certificate signing request to your certificate provider.
  3. Download the processed certificate from your certificate provider.
  4. Install the certificate on Exchange.
  5. Assign Exchange services to the new certificate on each server.
Jul 8, 2023

How do I renew my Exchange 2013 server Auth certificate?

Sign in to your CertCentral account. In CertCentral, in the left main menu, click Certificates > Expiring Certificates. On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now. A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

Where are certificates stored on an Exchange server?

To make this certificate available to all Exchange servers in an organization, it is stored in the configuration partition of Active Directory (Figure 2). Figure 2: The Exchange Auth certificate is stored in Active Directory.

What happens when server certificate expires?

Once your certificate expires, site visitors will encounter the "Your connection is not private" message. All further communication will be displayed in plaintext and therefore, will no longer be encrypted.

How long does it take to renew a server certificate?

Renewing Organization Validation (OV) SSL Certificate takes 4-5 Days. Meanwhile, renewing an Extended Validation (EV) SSL Certificate takes 1-2 weeks.

What if my certificate expires?

Expired digital certificates can cause a network outage or downtime incurring adverse effects on an organization's network and functionality. Digital certificates like TLS/SSL certificates play a crucial role in the smooth functioning of your website.

How do I add a certificate to my Exchange server?

To install SSL certificate via Exchange Admin Center (EAC): Open the EAC and navigate to Servers > Certificates. Select the Exchange server where you want to install the certificate from the server list. Click More Options and select Import Exchange certificate.

How do I renew my server certificate in Windows server 2016?

Renew SSL Certificate IIS 10 Windows Server 2016
  1. Open the Internet Information Services (IIS) Manager. ...
  2. In the IIS Manager, select the main server node on the top left under Connections and double-click the Server Certificates.
  3. From the Actions pane on the top right, select Create Certificate Request.

How do you reset server certificate?

In the SERVER CERTIFICATES section, in the Update Certificate section, click Reset Server Certificates. A confirmation window appears. Click Reset. A success message appears to confirm the reset succeeded.

What is the difference between renew and replace certificate?

When your current certificate is about to expire, a Renewal is required. A Revoke & Replace (Reissue) is when you cancel a current, valid certificate and request a new one.

How to renew a server authentication certificate?

  1. Check the current certificate's expiration date.
  2. Generate a Certificate Signing Request (CSR).
  3. Submit the CSR to the Certificate Authority (CA).
  4. Receive the renewed certificate from the CA.
  5. Install the renewed certificate on your Windows server.
  6. Bind the certificate to the appropriate services.
Aug 15, 2022

How to check Exchange certificate?

Use the Get-ExchangeCertificate cmdlet to view Exchange certificates that are installed on Exchange servers. This cmdlet returns Exchange self-signed certificates, certificates that were issued by a certification authority and pending certificate requests (also known as certificate signing requests or CSRs).

How do I renew a self-signed certificate in Exchange 2010?

Open Start then go to Programs > Microsoft Exchange 2010 > Exchange Management Console. Click Manage Databases. On the Right side, click 'Renew Exchange Certificate…'

How do I renew my Exchange Delegation Federation certificate?

Here's a step-by-step guide:
  1. Step 1: Generate a Certificate Signing Request (CSR) Open the Exchange Management Shell. ...
  2. Step 2: Obtain the Renewed Certificate. ...
  3. Step 3: Install the Renewed Certificate. ...
  4. Step 4: Refresh Federation Metadata. ...
  5. Step 5: Test the Renewed Certificate.
Aug 10, 2023

How do I renew my digital certificate?

You need to check your certificate type and which digital signature you have class 2 or class 3. Open your USB token tool and find out the certificate type. If you have a class 3 digital signature then the renewal cost is 2400/- for 2 Years including GST 18%.

Article information

Author: Roderick King
