How to renew an Exchange 2007 Self-Signed Certificate.

By default, Exchange 2007 creates a self-signed certificate that is valid for 1 year when it is installed. This certificate is used by Exchange services such as SMTP, POP3, IMAP, IIS and UM.

Please note that a self-signed certificate is not the recommended way for external clients to communicate with the server.

Because the certificate expires after 1 year, you will need to renew it 1 year after the installation date.

Renewing the self-signed certificate is simple, takes just a few steps, and must be done on the server with the Client Access and Hub Transport roles installed. We will be using the Exchange Management Shell.

1. The first step is to get the thumbprint of the certificate that is enabled for the POP, SMTP, IMAP and IIS services. The thumbprint looks something like this: C5DD5B60949267AD624618D8492C4C5281FDD10F. To get the thumbprint, run the following command.

Get-ExchangeCertificate -domain "servername.domain.extension" | fl

2. Once you have the thumbprint, run a command to generate a new certificate with a new expiration date. This command does not make the certificate's private key exportable.

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate

If you need a certificate with an exportable private key, run the command as follows.

Get-ExchangeCertificate -thumbprint "C5DD5B60949267AD624618D8492C4C5281FDD10F" | New-ExchangeCertificate -PrivateKeyExportable $true

If the existing certificate is being used as the default SMTP certificate, you will be prompted to overwrite the existing default SMTP certificate. Type "Y" and press ENTER. This generates the new certificate and enables it. "The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization."

The output will give you the thumbprint of the new certificate, which we will use in steps 3 and 4.

3. To check that the default services (POP, SMTP and IMAP) are mapped to the new certificate, use the following command, replacing NEW KEY with the thumbprint of the new certificate.

Get-ExchangeCertificate -thumbprint "NEW KEY" | fl

4. We now also need to map the IIS service to the new thumbprint.

Enable-ExchangeCertificate -thumbprint "NEW KEY" -services IIS

5. You can now test your services to ensure that they are working; the best way to do this is to access OWA from inside the network and also test Outlook over HTTPS.

Once you are happy, you can remove the old certificate with the following command, replacing OLD KEY with the thumbprint obtained in step 1.

Remove-ExchangeCertificate -thumbprint "OLD KEY"

And that is it. You now have a new self-signed certificate that is valid.
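The five steps above as a single Exchange Management Shell script, with a check after each step so that the old certificate is never deleted while something still uses it. This is an added example and not part of the original post; it uses only the cmdlets shown above (Get-ExchangeCertificate, New-ExchangeCertificate, Enable-ExchangeCertificate, Remove-ExchangeCertificate) and the certificate properties that `| fl` prints (Thumbprint, Services, NotAfter, IsSelfSigned). The default value of $Fqdn is the placeholder from step 1, and the $RenewWithinDays, $Exportable and $RemoveOld parameters are this script's own inventions.

```powershell
# Added example (not from the original post): steps 1 to 5 as one script with
# a check after each step. $Fqdn's default is the placeholder from step 1; the
# $RenewWithinDays, $Exportable and $RemoveOld parameters are this script's own.
param(
    [string]$Fqdn = "servername.domain.extension",  # placeholder, as in step 1
    [int]$RenewWithinDays = 30,                     # renew only this close to expiry
    [switch]$Exportable,                            # step 2 variant with exportable key
    [switch]$RemoveOld                              # only after the step 5 tests pass
)

# Step 1: find the self-signed certificate that is currently bound to services.
$candidates = @(Get-ExchangeCertificate -DomainName $Fqdn |
    Where-Object { $_.IsSelfSigned -and ($_.Services.ToString() -ne 'None') })
if ($candidates.Count -eq 0) { throw "No self-signed certificate is enabled for any service on $Fqdn." }
if ($candidates.Count -gt 1) {
    throw ("More than one candidate; choose a thumbprint by hand: " +
        [string]::Join(", ", @($candidates | ForEach-Object { $_.Thumbprint })))
}
$old = $candidates[0]
$oldServices = $old.Services.ToString()
$daysLeft = ($old.NotAfter - (Get-Date)).Days
Write-Host ("Old certificate {0}: services={1}, expires {2} ({3} days left)" -f $old.Thumbprint, $oldServices, $old.NotAfter, $daysLeft)
if ($daysLeft -gt $RenewWithinDays) {
    Write-Host "More than $RenewWithinDays days left; nothing to do."
    return
}

# Step 2: clone the old certificate into a new self-signed certificate. If the
# old one is the default SMTP certificate, expect the overwrite prompt the post
# describes and answer Y.
if ($Exportable) {
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint |
        New-ExchangeCertificate -PrivateKeyExportable $true
} else {
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate
}
if (-not $new -or $new.Thumbprint -eq $old.Thumbprint) {
    throw "New-ExchangeCertificate did not return a new certificate."
}
if ($new.NotAfter -le $old.NotAfter) {
    throw "New certificate $($new.Thumbprint) does not expire later than the old one."
}
Write-Host ("New certificate {0}: expires {1}" -f $new.Thumbprint, $new.NotAfter)

# Steps 3 and 4: every service the old certificate served, IIS included, must
# now be bound to the new thumbprint; bind any that the clone did not carry over.
$new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
foreach ($svc in $oldServices.Split(',')) {
    $svc = $svc.Trim()
    if ($new.Services.ToString() -notmatch "\b$svc\b") {
        Write-Host "Binding $svc to the new certificate"
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $svc
    }
}
$new = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
Write-Host ("New certificate now serves: {0}" -f $new.Services)

# Step 5: the functional test (OWA from inside, Outlook over HTTPS) is manual.
# Remove the old certificate only once it passes and nothing binds it any more.
if ($RemoveOld) {
    $old = Get-ExchangeCertificate -Thumbprint $old.Thumbprint
    if ($old.Services.ToString() -ne 'None') {
        throw "Old certificate is still bound to $($old.Services); not removing it."
    }
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
    Write-Host "Removed old certificate $($old.Thumbprint)"
} else {
    Write-Host "Test OWA and Outlook over HTTPS, then re-run with -RemoveOld to delete $($old.Thumbprint)."
}
```

Run it once without -RemoveOld to renew and rebind, do the step 5 tests by hand, then run it again with -RemoveOld; the second run exits early at step 1 only if it cannot find a bound self-signed certificate, and refuses to delete the old certificate while any service still points at it.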

