What are the steps for an Exchange certificate renewal?

An expired Exchange certificate can bring your messaging platform to a halt, but it’s easy enough to check and replace the expired certificate.

When mail stops flowing, Outlook access breaks and the Exchange Management Console or Shell returns errors, it might be time to check whether an Exchange certificate renewal is in order.

During installation, Exchange creates a default certificate and assigns it to your protocols, including Simple Mail Transfer Protocol (SMTP) and Internet Information Services (IIS). Many companies do not allow access to Outlook on the web, so mail is only accessible internally. This limits Exchange Server's capabilities, as Microsoft designed it to be accessible from anywhere on any device.

For companies that choose to limit Exchange's functionality, the IT staff often opts to keep the default certificate, which has a five-year life span. Five years later, IT might have forgotten about the Exchange certificate renewal until the countdown emails warning that it will expire start to arrive. If nobody sees these emails and the certificate expires, problems begin, because Exchange services that require a valid certificate might stop working.

To check a certificate’s status, run the following PowerShell command:

Get-ExchangeCertificate | fl

Assign a new certificate for Exchange 2010

If Exchange breaks due to an expired certificate, you might be tempted to try a quick fix by requesting a certificate from an internal certificate authority. This won't work, because the certificate authority will not sign the certificate.

Trouble typically happens at this point, when you start to panic as help desk tickets flood in. You might try to adjust the settings in IIS, but this can break Exchange. The fix, however, is simple.

Run the New-ExchangeCertificate command to initiate the Exchange certificate renewal process. This PowerShell cmdlet will create a new self-signed certificate for Exchange 2010. The command prompts you to replace the existing certificate. Click Yes to proceed.

[Figure: Exchange certificate replacement. Execute the PowerShell New-ExchangeCertificate cmdlet to build a new self-signed certificate for Exchange 2010.]

Next, assign the services from the old certificate to the new one and perform an IISReset from an elevated command prompt to get Exchange services running again.

Finally, ensure the bindings in IIS are set to use the new certificate.
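The whole procedure above, as an added example for the Exchange Management Shell on Exchange 2010 (this is not the article's own script). It assumes a single expired certificate of interest, that the WebAdministration module is available on the server for the final binding check, and that the shell is elevated; the cmdlets and property names are the standard Exchange ones.

```powershell
# Added example: renew an expired default self-signed Exchange certificate.
# Run in an elevated Exchange Management Shell on the Exchange 2010 server.

# 1. Check certificate status: list certificates that are already expired or
#    expire within 30 days, together with the services each one serves.
$cutoff = (Get-Date).AddDays(30)
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt $cutoff } |
    Select-Object Thumbprint, Subject, NotAfter, Services, IsSelfSigned
$expiring | Format-List

# Keep the service list (e.g. "IIS, SMTP") from the old certificate so the same
# services can be moved to its replacement. Assumption: one expired certificate.
$old      = $expiring | Select-Object -First 1
$services = $old.Services

# 2. Create the replacement self-signed certificate. Exchange prompts to
#    overwrite the existing default SMTP certificate; answer Yes.
$new = New-ExchangeCertificate

# 3. Assign the old certificate's services to the new one. -Force suppresses the
#    confirmation prompt when the new certificate takes over the default SMTP role.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Force

# 4. Restart IIS so Outlook Web App, EWS and Autodiscover pick up the new binding.
iisreset

# 5. Verify: the new certificate should now carry the services, and the IIS
#    SSL binding should reference its thumbprint rather than the expired one.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, NotAfter, Services
Import-Module WebAdministration
Get-ChildItem IIS:\SslBindings | Format-List IPAddress, Port, Thumbprint
```

If the binding still shows the old thumbprint, correct it in IIS Manager (Site Bindings for the Default Web Site) before reissuing iisreset.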