How to renew an Exchange Server certificate - aaqibwani/M365 GitHub Wiki

Renewing an Exchange certificate involves a few steps:

  • Identify the Certificate using EAC or EMS
  • Create CSR using PowerShell
  • Submit to Certificate Authority (CA)
  • Download the New Certificate
  • Import the new certificate into Exchange
  • Bind the certificate to Exchange services (IIS, SMTP, etc.)
  • Export the certificate so it can be imported on the other Exchange server(s)
  • Re-Run HCW (for Hybrid) or manually update the Send/Receive connectors
  • Remove the Old Certificate

Identifying the certificate:

  • In EMS, run:
Get-ExchangeCertificate | Where-Object {$_.IsSelfSigned -eq $false} | Format-List FriendlyName, CertificateDomains, Thumbprint, NotAfter
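The one-liner above lists certificates on the server you are logged on to. The following script is an added example (it is not code from the wiki page) that goes one step further: it walks every Mailbox server, skips the self-signed certificates, and reports which CA-issued certificate is bound to which services and how many days it has left, so the renewal candidate is obvious. The 30-day threshold is an assumption; it assumes an Exchange Management Shell session.

```powershell
# Added example, not part of the original wiki page.
# Audit every Mailbox server for CA-issued certificates, their service bindings and expiry.
# Assumption: run from the Exchange Management Shell; 30 days is an arbitrary warning threshold.
$daysWarning = 30
$now = Get-Date

$report = foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' })) {
    # Self-signed certificates are Exchange's own (transport, auth, WMSvc) and are not renewed this way.
    $certs = Get-ExchangeCertificate -Server $server.Name | Where-Object { -not $_.IsSelfSigned }
    foreach ($c in $certs) {
        [pscustomobject]@{
            Server     = $server.Name
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            Services   = "$($c.Services)"              # e.g. "IIS, SMTP" or "None"
            NotAfter   = $c.NotAfter
            DaysLeft   = [int]($c.NotAfter - $now).TotalDays
            Domains    = ($c.CertificateDomains -join ';')
        }
    }
}

# The certificate bound to IIS/SMTP with the fewest days left is the one to renew.
$report | Sort-Object DaysLeft | Format-Table Server, Thumbprint, Services, DaysLeft, Domains -AutoSize

$expiring = @($report | Where-Object { $_.DaysLeft -le $daysWarning })
if ($expiring.Count -gt 0) {
    Write-Warning ("{0} certificate(s) expire within {1} days:" -f $expiring.Count, $daysWarning)
    $expiring | Format-List Server, Subject, Thumbprint, Services, NotAfter
}
```

A certificate that shows `Services = None` on a server is not in use there; a certificate bound to IIS or SMTP on one server but missing on another is the usual sign that a previous renewal was only half deployed.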


Generating the CSR:

  • If you need to renew the certificate without changing any of its properties, generate the request from the existing certificate. This creates a new key pair on the server you run it on, so the issued certificate must later be imported on that same server:
$certrequest = Get-ExchangeCertificate -Thumbprint <YourThumbprint> | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable:$true
[System.IO.File]::WriteAllBytes('\\MS01\C$\temp\CertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($certrequest))


  • However, if you need to change any property (for example, to add more domains), create a new CSR instead of reusing the old certificate's settings. On Exchange 2016 and later, run:
$txtrequest = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US,o=Woodgrove Bank,cn=mail.woodgrovebank.com" -DomainName autodiscover.woodgrovebank.com,mail.fabrikam.com,autodiscover.fabrikam.com

[System.IO.File]::WriteAllBytes('\\FileServer01\Data\woodgrovebank.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
  • Add -PrivateKeyExportable:$true to this command as well (as in the renewal command above) if the certificate will later be exported to other servers; without it the private key cannot be exported.

Submit the CSR and download the certificate:

  • Open the CSR .req file, copy its contents and paste them into the CA's certificate request form. The process may differ based on the CA (I'm using zeroSSL for a free 90-day certificate):


Import the certificate in Exchange

  • Run this on the same server where the CSR was generated, because that is where the pending request and its private key live. -PrivateKeyExportable:$true is what allows the certificate to be exported to the other servers later. The -Password parameter is only for PFX files; a CA-issued .crt/.cer carries no private key and needs no password, so it is omitted here:
Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('\\MS01\C$\temp\certificate.crt')) -PrivateKeyExportable:$true
  • If the CA supplies its intermediate certificate(s) separately (zeroSSL's ca_bundle.crt, for example), install them in the server's Intermediate Certification Authorities store; otherwise clients that do not already have the intermediate will see an incomplete chain.


Bind the certificate to the IIS and SMTP services

Enable-ExchangeCertificate -Thumbprint <NewThumbprint> -Services IIS,SMTP
  • When SMTP is assigned you may be asked "Overwrite the existing default SMTP certificate?". Answer No unless you specifically intend to replace it: the default (self-signed) SMTP certificate is what the Exchange servers in the organization use between each other, and the new certificate is still enabled for SMTP and is selected for connections whose FQDN it matches.


Export the certificate

  • On the Exchange Server where you imported the certificate and completed the CSR, run:
$bincert = Export-ExchangeCertificate -Thumbprint D337A0CE4C49B88F0CDC9A52AE447904C075ADC2 -BinaryEncoded -Password (Get-Credential).password

[System.IO.File]::WriteAllBytes('C:\temp\mycertificate.pfx', $bincert.FileData)
  • Remember the password you entered in the command above; it is needed when you import the certificate on another server:
Import-ExchangeCertificate -Server MS02 -FileData ([System.IO.File]::ReadAllBytes('\\MS01\C$\temp\mycertificate.pfx')) -Password (Get-Credential).password
  • The PFX contains the private key: copy it over an authenticated share only and delete it from every location once the imports have succeeded. Service bindings are per server, so after the import run Enable-ExchangeCertificate with the same thumbprint on that server too.
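The export/import pair above covers one extra server. The script below is an added example (not code from the wiki page) that applies the same steps to every other Mailbox server in one go: it imports the PFX where it is missing, binds the certificate to the same services, prints what each server ended up with, and then deletes the PFX. The thumbprint is the one used on this page; the PFX path, the source server name MS01 and the service list are assumptions.

```powershell
# Added example, not part of the original wiki page.
# Deploy the exported PFX to every other Mailbox server and bind it to the same services.
# Assumptions: PFX path, source server name and service list; thumbprint is the one from this page.
$thumbprint   = 'D337A0CE4C49B88F0CDC9A52AE447904C075ADC2'
$pfxPath      = '\\MS01\C$\temp\mycertificate.pfx'
$sourceServer = 'MS01'
$services     = 'IIS', 'SMTP'

# Ask for the export password once, keep it as a SecureString, reuse it for every import.
$pfxPassword = (Get-Credential -Message 'Password used when the PFX was exported' -UserName 'pfx').Password
$pfxBytes    = [System.IO.File]::ReadAllBytes($pfxPath)

$targets = Get-ExchangeServer |
    Where-Object { $_.ServerRole -like '*Mailbox*' -and $_.Name -ne $sourceServer }

foreach ($srv in $targets) {
    # Import only where the certificate is not present yet, so the script can be re-run safely.
    $present = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $thumbprint -ErrorAction SilentlyContinue
    if (-not $present) {
        Import-ExchangeCertificate -Server $srv.Name -FileData $pfxBytes -Password $pfxPassword -PrivateKeyExportable:$true | Out-Null
    }

    # Bindings are per server: the import alone changes nothing until this runs.
    # Expect the "overwrite the existing default SMTP certificate?" question on each server;
    # answer No unless you deliberately want to replace the default SMTP certificate.
    Enable-ExchangeCertificate -Server $srv.Name -Thumbprint $thumbprint -Services $services

    $check = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $thumbprint
    '{0}: services={1} expires={2:yyyy-MM-dd}' -f $srv.Name, "$($check.Services)", $check.NotAfter
}

# The PFX holds the private key: remove it as soon as every server has it.
Remove-Item -Path $pfxPath -Force
```

Run it from the Exchange Management Shell on the server that did the export. If a server is listed with `services=None` afterwards, the import worked but the Enable step was declined or failed, and that server will keep serving the old certificate.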

Update the Send/Receive Connectors

  • The connectors created by HCW pin a certificate by its issuer and subject (TlsCertificateName), so point them at the new certificate. If the renewed certificate has exactly the same issuer and subject as the old one the value does not change, but running the commands is still a cheap check that the names really match:
$cert = Get-ExchangeCertificate -Thumbprint D337A0CE4C49B88F0CDC9A52AE447904C075ADC2

$tlscertificatename = "<I>" + $($cert.Issuer) + "<S>" + $($cert.Subject)

Set-SendConnector "Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24" -TlsCertificateName $tlscertificatename

Set-ReceiveConnector "Default Frontend MS01" -TlsCertificateName $tlscertificatename


  • You may also update the Hybrid object using:
Set-HybridConfiguration -TlsCertificateName $tlscertificatename
Get-HybridConfiguration | fl *tls*


  • Then restart the transport services (MSExchangeTransport and MSExchangeFrontEndTransport) and run iisreset so that SMTP and IIS start using the new certificate.

Remove the old certificate(s)

  • Only remove the old certificate once it is no longer enabled for any service and no connector or hybrid object references it. Leave Exchange's self-signed certificates alone (the ones Get-ExchangeCertificate shows with IsSelfSigned True, such as "Microsoft Exchange" and "Microsoft Exchange Server Auth Certificate"); they are not part of this renewal.
Remove-ExchangeCertificate -Thumbprint EB287621198A3307EC3D5C177733A8491E86C9AD
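As an added example (not code from the wiki page), this script performs the checks a practitioner wants before running the removal: the new certificate must carry the service bindings, the old one must carry none, and no Send/Receive connector or the HybridConfiguration object may still pin the old certificate. It uses the old and new thumbprints from this page; taking the server name from the local machine is an assumption.

```powershell
# Added example, not part of the original wiki page.
# Pre-removal check: refuse to remove the old certificate while anything still depends on it.
# Thumbprints are the ones used on this page; using the local machine name is an assumption.
$oldThumbprint = 'EB287621198A3307EC3D5C177733A8491E86C9AD'
$newThumbprint = 'D337A0CE4C49B88F0CDC9A52AE447904C075ADC2'
$server = $env:COMPUTERNAME

$old = Get-ExchangeCertificate -Server $server -Thumbprint $oldThumbprint -ErrorAction Stop
$new = Get-ExchangeCertificate -Server $server -Thumbprint $newThumbprint -ErrorAction Stop
$oldTlsName = '<I>' + $old.Issuer + '<S>' + $old.Subject
$newTlsName = '<I>' + $new.Issuer + '<S>' + $new.Subject
$problems = @()

# 1. The new certificate must already carry the bindings; the old one must carry none.
if ("$($new.Services)" -eq 'None') { $problems += 'new certificate is not enabled for any service' }
if ("$($old.Services)" -ne 'None') { $problems += "old certificate is still enabled for: $($old.Services)" }

# 2. Connectors and the hybrid object pin a certificate by issuer+subject. If the renewed
#    certificate has the same issuer and subject, old and new are indistinguishable to them,
#    and removing the old one is exactly what leaves the new one as the only match.
if ($oldTlsName -ne $newTlsName) {
    foreach ($c in (Get-SendConnector | Where-Object { "$($_.TlsCertificateName)" -eq $oldTlsName })) {
        $problems += "Send connector '$($c.Name)' still pins the old certificate"
    }
    foreach ($c in (Get-ReceiveConnector -Server $server | Where-Object { "$($_.TlsCertificateName)" -eq $oldTlsName })) {
        $problems += "Receive connector '$($c.Name)' still pins the old certificate"
    }
    $hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue   # absent when not hybrid
    if ($hybrid -and "$($hybrid.TlsCertificateName)" -eq $oldTlsName) {
        $problems += 'HybridConfiguration still references the old certificate'
    }
}

if ($problems.Count -gt 0) {
    Write-Warning "Not removing $oldThumbprint from ${server}:"
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Remove-ExchangeCertificate -Server $server -Thumbprint $oldThumbprint -Confirm:$false
    Write-Host "Removed $oldThumbprint from $server"
}
```

Run it once per server (the Services binding and the Receive connectors are server-specific, the Send connectors and the hybrid object are organization-wide).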


Verify the new certificate

  • After the iisreset, restart the browser, open ECP and verify that the connection now shows the new certificate.


  • Verify the IIS bindings. Open IIS Manager (inetmgr), go to Sites > Default Web Site > Bindings and make sure every https binding on port 443 uses the new certificate.


  • Then verify that the new certificate is being used for SMTP by analyzing the protocol logs of the send connector. Protocol logs are stored under %ExchangeInstallPath%\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend; confirm the path with:
Get-TransportService | Select-Object Name, SendProtocolLogPath
  • If protocol logging is disabled on the connector, enable it first (verbose logging records the certificate the connector presents after STARTTLS):
Set-SendConnector -Identity "Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24" -ProtocolLoggingLevel verbose
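Reading the SmtpSend log by eye works for one session; the following added example (not code from the wiki page) does the check for every TLS session in the log: it parses the CSV records, takes the "Certificate thumbprint" line of each session and compares it with the thumbprint of the new certificate. The log lines in the block are constructed to resemble verbose SmtpSend output (event `*`, the value in the data column, the label in the context column) and include one session that still presented the old certificate so the warning path is exercised; the label strings are assumed to match what verbose logging writes on your version, so adjust them if your log differs.

```powershell
# Added example, not part of the original wiki page.
# Which certificate did the Send connector actually present after STARTTLS?
# Thumbprints are the ones used on this page; the log lines below are CONSTRUCTED samples.
$expectedThumbprint = 'D337A0CE4C49B88F0CDC9A52AE447904C075ADC2'

# On a real server replace this with, for example:
#   $lines = Get-Content (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpSend\SEND*.LOG')
$lines = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2024-05-01T09:58:00.000Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A0,3,10.0.0.5:51990,52.96.0.1:25,>,STARTTLS,
2024-05-01T09:58:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A0,5,10.0.0.5:51990,52.96.0.1:25,*,,Sending certificate
2024-05-01T09:58:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A0,6,10.0.0.5:51990,52.96.0.1:25,*,CN=mail.woodgrovebank.com,Certificate subject
2024-05-01T09:58:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A0,7,10.0.0.5:51990,52.96.0.1:25,*,EB287621198A3307EC3D5C177733A8491E86C9AD,Certificate thumbprint
2024-05-01T10:00:00.000Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A1,3,10.0.0.5:52011,52.96.0.1:25,>,STARTTLS,
2024-05-01T10:00:00.050Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A1,4,10.0.0.5:52011,52.96.0.1:25,<,220 2.0.0 SMTP server ready,
2024-05-01T10:00:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A1,5,10.0.0.5:52011,52.96.0.1:25,*,,Sending certificate
2024-05-01T10:00:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A1,6,10.0.0.5:52011,52.96.0.1:25,*,CN=mail.woodgrovebank.com,Certificate subject
2024-05-01T10:00:00.060Z,Outbound to Office 365 - ca3bd31d-e12a-4bb6-820f-666ca3a9bd24,08DC0000000000A1,7,10.0.0.5:52011,52.96.0.1:25,*,D337A0CE4C49B88F0CDC9A52AE447904C075ADC2,Certificate thumbprint
'@ -split "`r?`n"

# The #Fields header names the columns; the remaining '#' lines are metadata and are skipped.
$fields = 'date-time','connector-id','session-id','sequence-number','local-endpoint','remote-endpoint','event','data','context'
$events = $lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

# One row per session: the thumbprint the connector sent (last one wins if logged twice).
$presented = $events |
    Where-Object { $_.event -eq '*' -and $_.context -eq 'Certificate thumbprint' } |
    Group-Object 'session-id' | ForEach-Object {
        $last = $_.Group | Select-Object -Last 1
        [pscustomobject]@{
            Time       = $last.'date-time'
            Session    = $_.Name
            Connector  = $last.'connector-id'
            Thumbprint = $last.data
            IsNew      = ($last.data -eq $expectedThumbprint)
        }
    }

$presented | Format-Table Time, Session, Thumbprint, IsNew -AutoSize

$stale = @($presented | Where-Object { -not $_.IsNew })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) session(s) still presented a different certificate; check the Services binding and restart the transport services"
} else {
    Write-Host 'All TLS sessions presented the new certificate'
}
```

Sessions logged before the transport service restart are expected to show the old thumbprint; the ones after it must all show the new one, on every server.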


REMEMBER to update the certificate on all the Exchange servers as well as on the load balancer (or reverse proxy) that terminates TLS in front of them.