Renew Exchange Certificate

If you’re an Exchange administrator managing a client’s server, chances are that certificate renewal is something you have to deal with regularly. Unfortunately, as specific software environments change and evolve, renewing certificates can become more complex when approaching new expiration dates or implementing changes.

This blog post explains how to renew an Exchange certificate (or Exchange Zertifikat in German) in 2023 in easy-to-follow steps.

Starting with Exchange Server 2019 CU11, issuing a certificate request using the ECP web interface is no longer possible. The only way to renew an Exchange certificate is by using PowerShell.

However, renewing the Exchange certificate with PowerShell is not tricky. I put together a step-by-step guide.

My certificate authority provider will only issue a certificate for one year, but I paid for three years. If you still have the certificate request file from last year, creating a new one is unnecessary. In that case, you can skip steps 1 and 2.

Step 1

Find the thumbprint of the certificate you need to renew:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
Exchange certificate thumbprint

Step 2

Create a certificate request file and save it on the local drive.

$txtrequest = Get-ExchangeCertificate -Thumbprint 1C002FCFD9F1EFAEB30B288A631BDACD47BA0F47 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('C:\Certs\Cert2023\CertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

Replace the text in blue (the thumbprint and the file path) with your own values.

You should get a CertRenewal.req file at the location specified. Open it with Notepad, and you will see that a block starting with -----BEGIN NEW CERTIFICATE REQUEST----- has been created.

Step 3

Copy the contents to your certificate authority provider. I’m using for my Exchange Server 2019 certificate. As part of the process, you can choose for which web server the certificate should be processed. Choose Windows Server or IIS.

Step 4

The SSL authority provider will request domain verification. Usually, there are two ways: by email or TXT DNS record. It’s up to you what you choose. I like using the email verification process.

I bought a Positive SSL certificate for multiple domains. I received a verification email for each domain. All I had to do was visit the website specified in the verification email and paste the verification code. I bought the certificate for three domains, so I received three emails.

Usually, you cannot choose which email address you want to get the verification email sent to. In my case, some email IDs with the domain were suggested. Normally, these are hostmaster@, webmaster@, or admin@. Since I’m an Exchange administrator, I add the email address to my normal email ID as an alias. A simple solution. 🙂

After completing the verification process, you will receive an email with the certificate as a ZIP file.

Step 5

Copy the ZIP file to the Exchange Server and extract it. It’s time to import the certificate to the certificate store. Type ‘certmgr’ in the Windows search field and start ‘Manage computer certificates’.

Windows certificate store

Right-click ‘Certificates’ under ‘Personal’ and choose ‘All Tasks’, then ‘Import’; the Store Location is ‘Local Machine’. Browse to the location where you saved the extracted certificate and import the file ending in p7b.

The certificate should appear in the right pane. I recommend assigning a ‘friendly name’ to the certificate, but this is optional. Right-click the certificate and select ‘Properties’.

Friendly name for the certificate

Step 6

Bind the new certificate to IIS

Start IIS Manager, select ‘Default Web Site’, and open ‘Bindings’.

IIS – Bind certificate

Step 7 (Last)

Restart IIS and restart the ‘Microsoft Exchange Transport’ service. If you can, it is even better to restart the server.

The new certificate should appear in the Exchange Admin Center (ECP) with the friendly name you have given. All done!
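
To confirm the result of steps 5 to 7 from PowerShell, the following added example (not part of the original post) checks that the renewed certificate sits in the store with its private key, is assigned to IIS, and is the one actually served on port 443. The thumbprint placeholder and the host name mail.example.com are assumptions; replace them with your own values and run it in the Exchange Management Shell.

```powershell
# Added example: post-renewal check for the steps above.
# Both values below are placeholders, not values from the original post.
$NewThumbprint = '<THUMBPRINT-OF-RENEWED-CERTIFICATE>'
$HostName      = 'mail.example.com'

function Get-ServedCertificate {
    param([string]$ComputerName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate: the goal is to inspect what is served, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            # Copy the certificate so it stays usable after the stream is disposed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

$cert   = Get-ExchangeCertificate -Thumbprint $NewThumbprint
$served = Get-ServedCertificate -ComputerName $HostName

$checks = [ordered]@{
    # Without the private key the certificate cannot be used for TLS.
    'Private key present in store'      = [bool]$cert.HasPrivateKey
    'Exchange reports status Valid'     = ("$($cert.Status)" -eq 'Valid')
    'Valid for more than 30 days'       = ($cert.NotAfter -gt (Get-Date).AddDays(30))
    'Assigned to the IIS service'       = ("$($cert.Services)" -match 'IIS')
    'Port 443 serves the renewed cert'  = ($served.Thumbprint -eq $cert.Thumbprint)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"Served certificate expires: $($served.NotAfter)"
```

If a load balancer or reverse proxy terminates TLS in front of Exchange, the last check compares against the certificate on that device, so run the probe against the server's own name or address instead.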

Many Exchange tasks are performed today with PowerShell. The web UI (ECP) is only for simple tasks like creating or modifying a user mailbox. See also my separate article about giving mailbox permission using PowerShell. It is much easier than visiting the user’s desk and doing it manually in Outlook.


Before you go …

If you’ve just updated your Exchange certificate as detailed in the renew Exchange certificate post, it might be a good time to consider putting your Exchange Server into maintenance mode. This precaution can help you avoid service disruptions and ensure all systems are running smoothly. Check out how to do this effectively in the Exchange Server in maintenance mode guide. This follow-up read is particularly useful for maintaining optimal server performance and security post-update.
