A step-by-step Guide on how to renew an Exchange certificate in 7 steps

If you’re an Exchange administrator managing a client’s server, chances are that certificate renewal is something you have to deal with regularly. Unfortunately, as specific software environments change and evolve, renewing certificates can become more complex when approaching new expiration dates or implementing changes.
In this blog post, we're going to explore how to renew an Exchange certificate in 2023 in easy-to-follow steps.
Starting with Exchange Server 2019 CU11, issuing a certificate request using the ECP web interface is no longer possible. The only way to renew an Exchange certificate is by using PowerShell.
‘Please use cmdlets for renewing certificate.’ is the text in the ECP
However, renewing the Exchange certificate with PowerShell is not difficult. I put together a step-by-step guide.
My certificate authority provider, ssls.com, will only issue a certificate for one year, but I paid for three years. If you still have the certificate request file from last year, there is no need to create a new one. In that case, you can skip steps 1 and 2.
Step 1
Find the thumbprint of the certificate you need to renew:
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

Step 2
Create a certificate request file and save it on the local drive.
$txtrequest = Get-ExchangeCertificate -Thumbprint 1C002FCFD9F1EFAEB30B288A631BDACD47BA0F47 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('C:\Certs\Cert2023\CertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))
Replace the text in blue (the thumbprint and the file path) with your own values.
You should get a CertRenewal.req file at the location specified. Open it with Notepad, and you will see that a ***begin new certificate request*** block has been created.
Step 3
Copy the contents to your certificate authority provider. I’m using ssls.com for my Exchange Server 2019 certificate. As part of the process, you can choose for which web server the certificate should be processed. Choose Windows Server or IIS.
Step 4
The SSL authority provider will request domain verification. Usually, there are two ways, by email or by TXT DNS record. It’s up to you what you choose. I like using the email verification process.
I bought a Positive SSL certificate for multiple domains. I received for each domain a verification email. All I had to do was to visit the website specified in the verification email and paste the verification code. I bought the certificate for three domains, so I received three emails.
Usually, you cannot choose to which email address you want to get the verification email sent. In my case, some email IDs with the domain were suggested. Normally, there are hostmaster@, webmaster@, or admin@. Since I’m an Exchange administrator, I add the email address to my normal email ID as an alias. A simple solution.
After completing the verification process, you will receive an email with the certificate as a ZIP file.
Step 5
Copy the ZIP file to the Exchange Server and extract it. It’s time to import the certificate to the certificate store. Type ‘certmgr’ in the Windows search field and start ‘Manage computer certificates’.

Right-click Certificates under Personal, click ‘All Tasks’, then ‘Import’; the Store Location is ‘Local Machine’. Browse to the location where you saved the extracted certificate and import the file ending in p7b.
The certificate should appear in the right pane. I recommend assigning a ‘friendly name’ to the certificate, but this is optional. To do so, right-click the certificate and choose Properties.

Step 6
Bind the new certificate to IIS.
Start IIS Manager, select ‘Default Web Site’, then Bindings.

Step 7 (Last)
Restart IIS and also restart the ‘Microsoft Exchange Transport’ service. If you can, it is even better to restart the server.
The new certificate should appear in the Exchange Admin Center (ECP) with the friendly name you have given. All done!
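To confirm the renewal took effect rather than relying on the ECP list alone, the following check compares what Exchange reports with the certificate actually served on port 443. It is an added example, not part of the original guide; the host name `mail.example.com`, the 30-day threshold and the helper `Get-ServedCertificate` are assumptions.

```powershell
# Added example: post-renewal check, run in the Exchange Management Shell on the server.
$HostName = 'mail.example.com'   # placeholder: the name clients use to reach the server
$WarnDays = 30                   # assumed warning threshold

# 1. What Exchange reports: CA-issued certificates, private key, services, days left.
$certs = Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned }
$certs | Sort-Object NotAfter |
    Select-Object FriendlyName, Thumbprint, Status, HasPrivateKey, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# 2. What clients are actually served on port 443 (the IIS binding from Step 6).
function Get-ServedCertificate {
    param([string]$Name, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Name, $Port)
    try {
        # The callback accepts any certificate: the goal is to read it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

$served = Get-ServedCertificate -Name $HostName
$match  = $certs | Where-Object { $_.Thumbprint -eq $served.Thumbprint }

# 3. Flag the usual renewal failures.
foreach ($c in $certs | Where-Object { -not $_.HasPrivateKey }) {
    # A certificate without its private key cannot be used for TLS.
    Write-Warning "Certificate $($c.Thumbprint) is in the store without a private key."
}
if (-not $match) {
    Write-Warning "Port 443 serves $($served.Thumbprint), which is not a CA-issued Exchange certificate."
}
else {
    if ("$($match.Services)" -notmatch 'SMTP') {
        Write-Warning 'The certificate served by IIS is not enabled for SMTP.'
    }
    if ($match.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        Write-Warning "Served certificate expires $($match.NotAfter); the old one may still be bound."
    }
}
```

No warnings and a `DaysLeft` value close to the new validity period mean the renewed certificate is the one clients receive.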
Many Exchange tasks are performed today with PowerShell. The web UI (ECP) is only for simple tasks like creating or modifying a user mailbox. See also my separate article about giving mailbox permission using PowerShell. It is much easier than visiting the user’s desk and doing it manually in Outlook.
Conclusion
In conclusion, renewing an Exchange certificate in 2023 is an essential and often overlooked task. Exchange administrators must take the necessary steps to ensure a successful renewal process. By following the step-by-step guide provided above, Exchange administrators will be better equipped to handle the complexities of this task. With proper preparation and diligence, administrators can rest assured that their certificates will stay valid and up-to-date.
To renew an Exchange certificate with PowerShell is not a big deal and usually doesn’t take longer than 30 minutes.
Did you like this step-by-step guide? Please let me know in the comment section below or contact me by email.
Hi,
Just tried to follow this on my Exchange server, 2019 CU12.
It does not work.
Steps 1 & 2 are fine and you get pending appear in EAC, although you need a lot of the parts are missing from CSR for ppl like SSL Dragon: CN, ON, CN etc.
You can't import the cert using certmgr / IIS Manager.
It has to be done with Exchange shell.