A step-by-step Guide on how to renew an Exchange certificate in 7 steps



If you’re an Exchange administrator managing a client’s server, chances are that certificate renewal is something you have to deal with regularly. Unfortunately, as specific software environments change and evolve, renewing certificates can become more complex when approaching new expiration dates or implementing changes.

In this blog post, we’re going to explore how to renew an Exchange certificate in 2023 in easy-to-follow steps.

Starting with Exchange Server 2019 CU11, issuing a certificate request using the ECP web interface is no longer possible. The only way to renew an Exchange certificate is by using PowerShell.

The ECP now shows the text ‘Please use cmdlets for renewing certificate.’


However, renewing the Exchange certificate with PowerShell is not difficult. I put together a step-by-step guide.

My certificate authority provider, ssls.com, will only issue a certificate for one year, but I paid for three years. If you still have the certificate request file from last year, there is no need to create a new one. In that case, you can skip steps 1 and 2.


Step 1

Find the thumbprint of the certificate you need to renew.

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

Step 2

Create a certificate request file and save it on the local drive.

$txtrequest = Get-ExchangeCertificate -Thumbprint 1C002FCFD9F1EFAEB30B288A631BDACD47BA0F47 | New-ExchangeCertificate -GenerateRequest
[System.IO.File]::WriteAllBytes('C:\Certs\Cert2023\CertRenewal.req', [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

Replace the text in blue.

You should get a CertRenewal.req file at the location specified. Open it with Notepad, and you will see that a block starting with -----BEGIN NEW CERTIFICATE REQUEST----- has been created.


Step 3

Copy the contents to your certificate authority provider. I’m using ssls.com for my Exchange Server 2019 certificate. As part of the process, you can choose for which web server the certificate should be processed. Choose Windows Server or IIS.


Step 4

The SSL authority provider will request domain verification. Usually, there are two ways, by email or by TXT DNS record. It’s up to you what you choose. I like using the email verification process.

I bought a Positive SSL certificate for multiple domains. I received a verification email for each domain. All I had to do was visit the website specified in the verification email and paste the verification code. I bought the certificate for three domains, so I received three emails.

Usually, you cannot choose to which email address you want to get the verification email sent. In my case, some email IDs with the domain were suggested. Normally, there are hostmaster@, webmaster@, or admin@. Since I’m an Exchange administrator, I add the email address to my normal email ID as an alias. A simple solution. 🙂

After completing the verification process, you will receive an email with the certificate as a ZIP file.



Step 5

Copy the ZIP file to the Exchange Server and extract it. It’s time to import the certificate to the certificate store. Type ‘certmgr’ in the Windows search field and start ‘Manage computer certificates’.


Right-click ‘Certificates’ under ‘Personal’ and choose ‘All Tasks’, then ‘Import’; the Store Location is ‘Local Machine’. Browse to the location where you saved the extracted certificate and import the file ending in .p7b.

The certificate should appear in the right pane. I recommend assigning a ‘friendly name’ to the certificate, but this is optional. To do so, right-click the certificate and select Properties.


Step 6

Bind the new certificate to IIS.

Start IIS Manager, select ‘Default Web Site’, then ‘Bindings’.


Step 7 (Last)

Restart IIS and also restart the ‘Microsoft Exchange Transport’ service. If you can, it is even better to restart the server.

The new certificate should appear in the Exchange Admin Center (ECP) with the friendly name you have given. All done!
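
Steps 5 to 7 can also be carried out from the Exchange Management Shell, where the import completes the pending request from step 2 and so pairs the CA's response with its private key. The script below is an added example, not part of the original guide; the file name and the IIS and SMTP service list are assumptions to adjust to your server.

```powershell
# Added example: run in the Exchange Management Shell on the server
# that created the certificate request in step 2.
$certFile = 'C:\Certs\Cert2023\certificate.p7b'   # assumed name of the file from the CA's ZIP

# Record which services the expiring certificate is bound to, for comparison afterwards.
Get-ExchangeCertificate |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.IsSelfSigned } |
    Format-Table Thumbprint, Services, NotAfter -AutoSize

# Import the CA response. Filter the result in case the .p7b also yields chain certificates.
$imported = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($certFile))

# Only the renewed server certificate is paired with the private key of the pending request.
$candidates = @($imported | Where-Object { $_.HasPrivateKey })
if ($candidates.Count -ne 1) {
    throw "Expected exactly one imported certificate with a private key, found $($candidates.Count)."
}

# Re-read the certificate from Exchange and check it before binding anything to it.
$new = Get-ExchangeCertificate -Thumbprint $candidates[0].Thumbprint
if ($new.Status -ne 'Valid') {
    throw "Certificate $($new.Thumbprint) has status $($new.Status), not Valid."
}
if ($new.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($new.Thumbprint) expires on $($new.NotAfter); wrong file imported?"
}

# Bind the certificate to the services (assumed list; match what the old certificate used).
# Exchange asks for confirmation before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP

# Step 7 of the guide: restart IIS and the transport service.
iisreset
Restart-Service MSExchangeTransport

# Confirm the result: domains, bound services and the new expiry date.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotBefore, NotAfter
```

If the private-key check fails, the response was imported on a server that does not hold the pending request, and nothing has been bound at that point.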

Many Exchange tasks are performed today with PowerShell. The ECP web UI is only for simple tasks like creating or modifying a user mailbox. See also my separate article about giving mailbox permission using PowerShell. It is much easier than visiting the user’s desk and doing it manually in Outlook.


Conclusion

In conclusion, renewing an Exchange certificate in 2023 is an essential and often overlooked task. Exchange administrators must take the necessary steps to ensure a successful renewal process. By following the step-by-step guide provided above, Exchange administrators will be better equipped to handle the complexities of this task. With proper preparation and diligence, administrators can rest assured that their certificates will stay valid and up-to-date.

Renewing an Exchange certificate with PowerShell is not a big deal and usually doesn’t take longer than 30 minutes.

Did you like this step-by-step guide? Please let me know in the comment section below or contact me by email.


One Comment

  1. Hi,
    just tried to follow this on my Exchange server, 2019 CU12.
    It does not work.
    Steps 1 & 2 are fine and you get pending appear in EAC, although you need a lot of the parts are missing from CSR for ppl like SSL Dragon. CN, ON, CN etc.
    You can't import the cert using certmgr / IIS Manager.
    It has to be done with Exchange shell.
