Exchange Geek's Weblog


How to renew a self signed certificate in Exchange Server 2007

Posted by Milind Naphade on 24/04/2009

When a new Exchange Server 2007 role is installed on a computer, the server automatically generates a self-signed certificate to be used with services like transport (SMTP), POP, IIS (OWA and Exchange Web Services) and IMAP. This certificate expires one year from the date the server was installed or the certificate was reassigned manually. You can check the status of the certificate from the Exchange Management Shell: running the cmdlet Get-ExchangeCertificate | FL displays all relevant information about every certificate assigned to or enabled for Exchange services, whether or not a service is currently using it.


You may see more than one certificate listed on your Exchange server(s); that is usually because you or someone else from your team has already worked with certificates on the server.

In the screenshot (the output of Get-ExchangeCertificate | FL), you will notice that the certificate I have on my server is valid until 24th March 2010. NotAfter holds the value in mm/dd/yyyy h:mm:ss format and means that this certificate will not be valid after the timestamp listed in this field. On the other hand, NotBefore means that this certificate will not be valid before the timestamp mentioned.

Once the date listed in NotAfter has passed, the certificate becomes invalid and can open the door to many other troubles, such as failed connectivity to web services, SMTP transport, POP and IMAP retrieval, etc. To renew the certificate you can simply run a cmdlet and get a new self-signed certificate. But it is not quite as simple as running one cmdlet and getting a new certificate; there is a procedure to follow. Check the following steps:

1. Run Get-ExchangeCertificate | FL. This lists the details of all certificates that you have assigned to Exchange services. Please understand that this cmdlet does not retrieve information about any other certificate in the local certificate store that is not used by Exchange. Once the output is printed on the screen, note down the Thumbprint of the certificate in Notepad.

2. Run Get-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63" | New-ExchangeCertificate. This renews the certificate. The moment you press Enter you may be prompted to confirm whether you want to use the same certificate for the SMTP service.


3. Check that the certificate has been renewed. This can be examined simply by looking at the change in the certificate's thumbprint after running the cmdlet in step 2. You can see the changed thumbprint in the picture below.


4. Looking closely at the picture above, you will also notice that the certificate is no longer used to secure IIS-based services, even though the NotAfter and NotBefore dates have changed. To enable the renewed certificate for IIS as well, run Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS

5. Verify that all services are working correctly after renewing and enabling the certificate.

6. Remove the old certificate by running Remove-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63"
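The six steps above as one script, written as an added example that is not part of the original post: it finds the self-signed certificates Exchange is using that expire within a window, renews each one, re-enables the same services on the new certificate (IIS included, which step 4 shows is otherwise dropped), and removes the old certificate only when asked on a later run. It assumes New-ExchangeCertificate emits the new certificate object when used as in step 2; the -DaysBeforeExpiry and -RemoveOld parameters are my own.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
# Assumes New-ExchangeCertificate emits the new certificate object when run this way.
param(
    [int]$DaysBeforeExpiry = 30,   # renew anything expiring within this window
    [switch]$RemoveOld             # second pass: remove old certs after verification
)

$cutoff = (Get-Date).AddDays($DaysBeforeExpiry)

# Step 1: only certificates Exchange knows about are returned; pick the self-signed
# ones whose NotAfter falls inside the renewal window (or is already in the past).
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -and $_.NotAfter -le $cutoff
}
if (-not $expiring) {
    Write-Host "No self-signed Exchange certificate expires before $cutoff"
    return
}

foreach ($old in $expiring) {
    # Step 4 of the post shows IIS is not carried over, so record every service the
    # old certificate secured before renewing it.
    $oldServices = $old.Services.ToString()
    Write-Host ("Renewing {0}: NotAfter {1}, services {2}" -f $old.Thumbprint, $old.NotAfter, $oldServices)

    # Step 2: clone the old certificate's subject and domains into a new self-signed one.
    # You will be prompted before the default SMTP certificate is overwritten.
    $new = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate

    # Step 3: prove that a different, later-expiring certificate now exists.
    $check = $null
    if ($new) { $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint }
    if (-not $check -or $check.Thumbprint -eq $old.Thumbprint -or $check.NotAfter -le $old.NotAfter) {
        Write-Warning "Could not verify renewal of $($old.Thumbprint); old certificate left in place"
        continue
    }

    # Step 4: enable the new certificate for the same services, IIS included.
    if ($oldServices -ne 'None') {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $oldServices
    }
    Write-Host ("New certificate {0} valid until {1}" -f $new.Thumbprint, $check.NotAfter)
    # Steps 5 and 6: remove the old certificate only on a later run, after the
    # services have been checked, by passing -RemoveOld.
    if ($RemoveOld) {
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
    }
}
```

Run it once without -RemoveOld, check the services as in step 5, then run it again with -RemoveOld to clean up the expired certificates.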


12 Responses to “How to renew a self signed certificate in Exchange Server 2007”


  2. Jack said

    Steps are shown very clearly.
    Thank you very much. It was very useful. I updated my self-signed SSL very easily.


  3. Ash said

    That's pretty much it; all you missed is that under services you need IIS, SMTP, POP, IMAP.

  4. Thank you for your valuable comment Ash. If you look at the last screenshot the services are already there, and the last paragraph also explained that IIS is missing because we have overwritten the existing certificate and it needed to be assigned manually.

  5. giangvh said

    Thanks for your interesting post, but something was not clear in my case. I have 3 CAS, 3 Hub Transports and 1 Edge Transport. All of them were installed on separate servers and use self-signed certificates. Can you tell me what important things I have to consider when renewing those certificates? Can you guide me step by step to renew the certificate for Hub, Edge, CAS?
    Thank you so much

  6. Hello,
    This procedure is for renewing the certificates on any server role. As far as renewing the self-signed certificates is concerned, you can follow this blog post; that's pretty much it.

  7. giangvh said

    I agree with all the steps to renew the cert on Hub and CAS, but if you renew the self-signed certificate on Edge Transport you have to do some additional steps:
    – after renewing the self-signed certificate on Edge you have to re-subscribe Edge sync as follows:
    + New-EdgeSubscription -FileName "C:\subscription.xml"
    + copy this file to the Hub Transport
    + Organization Configuration > Hub Transport > Create New Edge Subscription -> browse to this file
    + Test-EdgeSynchronization
    – everything is OK if the result of the test command was success

  8. Altaf said

    Pretty good step-by-step guide.

    Now I am stuck on one problem. If I search in Exchange Server 2007 for the updated certificate file, I can only see the old certificate file. How do I get it? Do I need to generate the file?

  9. Hi Altaf,

    I am glad that the guide was helpful to you. Do you see the new certificate after you run the Get-ExchangeCertificate command in PowerShell?

  10. Mottl Gregor said

    How could I make a cert with an exportable private key?

    Get-ExchangeCertificate -Thumbprint "58C846DEEA2865CA9E6DD4B42329A9AC994EBF63" | New-ExchangeCertificate -PrivateKeyExportable $True

    Would this work?


  11. @Mottl, please refer to the article on how to export the certificate. The Exchange self-signed certificate is already marked with the private key exportable, so by extension you don't need to use -PrivateKeyExportable during the certificate renewal. Also, when you renew the certificate using the above steps, all properties and extended properties are renewed based on the information from the previous certificate. I hope that helps.
