Need to replace expired Self Assigned Certificate
I need to replace or renew an expired self assigned cert on an exchange server..... I believe that I will also need to export the cert and the private key to import it into the Trusted Root Certification Authorities of this as well as another Exchange server. I just want to verify what I am thinking is correct as well as the procedure.
To get the thumbprint of the expired certificate
Get-ExchangeCertificate | FL
To create a new certificate with exportable private key
Get-ExchangeCertificate -thumbprint thumbprint | New-ExchangeCertificate -PrivateKeyExportable $true
Overwrite existing default SMTP certificate - y
To enable IIS service on the new certification
Enable-ExchangeCertificate -thumbprint thumbprint -services IIS
If I understand the process, these steps should create and activate the new certificate which will be present on the local exchange server under the Console Root > Certificates (Local Computer) > Certificates > Personal > Certificates. I would still need to export the certificate to file and import it into the Trusted Root Certification Authorities on both local and remote servers. I would also need to remove the expired certs from all locations on both servers.
Am I on the right track here?
August 6th, 2012 1:38pm
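Before removing expired certificates "from all locations", it helps to see what each store actually holds. A read-only inventory of self-signed certificates in the Personal and Trusted Root stores follows, as an added example that is not part of the original post; the function name, the `CN=EXCH*` subject filter and the 30-day warning threshold are assumptions.

```powershell
# Added example, not from the thread. Read-only: it lists certificates and
# changes nothing. Uses only the built-in certificate provider (Cert: drive).
function Get-SelfSignedCertReport {
    param(
        # 'My' = Personal, 'Root' = Trusted Root Certification Authorities
        [string[]]$Store = @('My', 'Root'),
        # Wildcard on the subject; 'CN=EXCH*' below is a placeholder value
        [string]$SubjectLike = '*',
        # Assumed threshold for flagging certificates that are about to expire
        [int]$WarnDays = 30
    )
    $now = Get-Date
    # Thumbprints currently trusted as roots on this machine
    $rootThumbs = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
                    ForEach-Object { $_.Thumbprint })

    foreach ($name in $Store) {
        Get-ChildItem -Path "Cert:\LocalMachine\$name" |
            # Self-signed: subject and issuer are the same name
            Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like $SubjectLike } |
            Select-Object @{Name='Store'; Expression={ $name }},
                Subject, Thumbprint, NotAfter,
                @{Name='DaysLeft'; Expression={
                    [int][math]::Floor(($_.NotAfter - $now).TotalDays) }},
                @{Name='Status'; Expression={
                    if ($_.NotAfter -lt $now) { 'EXPIRED' }
                    elseif ($_.NotAfter -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
                    else { 'OK' } }},
                HasPrivateKey,
                @{Name='InRootStore'; Expression={ $rootThumbs -contains $_.Thumbprint }}
    }
}

# Run on each server before and after the renewal and compare thumbprints.
Get-SelfSignedCertReport -SubjectLike 'CN=EXCH*' |
    Sort-Object Store, NotAfter |
    Format-Table -AutoSize
```

Rows with Status EXPIRED are the cleanup candidates; a HasPrivateKey value of True on a row in the Root store shows that the private key was imported along with the certificate.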
Yup that is fine, you can also renew by doing get-exchangecertificate |new-exchangecertificate or you can just do your method. However if you do this method and you didn't set the original cert as exportable then just go ahead and do your method. Yes you will have to import it into the trusted root store of the other servers.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
August 6th, 2012 5:57pm
If you see the Event ID 12015 on the Exchange server, please also refer to following Technet article:
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Exchange&ProdVer=8.0&EvtID=12015&EvtSrc=MSExchangeTransport&LCID=1033
Frank Wang
TechNet Community Support
August 7th, 2012 4:52am
Checking syntax for export and import:
Export Certificate?
Export-ExchangeCertificate -Thumbprint thumbprint -Path c:\certificates\mycert.pfx
Import Certificate - on all Exchange Servers?
Import-ExchangeCertificate -Path c:\certificates\mycert.pfx
Anything else I need to be aware of?
just another Steve
August 7th, 2012 12:04pm
Hi Steve,
Please see the "User Action" section in the link I provided:
If this warning occurred on a Hub Transport server, you must create the internal transport certificate on the Hub Transport server where the warning occurred. After you have created the certificate, restart the Microsoft Exchange EdgeSync service to update the certificate information on the Edge Transport servers that are subscribed to the organization.
If this warning occurred on an Edge Transport server, you must create the internal transport certificate on the Edge Transport server where the warning occurred. After you have created the certificate, resubscribe the Edge Transport server to the Exchange organization to update the certificate information in Active Directory.
If you are not running the Microsoft Exchange EdgeSync service, you must manually update the certificate.
Frank Wang
TechNet Community Support
August 7th, 2012 9:26pm
Checking syntax for export and import:
Export Certificate?
Export-ExchangeCertificate -Thumbprint thumbprint -Path c:\certificates\mycert.pfx
Import Certificate - on all Exchange Servers?
Import-ExchangeCertificate -Path c:\certificates\mycert.pfx
Anything else I need to be aware of?
just another Steve
I can't come up with any good reason to export the Self-Signed Certificate on one server and try to import it on another.
What are you trying to accomplish here?
Martina Miskovic
August 8th, 2012 1:11am
Hi Frank,
I'm not seeing the Event ID 12015 on either of the Exchange servers. The Microsoft Exchange EdgeSync service is running on both servers.....
just another Steve
August 8th, 2012 9:28am