SSL certificate just expired on Friday & I wasn't around...

Renewing SSL - I've renewed with the provider. Waiting for it to change From Expired status

just want to make sure I do update correctly

I've logged into ECP & my Cert is showing Expired

it also shows RENEW - do I simply click Renew to get a new CSR- does that base the cert of domain & services previously selected

or do I have to select services & domain names just like a new

Hi Chris,

as far as I know, renew is only when cert is not expired.

If you received the new certificate from your provider, then you can import it using ECP (... butoon on certificate page).

Then you will have to assign services to the new certificate.

Looking at godaddy's site there is no mention of Renewal

So I guess I need to Genereate a new CSR first domain names & Services ie. for a new cert

GoDaddy should have a place where you can renew the certificate. Perhaps you need to pay first then you get the option or you can call them - their technical support is very good and generally they resolve things within a few minutes while you are on the call. 

When they renew it, you have a few days where the two certificates will continue to work (the old and new) unless the old on expired already (in your case). On your GoDaddy SSL portal, you can download the new certificate and you need to import into the MMC certificate snapin on your CAS server. More info here: https://technet.microsoft.com/en-us/library/cc754489.aspx. Once done, ensure that you have the private key for the certificate (double click and you will see a key icon if you do and it'll say that you have the private key). If not, then you need to repair the certificate and you can do this by running: certutil -repairstore my "<Serial Number of certificate>".

Once done, use

Get-ExchangeCertificate | Fl

to find the thumbprint of the certificate you just imported then use 

Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxx -Services IIS,SMTP

to tell Exchange to use the new certificate for OWA, ActiveSync, SMTP/TLS etc. More info here: https://technet.microsoft.com/en-us/library/aa997231(v=exchg.150).aspx 

Once done, you can confirm the new certificate is in use by opening OWA and checking that errors are gone and also click the padlock in IE and confirm that the end date is as you expect.

Let me know if this answers your question. 

Thanks.

With GoDaddy I always create a new CSR. I never do a renew as I have seen problems with that not applying correctly.

The GoDaddy system will renew using the previous CSR, that isn't going to work because the pending request on your server is removed once the certificate is created, so you will need to get a new CSR anyway.

While the process posted above by Mark does work - it is rather a long way of doing it.

Unless you need to install the new intermediate certificates, just use the wizards in Exchange to install and enable the certificate. I haven't used EMS for this process since Exchange 2007 days.

Simon.

Agreed with Simon. You can do either GoDaddy renewal with the certutil repairstore command to re-attach the private key or generate a new CSR from GoDaddy then import into Exchange. You can either use PowerShell or EAC to generate the CSR. I prefer PowerShell because I have a record of all the commands I need and just script a lot of the work I do but if you prefer EAC then see here: https://www.digicert.com/csr-creation-microsoft-exchange-2013.htm.

Thanks for the useful info Simon.

Hi,

According to your description, it is a third party certificate requested from Godaddy.

You need to generate a new Certificate Signing Request to renew the certificate.

After receiving the cert, you need to install with the Import-ExchangeCertificate cmdlet.

Then Use Enable-ExchangeCertificate to assign services to the certificate.

More detailed information about renewing certificate, you can have a look at the below link:

http://social.technet.microsoft.com/wiki/contents/articles/28809.steps-to-perform-ssl-certificate-renewal-in-exchange-20102013.aspx

Regards,

David

• Proposed as answer by David Wang_Microsoft contingent staff, Moderator 5 hours 10 minutes ago

Hi,

According to your description, it is a third party certificate requested from Godaddy.

You need to generate a new Certificate Signing Request to renew the certificate.

After receiving the cert, you need to install with the Import-ExchangeCertificate cmdlet.

Then Use Enable-ExchangeCertificate to assign services to the certificate.

More detailed information about renewing certificate, you can have a look at the below link:

http://social.technet.microsoft.com/wiki/contents/articles/28809.steps-to-perform-ssl-certificate-renewal-in-exchange-20102013.aspx

Regards,

David

• Proposed as answer by David Wang_Microsoft contingent staff, Moderator Wednesday, September 09, 2015 2:14 AM

Hi,

According to your description, it is a third party certificate requested from Godaddy.

You need to generate a new Certificate Signing Request to renew the certificate.

After receiving the cert, you need to install with the Import-ExchangeCertificate cmdlet.

Then Use Enable-ExchangeCertificate to assign services to the certificate.

More detailed information about renewing certificate, you can have a look at the below link:

http://social.technet.microsoft.com/wiki/contents/articles/28809.steps-to-perform-ssl-certificate-renewal-in-exchange-20102013.aspx

Regards,

David

• Proposed as answer by David Wang_Microsoft contingent staff, Moderator Wednesday, September 09, 2015 2:14 AM

Hi,

How about the issue?

Please mark as helpful if you find any contribution useful or as an answer.

Regards,

David