Exchange 2010 Certificate Renewal

  • Question

  • Hi, Guys.

    I need your assistance on how to renew the certificate on an Exchange Server 2010 if it is about to expire.

    What is the process/procedure? Would there be any outage while doing that? What is the possible impact of this on the clients? Please advise.

    Your input is much appreciated here.

    Thank you.

    BR,

    Irwin

    Friday, May 1, 2015 7:54 AM

Answers

  • Hi IrwinBats

    Based on my knowledge, renewing an Exchange certificate has no influence on the clients when taking the correct steps.

    You could use the EMC to renew an Exchange certificate before the due date of the certificate. Please take the following steps.

    1. In the console tree, click Server Configuration.

    2. Select the server that contains the certificate, and then select the certificate you want to renew.

    3. In the action pane, click Renew Exchange Certificate. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate.

    4. When you click Assign, the Progress page will confirm your selections and try to renew the certificate. Make sure that you select at least the same services that you had in the previous certificate and finish the wizard.

    5. Click Yes to overwrite the existing certificate with the renewed certificate.

    In addition, if you don’t need the expired certificate, use the following commands to remove the old certificate:

    1. Run Get-ExchangeCertificate to list all the certificates.

    2. Find the thumbnail for the certificate you want to remove.

    3. Use Remove-ExchangeCertificate to remove the expired certificate.

    Hope it’s helpful to you.

    Best Regards,

    David


    Tuesday, May 5, 2015 3:04 AM

All replies

  • Hi IrwinBats,

    Here's the official documentation for renewing a certificate in Exchange 2010, along with step-by-step instructions. Please let us know if this helps:

    https://technet.microsoft.com/en-GB/library/ee332322(v=exchg.141).aspx

    If done correctly, the users shouldn't notice any outage.


    Best regards,

    Please remember to mark the replies as helpful if they help, or as answers if they answer your question. Please also unmark the answers if they provide no help.

    Zach Roberts
    Independent Microsoft Community Support Advisor
    Disclaimer: I don't work for Microsoft. Any advice given is my own and does not represent Microsoft.

    Follow me on Twitter: @WindowsZach

    Friday, May 1, 2015 8:36 AM
  • I'll add to Zach's comment - you need to be sure you complete this work before the certificate expires, so you don't need to worry about last minute testing.  Also, for what it's worth, here's the documentation in en-US:  https://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx  I believe it's also available in other languages, if necessary.

    Friday, May 1, 2015 1:18 PM
  • Hi, Zach / Will. Good Day! Thank you for your reply and information. However, what I want is a comprehensive process together with the potential risk with it if not done properly. Ensuring that by doing this, it doesn't create any outage on the clients. Further, what are the requirements to complete the task? Where do the certificate request and the actual certificate itself come into play? When to assign services to the renewed certificate? Is it okay not to remove the old, existing certificate if the renewed certificate is already in place as well? Does this create conflict between the two because they co-exist? Please advise. Thank you. BR, Irwin
    Saturday, May 2, 2015 4:32 AM
  • The complete process and full list of requirements are in the links we sent.  In fact, the answers to most of your questions are outlined in that document.  The risk is that if you don't do this before the cert expires, your Exchange system will be inaccessible unless your users manually trust the expired cert each time they open their client.  If you don't wish to have an outage, you will need to remove your CASs individually from your load balancer and deploy the certificate to these (making sure to assign protocols to it and that they are removed from the old).  Once you have more than half updated, you will swap these for the ones still on the load balancer and deploy the certificate to the remaining ones.  Once done, place these back in the load balancer and your work is done.

    Once the new certificate is deployed and supporting all protocols, yes, you can safely delete the old certificate from the systems.  There won't be a conflict, though, since no protocols are assigned to the old certificate anymore.

    Monday, May 4, 2015 12:06 PM
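
The clean-up discussed in the replies above (list the certificates, confirm the renewed one carries the services, then remove the old one), written out for the Exchange Management Shell as an added example that is not part of any poster's reply or of Microsoft's documentation. The two thumbprints are placeholders and the 30-day expiry margin is an assumption.

```powershell
# Added example: run on each CAS in the Exchange 2010 Management Shell.
# Placeholders: copy the real thumbprints from the listing in step 1.
$Server        = $env:COMPUTERNAME
$OldThumbprint = '<OLD-CERT-THUMBPRINT>'
$NewThumbprint = '<NEW-CERT-THUMBPRINT>'

# 1. List every certificate with its expiry date and assigned services.
Get-ExchangeCertificate -Server $Server | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter, Services, Status -AutoSize

$old = Get-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint
$new = Get-ExchangeCertificate -Server $Server -Thumbprint $NewThumbprint

# 2. The renewed certificate must be valid and not itself close to expiry
#    (30 days is an assumed margin, adjust to your policy).
if ($new.Status.ToString() -ne 'Valid' -or $new.NotAfter -le (Get-Date).AddDays(30)) {
    throw "Renewed certificate is not usable: Status=$($new.Status), NotAfter=$($new.NotAfter)"
}

# 3. Every host name on the old certificate should also be on the new one;
#    a missing name means certificate warnings for clients using that name.
$newNames = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = @($old.CertificateDomains | ForEach-Object { $_.ToString() } |
              Where-Object { $newNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "New certificate lacks these names: $($missing -join ', ')"
}

# 4. Compare services by name (works on the deserialized objects that the
#    remote management shell returns). Stop if the old certificate still
#    carries a service that the new one does not.
$oldSvc = @($old.Services.ToString() -split ',\s*' | Where-Object { $_ -ne 'None' })
$newSvc = @($new.Services.ToString() -split ',\s*')
$notMoved = @($oldSvc | Where-Object { $newSvc -notcontains $_ })
if ($notMoved.Count -gt 0) {
    throw "Assign these services to the new certificate first: $($notMoved -join ', ')"
}

# 5. Dry run: show what would be removed without removing it.
Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint -WhatIf

# 6. Once the dry run names the certificate you expect, remove it for real:
# Remove-ExchangeCertificate -Server $Server -Thumbprint $OldThumbprint -Confirm
```

If step 4 stops the script, assign the listed services with Enable-ExchangeCertificate -Thumbprint ... -Services ... and run the check again before removing anything.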