Self-signed certificates "Microsoft Exchange" and "Microsoft Exchange Server Auth Certificates" have expired

  • Question

  • Good day!
    I have a Mailbox server EX02 (Exchange 2013) and a CAS server EX03 (Exchange 2013) and an old Mailbox server EX01 (Exchange 2007).
    On servers EX02 (Exchange 2013) and EX03 (Exchange 2013), the self-signed certificates "Microsoft Exchange" and "Microsoft Exchange Server Auth Certificates" have expired.
    From the EAC management console (GUI), under Servers / Certificates, I performed Renew for each certificate for the EX02 and EX03 servers. After that, the certificates were successfully extended for 5 years.
    Are these operations sufficient for the mail servers to work?
    Do I need to perform any other actions on the servers or clients with these new certificates?
    Monday, July 20, 2020 10:25 PM

Answers

  • No that is not sufficient.

    For the "Microsoft Exchange" cert see this for steps required after renewing it:

    https://ehloergosum.com/2020/01/25/renewing-that-pesky-microsoft-exchange-certificate/

    For the "Microsoft Exchange Server Auth Certificate" see:

    https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html

    • Marked as answer by KPN_ Tuesday, July 28, 2020 9:58 AM
    Friday, July 24, 2020 8:52 PM

All replies

  • Hi,

    Yes, your steps are right to renew the self-signed certificate, as the official document gives the guidance below:

    Renew an Exchange self-signed certificate

    If you meet an error after renewing the certificate, you will need to check the bindings of the certificate in IIS Manager, as this article mentions: Blank Page Screen After Login In ECP / OWA of Exchange 2016, 2013, 2010 Environment

    In addition, if you are using Exchange inside and outside your organization, it is suggested using a 3rd party certificate from a trusted CA. A related thread here discussed the similar thread for your reference as well: Renewing Self signed SMTP certificate MIcrosoft Exchange 2013

    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards,

    Joyce Shen


    Tuesday, July 21, 2020 2:51 AM
  • Hi,

    Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Joyce Shen


    Friday, July 24, 2020 8:37 AM
  • Hello!

    The article Blank Page Screen After Login In ECP / OWA of Exchange 2016, 2013, 2010 Environment was very helpful. This situation actually occurs when the Microsoft Exchange certificate is renewed. Thanks!

    But renewing the "Microsoft Exchange Server Auth Certificate" requires additional steps, as Andy David pointed out in his answer.

    • Edited by KPN_ Tuesday, July 28, 2020 10:11 AM
    Tuesday, July 28, 2020 10:08 AM
  • Hello!

    Thanks! I updated the "Microsoft Exchange Server Auth Certificate" as in the article https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html.

    I confirm that it works!

    I'll add this myself. It is better to renew the "Microsoft Exchange Server Auth Certificate" from the EAC, rather than using the command "Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate".
    Tested in practice.

    If you have several Exchange servers, then you need to renew the "Microsoft Exchange Server Auth Certificate" from the EAC on only one server, not on each. Next, replicate the new certificate to all Exchange servers as described in the proposed article https://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html.

    The "Microsoft Exchange Server Auth Certificate" must be the same on all servers.
    If you execute Renew for the "Microsoft Exchange Server Auth Certificate" from the EAC on each server, different certificates will be generated.

    • Edited by KPN_ Tuesday, July 28, 2020 11:13 AM
    Tuesday, July 28, 2020 10:10 AM
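
A way to check the point made in the last reply, that every server must hold the same "Microsoft Exchange Server Auth Certificate". This is an added example, not code from the thread or the linked articles; the function name `Test-AuthCertConsistency`, the sample objects and the placeholder thumbprints are hypothetical, while `Get-AuthConfig`, `Get-ExchangeServer` and `Get-ExchangeCertificate` are the Exchange Management Shell cmdlets that would supply real input.

```powershell
# Added example (not from the thread). Function name and sample data are hypothetical.
function Test-AuthCertConsistency {
    param(
        [Parameter(Mandatory)] [string]   $ConfiguredThumbprint,  # (Get-AuthConfig).CurrentCertificateThumbprint
        [Parameter(Mandatory)] [object[]] $ServerCerts,           # objects with Server, Thumbprint, NotAfter
        [datetime] $Now = (Get-Date)
    )
    foreach ($server in ($ServerCerts.Server | Sort-Object -Unique)) {
        # The certificate named in the auth configuration must exist in this server's store.
        $match = $ServerCerts |
            Where-Object { $_.Server -eq $server -and $_.Thumbprint -eq $ConfiguredThumbprint } |
            Select-Object -First 1
        $state = if (-not $match) {
            'MissingConfiguredCert'      # e.g. Renew was run separately on this server
        } elseif ($match.NotAfter -lt $Now) {
            'Expired'
        } else {
            'OK'
        }
        [pscustomobject]@{ Server = $server; State = $state; NotAfter = $match.NotAfter }
    }
}

# Constructed sample: EX03 was renewed on its own in the EAC, so it holds a different certificate.
$sample = @(
    [pscustomobject]@{ Server = 'EX02'; Thumbprint = 'THUMBPRINT-A-PLACEHOLDER'; NotAfter = [datetime]'2025-07-20' }
    [pscustomobject]@{ Server = 'EX03'; Thumbprint = 'THUMBPRINT-B-PLACEHOLDER'; NotAfter = [datetime]'2025-07-20' }
)
Test-AuthCertConsistency -ConfiguredThumbprint 'THUMBPRINT-A-PLACEHOLDER' `
    -ServerCerts $sample -Now ([datetime]'2020-07-28')

# In the Exchange Management Shell the real inputs would be gathered like this:
#   $configured = (Get-AuthConfig).CurrentCertificateThumbprint
#   $certs = Get-ExchangeServer | ForEach-Object {
#       $name = $_.Name
#       Get-ExchangeCertificate -Server $name |
#           Select-Object @{ n = 'Server'; e = { $name } }, Thumbprint, NotAfter
#   }
#   Test-AuthCertConsistency -ConfiguredThumbprint $configured -ServerCerts $certs
```

A server that returns no certificates at all does not appear in the output, so compare the result against the full server list; an older server such as the Exchange 2007 EX01 in the question may need to be excluded from the `Get-ExchangeServer` loop.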