Enterprise CA Certificates renewal impact on Exchange 2013 services

  • Question

  • Hi everyone.

    We have an internal CA based on Windows Server 2008 and its certificate will expire soon. We issued a certificate to the Exchange 2013 server multirole instance, and this certificate will also expire soon.

    I wanted to know the impact of renewing the Exchange certificate and/or the internal CA certificate on the Exchange services that are running using it (IIS, Exchange ActiveSync, IMAP, ...). Will I have to re-activate all synchronized phones in the company if I renew the Exchange certificate, or will there be no impact?

    Please help, as it's critical to our business.

    Monday, April 27, 2020 9:58 AM


All replies

  • As long as it's trusted by the clients, it will be fine. Using an internal CA is not recommended, however, because of the trust and mgmt issues. I assume it's trusted now.

    Monday, April 27, 2020 11:22 AM
    Moderator
  • Hi AKCHIRED,

    Agree with what Andy said: as long as the certificate is from a trusted authority and all the correct names are specified, there should be no impact.

    For detailed steps about renewing the certificate please refer to the official document:

    Renew an Exchange Server certificate

    You can also check the differences between the three types here: Digital certificates overview

    Regards, 

    Joyce Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, April 28, 2020 5:38 AM
  • Hi,

    Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Joyce Shen



    Friday, May 1, 2020 1:00 AM
  • Thanks for the reply and help.

    But my question becomes specifically about Exchange ActiveSync, since we have managers' phones synchronized with our Exchange server. If the certificate is renewed, the thumbprint will be changed; in this case, do I have to re-create a synchronization account on all the phones, or will the new certificate be renewed automatically on the phones?

    Thanks

    Friday, May 1, 2020 9:50 AM
  • If you were using a 3rd-party cert, then it wouldn't be an issue. As I mentioned above, it's not about the thumbprint, it's about the trust. If the devices do not trust this new cert, then it will throw an error.

    • Marked as answer by AKCHIRED Saturday, May 2, 2020 7:08 AM
    Friday, May 1, 2020 10:48 AM
    Moderator
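
To illustrate the thumbprint-versus-trust point in the answer above, here is an added example (not part of the original thread) that builds the certificate chain for the old and the renewed server certificate and reports whether each one validates. The file paths are hypothetical placeholders, and the Windows trust store of the machine running the script stands in for a device's trust store, which is an assumption.

```powershell
# Added example. Get-CertTrustReport is a hypothetical helper name.
function Get-CertTrustReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the result reflects trust and validity dates only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    # Build() returns $true only if the chain ends in a trusted root and
    # every certificate in it is inside its validity period.
    $trusted = $chain.Build($Certificate)

    # The last chain element is the top-most certificate that could be found.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        NotAfter      = $Certificate.NotAfter
        TopOfChain    = $top.Subject
        TopThumbprint = $top.Thumbprint
        TopNotAfter   = $top.NotAfter
        ChainTrusted  = $trusted
        # Empty when the chain is clean; otherwise e.g. UntrustedRoot, NotTimeValid.
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Hypothetical exports (public part only) of the old and the renewed certificate.
$paths = 'C:\Temp\mail-old.cer', 'C:\Temp\mail-renewed.cer'

$paths | ForEach-Object {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_
    Get-CertTrustReport -Certificate $cert
} | Format-List
```

The two leaf thumbprints always differ after a renewal. What decides whether a client accepts the renewed certificate is the `ChainTrusted` and `ChainStatus` result against that client's own trust store.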
  • Thanks for the reply, but another problem has come up: my enterprise (private) CA certificate has expired and I tried to renew it using the console, keeping the same key pair, but the process gives nothing and the certificate remains with the same expiry date.

    Please help

    Saturday, May 2, 2020 7:08 AM
  • You may want to ask this specific cert question in the Windows Security forum:

    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity

    Saturday, May 2, 2020 10:51 AM
    Moderator
  • Hi AKCHIRED,

    Are you using a command like the one below to renew your certificate?

    Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest -RequestFile \\FileServer01\Data\ContosoCertRenewal.req

    To verify that you have successfully created a certificate renewal request for a certification authority, perform either of the following steps:

    In the EAC at Servers > Certificates, verify the server where you stored the certificate request is selected. The request should be in the list of certificates with the Status value Pending request.

    Check the request file path, whether the new request file is generated there, then you will need to use the code in that file to apply for the new certificate from your CA.

    Regards, 

    Joyce Shen



    Tuesday, May 5, 2020 7:34 AM
  • Hi,

    Is there any update about your issue?

    Regards,

    Joyce Shen



    Tuesday, May 12, 2020 8:27 AM