Exchange 2013 - Front-End and Back-End Website/IIS Certificate

  • Question

  • We have two Exchange Server 2013 which are multi-role servers.

    Server-1 has following certificates.

    Thumbprint         : A2AA96BEA74E6B3D5DAB5A52FFF2D75E7026E1FC
    Services           : IMAP, POP, IIS, SMTP
    NotAfter           : 11/12/2021 10:00:00 PM
    Subject            : CN=www.mycompany.com, OU=Information Technology, O="My Company Name", L=MyCity, C=XX, SERIALNUMBER=D-16293, OID.1.3.6.1.4.1.311.60.2.1.3=XX,
                         OID.2.5.4.15=Private Organization
    CertificateDomains : {www.mycompany.com, mycompany.com, gr-pxchange2.mycompany.com, mail.mycompany.com, gr-pxchange1.mycompany.com, portal.mycompany.com}
    
    Thumbprint         : 2303BAA721D9C61EBF74676712CC0CB91004C9D4
    Services           : SMTP
    NotAfter           : 7/24/2024 4:28:36 PM
    Subject            : CN=Microsoft Exchange Server Auth Certificate
    CertificateDomains : {}
    
    Thumbprint         : F448FE8BB6F7CA0FBD13C2606491CF51E76C2507
    Services           : SMTP
    NotAfter           : 8/21/2020 3:46:13 AM
    Subject            : CN=MYCOMPANY.com, CN=mycompany.com
    CertificateDomains : {MYCOMPANY.com}
    
    Thumbprint         : E75202DBB5652624E2E09BA0161C03CA25B9009C
    Services           : IIS, SMTP
    NotAfter           : 8/21/2020 1:03:46 AM
    Subject            : CN=GR-PXCHANGE1
    CertificateDomains : {GR-PXCHANGE1, GR-PXCHANGE1.MYCOMPANY.com}
    
    Thumbprint         : DD1E57B2FA5BCFA2E5F668EE2A26167DADB9DC4B
    Services           : None
    NotAfter           : 8/18/2025 12:38:54 AM
    Subject            : CN=WMSvc-GR-PXCHANGE1
    CertificateDomains : {WMSvc-GR-PXCHANGE1}

    (1) certificate is a multi-SAN and actively bound to IMAP, POP, IIS, SMTP services. In IIS, this cert is bound to "Default Web Site", which is Front-end.

    (2) cert I believe was created during Exchange setup; it's showing assigned to SMTP. Can I remove it?

    (3) cert is also showing assigned to SMTP. Can I remove it?

    (4) cert is bound to "Exchange Back End" website in IIS. From ECP, it's showing assigned to both SMTP and IIS. If I renew it from ECP, then it's going to be reassigned to the same services again - is that correct? Or should I just renew/reissue it from IIS (not from ECP) and bind the new certificate from IIS?

    (5) cert is showing not assigned to any service but it's valid for the next 5 years. Can I remove it too?

    Any suggestion will be appreciated. Thank you.

    Thursday, July 23, 2020 5:34 AM

All replies

  • Usually Exchange operates with 2 certificates - one (ordinary commercial) is assigned for Front-End and used by SMTP, IIS, POP, IMAP; another one (self-signed) is assigned for Back-End. But I don't recommend deleting the other certs you have mentioned.
    Thursday, July 23, 2020 6:08 AM
  • The back-end one (2) is expiring in about a month's time. It's also showing assigned to IIS and SMTP. So if I renew it from ECP, will it cause any issue with the services, because the same services have (1) certificate, which is front-end and a commercial cert?
    Thursday, July 23, 2020 8:37 AM
  • Hi spark53,

    Removing the (2) (3) certificates may not cause an OWA or Outlook issue; everything will still work fine, except you will find multiple Error 12014 entries in Event Viewer, which requires you to manually modify the FQDN for all send connectors and receive connectors. However, some built-in connectors may be hard to change, in which case you need to recreate those connectors.

    For detailed information, see this blog: https://markgossa.blogspot.com/2015/11/exchange-2013-2016-can-you-delete-self-signed-certificate.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    (4) By default we use the "Microsoft Exchange" certificate for backend bindings and it's recommended not to change it. Why are you using this one?

    (5)The wmsvc certificate is used by the Web Management service in IIS to enable remote management of the web server and its associated web sites and applications.

    If you remove this certificate, the Web Management service will fail to start if no valid certificate is selected. 

    Regards,

    Eric Yin


    Friday, July 24, 2020 6:38 AM
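
A read-only check that collects, for one thumbprint, the facts this thread turns on before a certificate is removed or renewed: assigned services, days to expiry, IIS sites bound to it, and connectors whose FQDN matches a name on it. This is an added example, not part of the original posts; it assumes the Exchange Management Shell and the WebAdministration module on the local server, and `$WarnDays` and the output property names are illustrative.

```powershell
# Added example: read-only check, run in the Exchange Management Shell on the
# server that holds the certificate. It changes nothing.
param(
    [Parameter(Mandatory)][string]$Thumbprint,  # value from Get-ExchangeCertificate
    [int]$WarnDays = 45                         # assumption: renewal warning window
)

Import-Module WebAdministration

$cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$domains = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# IIS sites (e.g. "Default Web Site", "Exchange Back End") bound to this cert
$sites = @(foreach ($site in Get-Website) {
    Get-WebBinding -Name $site.Name -Protocol https |
        Where-Object { $_.certificateHash -eq $Thumbprint } |
        ForEach-Object { '{0} [{1}]' -f $site.Name, $_.bindingInformation }
})

# Connectors whose FQDN exactly matches a name on the certificate; these are
# the connectors affected by the FQDN changes described in the reply above
$all = @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)
$connectors = @($all |
    Where-Object { $_.Fqdn -and ($domains -contains "$($_.Fqdn)".ToLower()) } |
    ForEach-Object { "$($_.Identity)" })

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Subject    = $cert.Subject
    Services   = "$($cert.Services)"
    NotAfter   = $cert.NotAfter
    DaysLeft   = $daysLeft
    RenewSoon  = $daysLeft -le $WarnDays
    IisSites   = $sites -join '; '
    Connectors = $connectors -join '; '
    InUse      = ("$($cert.Services)" -ne 'None') -or $sites.Count -or $connectors.Count
}
```

The match on connector FQDN is by exact name only, so a wildcard entry on a certificate is not counted as covering a connector.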
  • Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark it or the helpful reply as the answer; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Eric Yin


    Friday, July 31, 2020 7:59 AM