Microsoft Exchange: Renew internal backend certificate

In Microsoft Exchange on-prem, there is an internal certificate that is bound to the back-end web site. This certificate is self-signed and valid for 5 years. It is called "Microsoft Exchange".

The subject of the certificate is the server name itself. The procedure below renews this certificate. It does not matter if the certificate is already expired or still valid.

Start the Exchange Management Shell.

Get the thumbprint of the current certificate:

Get-ExchangeCertificate | where {$_.FriendlyName -like "Microsoft Exchange"} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

Create the new Exchange certificate, using the thumbprint from the previous step:

Get-ExchangeCertificate -Thumbprint "C52645622195BA8AB837962923764B3F767466AE" | New-ExchangeCertificate -Force -PrivateKeyExportable $false

Using certlm.msc, copy the new certificate to the Trusted Root Certification Authorities store, so it is trusted on the server.

In IIS Manager, make sure that the new certificate is bound to the Backend and the third-party certificate is bound to the Default web site.

From the EAC, remove the old "Microsoft Exchange" certificate.

From certlm.msc, under Trusted Root Certification Authorities, remove the old certificate.
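
A read-only check of the result of the steps above, as an added example that is not part of the original post. It assumes the back-end IIS site has its default name "Exchange Back End" and HTTPS port 444; adjust both if your server differs.

```powershell
# Added example (read-only): run in an elevated Exchange Management Shell on the server.
Import-Module WebAdministration

# Assumptions: default IIS site name and HTTPS port of the Exchange back-end site.
$backEndSite = 'Exchange Back End'
$backEndPort = 444

# Every certificate with the friendly name from this page, newest first.
$certs = @(Get-ExchangeCertificate |
    Where-Object { $_.FriendlyName -eq 'Microsoft Exchange' } |
    Sort-Object NotAfter -Descending)
if ($certs.Count -eq 0) { throw 'No "Microsoft Exchange" certificate found.' }
$new = $certs[0]

# Thumbprint currently bound to the back-end HTTPS binding in IIS.
$bound = (Get-WebBinding -Name $backEndSite -Protocol https -Port $backEndPort |
    Select-Object -First 1).certificateHash

# Checks that mirror the renewal, trust and binding steps.
[pscustomobject]@{
    NewestThumbprint = $new.Thumbprint
    NotAfter         = $new.NotAfter
    StillValid       = $new.NotAfter -gt (Get-Date)
    BoundToBackEnd   = $bound -eq $new.Thumbprint
    InTrustedRoot    = Test-Path "Cert:\LocalMachine\Root\$($new.Thumbprint)"
} | Format-List

# Older copies that the last two steps are meant to remove.
$certs | Select-Object -Skip 1 | ForEach-Object {
    [pscustomobject]@{
        OldThumbprint      = $_.Thumbprint
        NotAfter           = $_.NotAfter
        StillInTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($_.Thumbprint)"
    }
} | Format-List
```

After a clean renewal, StillValid, BoundToBackEnd and InTrustedRoot are all True and the second list is empty.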

This is it. You should now be good for the next 5 years.

There is another self-signed Exchange certificate. If you need to renew that one, use this procedure:

Renew Microsoft Exchange Server Auth Certificate
