The process to renew Public Certificates in Exchange Server 2013/2016 is simple and you can get over with in less than 30 minutes. We are going to demonstrate how to renew a Public Certificate using Digicert on this Tutorial.
We are a Digicert partner, and if you are looking for an Exchange Server Public Certificate, please use this link.
An administrator will know when a certificate is about to expire for several reasons, nowadays Digicert will call you and send you a message, and also Exchange Admin Center will have an alert informing that a certificate is about to expire.
The first step is to click on Servers, and then certificates. Select the certificate that is about to expire and click on Renew located on the right side.
In the new page, type in the UNC location to save the request file. This share should have permission to Exchange Trusted Subsystem group.
Note: If you don’t have that file share created to support Exchange Server 2013/2016, the following Tutorial will provide all details: http://itprocentral.com/creating-a-shared-folder-exutil-to-support-exchange-server-2013-eac/
A new entry will be added under certificates, and it will have the status of Pending request.
The result of that operation will be a new file on the path that we specified. The next step is to open the file using notepad and copy the entire content, that information will be used to request the renew of the certificate on the Public Certificate Authority.
Certificate Renew at Public Certificate interface…
In this Tutorial we are covering the steps using Digicert, if you are not a customer you may have something similar with your certificate partner.
In the main page, click on Orders, and click on your order that is about to expire.
In the new page, scroll down and click on Renew under Other Order Management Actions section.
In the new page, scroll down to Name(s) to Secure section, and select the option (Optional) I would like to provide my CSR and auto-fill names now.
In the new page, paste the content of the request file that we created at the beginning of this Tutorial and click on Continue twice. Complete the wizard entering your payment information and additional information that may be required.
Wait a few moments, and the new certificate will be available under My Orders. Click on Download.
In the Download Certificate section. Just click on download and save the file on the same location (UNC location) where we saved the request previously.
Both files request and renewed certificates will be listed on that folder.
Finishing up the renew on Exchange Server 2013/2016..
After requesting the certificate renew, working on the Digicert/Public CA site, and getting the renewed certificate back, the last step is to complete the configuration on Exchange Server side.
In order to do that, select the certificate that is being shown as Pending Request, and click on complete.
A new page will be displayed, type in the UNC location including the file and extension and click on OK.
Now the renewed certificate should show as Valid instead of Pending request. It is easy to spot the renewed certificate using the Expires On column. Click on the renewed certificate and click on edit
The final step is to click on Services and select IIS and click on save.
Note: If you use the certificate for other services, please select those services. You may use the old certificate as baseline to configure the renewed one.
In order to refresh the settings and make sure that the new certificate is in use we can use the iisreset and start doing tests with the new certificate.
That is the entire process from A to Z to renew a certificate using Exchange Server 2013 and the same procedure applies to Exchange Server 2016.
A few notes from the field:
- If you have more than one server, complete the renew in one selected server, and after that just export/import the certificate
- After the process is complete and you have the first server with the renewed certificate, the administrator can delete the .cer and .req file created initially
- Avoid using IIS and Certificates MMC to manage Exchange Server 2013/2016 certificate. Just go there if you know what you are doing however you don’t need that to manage your certificates