How to renew Public Certificates in Exchange Server 2013/2016

The process to renew Public Certificates in Exchange Server 2013/2016 is simple and can be completed in less than 30 minutes. In this Tutorial we are going to demonstrate how to renew a Public Certificate using Digicert.

We are a Digicert partner, and if you are looking for an Exchange Server Public Certificate, please use this link.

Solution


An administrator will know that a certificate is about to expire in several ways: nowadays Digicert will call you and send you a message, and the Exchange Admin Center will also show an alert informing you that a certificate is about to expire.

The first step is to click on Servers, and then Certificates. Select the certificate that is about to expire and click on Renew, located on the right side.

In the new page, type in the UNC location where the request file will be saved. The Exchange Trusted Subsystem group should have permission on this share.

Note: If you don’t have that file share created to support Exchange Server 2013/2016, the following Tutorial will provide all details: http://itprocentral.com/creating-a-shared-folder-exutil-to-support-exchange-server-2013-eac/

A new entry will be added under certificates, and it will have the status of Pending request.

The result of that operation will be a new file in the path that we specified. The next step is to open the file using Notepad and copy its entire content. That information will be used to request the renewal of the certificate at the Public Certificate Authority.

Certificate Renew at Public Certificate interface…

In this Tutorial we are covering the steps using Digicert. If you are not a customer, you may have something similar with your certificate partner.

In the main page, click on Orders, and click on your order that is about to expire.

In the new page, scroll down and click on Renew under the Other Order Management Actions section.

In the new page, scroll down to the Name(s) to Secure section, and select the option (Optional) I would like to provide my CSR and auto-fill names now.

In the new page, paste the content of the request file that we created at the beginning of this Tutorial and click on Continue twice. Complete the wizard by entering your payment information and any additional information that may be required.

Wait a few moments, and the new certificate will be available under My Orders. Click on Download.

In the Download Certificate section, just click on Download and save the file in the same location (UNC location) where we saved the request previously.

Both files, the request and the renewed certificate, will be listed in that folder.

Finishing up the renewal on Exchange Server 2013/2016…

After requesting the certificate renewal, working on the Digicert/Public CA site, and getting the renewed certificate back, the last step is to complete the configuration on the Exchange Server side.

In order to do that, select the certificate that is being shown as Pending request, and click on Complete.

A new page will be displayed. Type in the UNC location, including the file name and extension, and click on OK.

Now the renewed certificate should show as Valid instead of Pending request. It is easy to spot the renewed certificate using the Expires On column. Click on the renewed certificate and click on Edit.

The final step is to click on Services and select IIS and click on save.

Note: If you use the certificate for other services, please select those services. You may use the old certificate as baseline to configure the renewed one.

In order to refresh the settings and make sure that the new certificate is in use, we can run iisreset and then start testing with the new certificate.

That is the entire process from A to Z to renew a certificate using Exchange Server 2013 and the same procedure applies to Exchange Server 2016.
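
The same renewal can be driven from the Exchange Management Shell, which also makes it easy to review the request before it goes to the CA and to confirm which certificate is served after iisreset. The script below is an added example, not part of the original tutorial: the UNC paths, the host name, the `Get-ServedThumbprint` helper and the rule used to pick the expiring certificate are assumptions.

```powershell
# Added example: run in the Exchange Management Shell on the server being renewed.
# Run once to create the request, then again after the CA file is saved to $CerPath.
$ReqPath  = '\\fileserver\exutil\renew.req'    # placeholder UNC path (assumption)
$CerPath  = '\\fileserver\exutil\renewed.cer'  # placeholder UNC path (assumption)
$HostName = 'mail.example.com'                 # placeholder published name (assumption)

# Hypothetical helper: thumbprint of the certificate actually presented on a TLS port.
function Get-ServedThumbprint([string]$Name, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept any certificate: the goal is to inspect what is served, not to trust it.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Name, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)).Thumbprint
    } finally { $tcp.Close() }
}

if (-not (Test-Path $CerPath)) {
    # Phase 1: soonest-expiring CA-issued certificate bound to IIS (selection rule is an assumption).
    $old = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
        Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
        Sort-Object NotAfter | Select-Object -First 1
    "Renewing $($old.Thumbprint) (expires $($old.NotAfter)); services: $($old.Services)"

    # Equivalent of Renew in EAC: creates the pending request and returns the Base64 CSR.
    $csr = Get-ExchangeCertificate -Thumbprint $old.Thumbprint | New-ExchangeCertificate -GenerateRequest
    Set-Content -Path $ReqPath -Value $csr

    # Review subject, SANs and key length before pasting the CSR into the CA portal.
    certutil -dump $ReqPath | Select-String 'Subject:|DNS Name=|Public Key Length'
}
else {
    # Phase 2: equivalent of Complete in EAC, then assign IIS as in the tutorial.
    $new = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($CerPath))
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
    iisreset

    # Confirm the listener now presents the renewed certificate.
    $served = Get-ServedThumbprint $HostName
    if ($served -eq $new.Thumbprint) { "OK: $HostName serves $served" }
    else { Write-Warning "$HostName serves $served, expected $($new.Thumbprint)" }
}
```

If `$HostName` resolves to a load balancer, point the check at the individual server name instead. The services line printed in phase 1 is the baseline to compare against when the old certificate was assigned to more than IIS.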

A few notes from the field:

  • If you have more than one server, complete the renewal on one selected server, and after that just export/import the certificate.
  • After the process is complete and you have the first server with the renewed certificate, the administrator can delete the .cer and .req files created initially.
  • Avoid using IIS and the Certificates MMC to manage Exchange Server 2013/2016 certificates. Go there only if you know what you are doing; you don’t need them to manage your certificates.

Written by Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services. Besides the Microsoft Award, he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft Community with articles, tutorials, blog posts, Twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and AndersonPatricio.org (Portuguese).
