Tuesday, September 19, 2017

Exchange Server 2016 SSL Certificate and its Renewal Methodology

Microsoft Exchange Server communicates with its clients, other servers and applications over a number of network protocols, such as HTTPS, IMAP, POP and SMTP. Most client and application traffic uses username- and password-based authentication. When credentials are sent over a network in the clear they are exposed to several attacks, since anyone able to observe the traffic can read them directly; any other data exchanged during the session is exposed in the same way. To secure the whole transmission, Exchange Server uses SSL certificates, whose main purpose is to encrypt the network traffic between server, clients and applications. In this article we discuss the Exchange Server 2016 SSL certificate and how to renew it.

When Microsoft Exchange Server 2016 is installed on a machine for the first time, it generates a self-signed SSL certificate by default. When deploying Exchange Server, this self-signed certificate should be replaced with a valid SSL certificate.

Requirements of Exchange Server 2016 SSL Certificates

There are three basic requirements for deploying an SSL certificate on Exchange Server 2016.

1. Correct domain and server names: the SSL certificate must contain the namespaces that match the names the clients connect to.
2. Certificate validity period: every SSL certificate has a fixed period during which it is considered valid. Once the certificate reaches its expiry date, it must be renewed for the services to keep working.
3. Trusted certificate authority: self-signed certificates cause trust issues because they are not issued by a trusted authority, so in that case you should obtain an SSL certificate from a trusted certificate authority.

Renewal of Exchange Certificates

To renew certificates, users can use either the Exchange Admin Center (EAC) or the Exchange Management Shell. This applies to both self-signed certificates and certificates issued by a certification authority (CA).

Note: The process is the same for certificates issued by an internal Active Directory certification authority and for commercial ones.

To renew a certificate, the user creates a certificate renewal request and forwards it to the CA. The CA returns the actual certificate file, which then has to be installed on the Exchange Server. The process is identical to completing a new certificate request to install a certificate on a server.

Creating a Certificate Renewal Request from the EAC

  • Open the EAC and browse to Servers >> Certificates.
  • In the Select server list, choose the Exchange server that holds the certificate you need to renew.
  • Every valid certificate has a Renew link in the details pane, visible when the certificate is selected in the list. Select the certificate to renew and click Renew.
  • On the Renew Exchange certificate page that opens, fill in the Save the certificate request to the following file field: enter the UNC path and file name for the certificate renewal request file, for example \\FileServer01\Data\ContosoCertRenewal.req. When done, click OK.

Using the Exchange Management Shell to Create a Certificate Renewal Request for a Certificate Authority

To create a certificate renewal request for a certificate authority on the local Exchange Server 2016, use the following syntax:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate -GenerateRequest -RequestFile <FilePathOrUNCPath>\<FileName>.req

To find the thumbprint value of the certificate you need to renew, run the command below:

Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

The following example creates a certificate renewal request with these properties:

  • Certificate to renew: 5DB9879E38E36BCB60B761E29794392B23D1C054
  • Request file: \\FileServer01\Data\ContosoCertRenewal.req

Get-ExchangeCertificate -Thumbprint 5DB9879E38E36BCB60B761E29794392B23D1C054 | New-ExchangeCertificate -GenerateRequest -RequestFile \\FileServer01\Data\ContosoCertRenewal.req
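As an added example (not part of the original article), the following Exchange Management Shell script ties the two commands above together: it inventories the valid CA-issued certificates on the local server, generates a renewal request for each one that expires within a configurable number of days, and notes the follow-up import step. The share path \\FileServer01\Data is the article's placeholder, and the Renew-<thumbprint>.cer file name and the $DaysBefore threshold are assumptions.

```powershell
# Added example (not from the original article): find CA-issued certificates on
# the local Exchange 2016 server that expire within $DaysBefore days and generate
# a renewal request for each. Run in the Exchange Management Shell; the UNC path
# is the article's placeholder share.
param(
    [int]   $DaysBefore = 30,
    [string]$RequestDir = '\\FileServer01\Data'
)

# Step 1: inventory. Only valid, CA-issued certificates get a CSR; self-signed
# ones are renewed differently (see the self-signed section of the article).
$cutoff   = (Get-Date).AddDays($DaysBefore)
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.IsSelfSigned -and $_.NotAfter -le $cutoff }

if (-not $expiring) {
    Write-Host "No CA-issued certificate expires within $DaysBefore days."
    return
}

foreach ($cert in $expiring) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    # The thumbprint in the file name ties the CSR back to the certificate it
    # renews; the bound services are recorded because the operator needs them
    # when the CA returns the issued certificate.
    $reqFile = Join-Path $RequestDir ("Renew-{0}.req" -f $cert.Thumbprint)
    $msg     = "{0} ({1}) expires in {2} days; bound services: {3}" -f $cert.FriendlyName, $cert.Thumbprint, $daysLeft, $cert.Services
    Write-Warning $msg

    # Step 2: the article's renewal-request command, driven by the inventory.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        New-ExchangeCertificate -GenerateRequest -RequestFile $reqFile
    Write-Host "Renewal request written to $reqFile"
}

# Step 3, run once the CA has returned the issued certificate (assumed here to be
# saved as Renew-<thumbprint>.cer next to the request): import it with a
# non-exportable private key and bind it to the same services the old
# certificate served. Replace <thumbprint> and the service list accordingly.
# $new = Import-ExchangeCertificate -PrivateKeyExportable $false `
#            -FileData ([System.IO.File]::ReadAllBytes("$RequestDir\Renew-<thumbprint>.cer"))
# Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'
```

Keeping the private key non-exportable on import limits what an attacker who reaches the request share or the server can walk away with; export it only when the certificate genuinely has to move to another server.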

Renewing An Exchange 2016 Self-Signed Certificate

Renewing an Exchange self-signed certificate actually creates a new certificate.

Using the EAC to Renew an Exchange Self-Signed Certificate

  • Open the EAC and navigate to Servers >> Certificates.
  • In the Select server list, choose the Exchange server that holds the certificate to be renewed.
  • Every valid certificate has a Renew link in the details pane, visible when the certificate is selected in the list. Select the certificate you need to renew and click Renew in the details pane.
  • On the Renew Exchange certificate page that opens, verify the read-only list of Exchange services the existing certificate is assigned to, then click OK.

Using the Exchange Management Shell to Renew an Exchange 2016 Self-Signed Certificate

To renew a self-signed certificate, use the following syntax:

Get-ExchangeCertificate -Thumbprint <Thumbprint> | New-ExchangeCertificate [-Force] [-PrivateKeyExportable <$true | $false>]

To find the thumbprint value of the certificate to be renewed, use the following command:

Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

The example below renews a self-signed certificate on the local Exchange Server 2016 using the following settings:

  • Thumbprint of the existing self-signed certificate to renew: BC37CBE2E5467BAAD7D02FEAYR1234556F3E
  • The Force switch replaces the original self-signed certificate without a confirmation prompt.
  • The private key is exportable, which lets you export the certificate and import it on another server.

Get-ExchangeCertificate -Thumbprint BC37CBE2E5467BAAD7D02FEAYR1234556F3E | New-ExchangeCertificate -Force -PrivateKeyExportable $true
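As an added example (not from the original article), this Exchange Management Shell script audits the local server's self-signed certificates, renews those close to expiry with the syntax above, and verifies the result instead of assuming it worked. The $DaysBefore threshold and the IIS-binding warning are assumptions of this example.

```powershell
# Added example (not from the original article): audit the self-signed
# certificates on the local Exchange 2016 server, renew those within
# $DaysBefore days of expiry, and verify the result. Run in the Exchange
# Management Shell.
param([int]$DaysBefore = 30)

$cutoff = (Get-Date).AddDays($DaysBefore)

foreach ($cert in (Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned })) {
    $services = "$($cert.Services)"
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # A self-signed certificate bound to IIS is the one Outlook, OWA and
    # ActiveSync clients see, and they do not trust it. Renewing only extends
    # its validity; the real fix is the CA-issued certificate described earlier.
    if ($services -match 'IIS') {
        Write-Warning "Self-signed $($cert.Thumbprint) is bound to IIS ($services); plan to replace it with a CA-issued certificate."
    }

    if ($cert.NotAfter -gt $cutoff) {
        Write-Host "$($cert.Thumbprint): $daysLeft days left, no action ($services)."
        continue
    }

    # Renew: creates a new certificate and, with -Force, replaces the old one
    # without a prompt. The private key stays non-exportable; set it to $true
    # only when the certificate must be copied to another server.
    $new = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        New-ExchangeCertificate -Force -PrivateKeyExportable $false
    if (-not $new) {
        Write-Warning "Renewal of $($cert.Thumbprint) returned no certificate; check the errors above."
        continue
    }

    # Verify before trusting the result: later expiry and the same services.
    $after = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($after.NotAfter -le $cert.NotAfter) {
        Write-Warning "Renewal of $($cert.Thumbprint) did not extend validity; inspect manually."
    } elseif ("$($after.Services)" -ne $services) {
        Write-Warning "New certificate $($after.Thumbprint) is bound to '$($after.Services)', old one had '$services'; re-run Enable-ExchangeCertificate if needed."
    } else {
        Write-Host "Renewed $($cert.Thumbprint) -> $($after.Thumbprint), valid until $($after.NotAfter), services: $services."
    }
}
```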

If Exchange Server 2016 shows errors due to database corruption, there is a reliable tool available that performs Exchange database recovery without data loss.


This article shows that the method is user friendly and that users can rely on it to renew certificates in Exchange Server 2016. Follow it completely and keep your certificates up to date.

