Replace my current Exchange Certificate

Hi Guys!

I have two multi-role Exchange Server 2013 servers (CAS/MBX), and my current certificate, which has "webmail.domain.com" as a SAN, will expire soon.

I have another certificate that is a wildcard, and I need to know how I can replace my current certificate with my wildcard certificate.

During the certificate change, will my users have no access to my Exchange Server?

Th

July 12th, 2015 7:31pm

Hi,

You can run the following command to check your certificate settings on Exchange server:

Get-ExchangeCertificate | fl

You should add "webmail.domain.com" into the new certificate.

Then please run the below command to assign the services to the new certificate.

Enable-ExchangeCertificate -Server 2013 -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXX'

Based on my knowledge, your users will have some connection issues when accessing my Exchange Server during the certificate change.

For more information about replacing the certificate, please refer to the link below:

https://support2.microsoft.com/default.aspx?scid=kb;en-us;Q295281

Regards,

David


July 12th, 2015 10:51pm

My new certificate is a wildcard, so I can skip this step, right?

The process is:

1 - Import the new certificate on my 2 Exchange Servers using EAC

2 - Assign the services to the new certificate using PowerShell or EAC

3 - What do I do with my old certificate that has still not expired??

Thank you very much!!

July 12th, 2015 11:00pm

Hi Julio,

The steps you mentioned are correct.

Once you assign the services to the new certificate, it will automatically overwrite the old certificate's services, hence you don't have to worry about it. Normally we would keep the certificate there for some time and delete it from EAC later.

[You can't remove the certificate that's being used. If you want to replace the default certificate for the server with another certificate that has the same fully qualified domain name (FQDN), you must create the new certificate first, and then remove the old certificate.]

Just to confirm: you have requested the new wildcard certificate from the EAC, and the import steps are also from the EAC only, right?

Nice guide for "SSL Certificate Installation for Exchange 2013"

https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2013.htm

Also, the service disruption will be very short (assignment step). But if you have the namespace load-balanced with 2 servers, you can do this one by one. Without users noticing the c

July 13th, 2015 5:30am

I need to request a new certificate through EAC? My customer only sent me the existing .cer

Thanks for your answers and for your patience.

July 13th, 2015 1:37pm

I think that if I have a wildcard certificate (.cer) I won't need to generate a new request because I will not select services in the CSR, right?
July 13th, 2015 2:10pm

You have to install the services, I don't necessarily think you need to go through a csr (unless you don't have a wild card cert already). Just try importing via the GUI.

July 13th, 2015 2:58pm

Hi Julio,

As Hinte said, using the EAC to generate the cert is not mandatory; it's just a good practice and easy to follow.

July 14th, 2015 3:24am
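
The swap discussed in this thread, done one server at a time with pre-flight checks, as an added PowerShell example for the Exchange Management Shell (not code from any poster). The server names EX01/EX02, the thumbprint placeholder and the helper `Test-CertCoversName` are hypothetical, and the script assumes each `CertificateDomains` entry stringifies to a name such as `*.domain.com`.

```powershell
# Added example. Hypothetical values: server names and the thumbprint placeholder.
$Servers    = 'EX01', 'EX02'
$Thumbprint = '<NEW-CERT-THUMBPRINT>'      # take it from: Get-ExchangeCertificate | fl
$Namespace  = 'webmail.domain.com'         # name the clients connect to (from the thread)
$Services   = 'IMAP, POP, IIS, SMTP'       # same service list as the command in the thread

# Hypothetical helper: does any name on the certificate cover $HostName?
# A wildcard covers exactly one label: *.domain.com matches webmail.domain.com,
# but not domain.com and not a.b.domain.com.
function Test-CertCoversName {
    param([string[]]$CertDomains, [string]$HostName)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }          # -eq ignores case for strings
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                   # '.domain.com'
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

foreach ($s in $Servers) {
    # The certificate must already be imported on this server.
    $cert  = Get-ExchangeCertificate -Server $s -Thumbprint $Thumbprint -ErrorAction Stop
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    $problems = @()
    if (-not $cert.HasPrivateKey)       { $problems += 'no private key on this server' }
    if ($cert.NotAfter -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
    if (-not (Test-CertCoversName $names $Namespace)) {
        $problems += "does not cover $Namespace"
    }
    if ($problems) {
        # Leave the old certificate bound rather than assigning an unusable one.
        Write-Warning "$s skipped: $($problems -join '; ')"
        continue
    }

    # Assign the services, then show what is now bound to each certificate.
    Enable-ExchangeCertificate -Server $s -Thumbprint $Thumbprint -Services $Services
    Get-ExchangeCertificate -Server $s |
        Format-Table Thumbprint, Services, NotAfter -AutoSize
}
```

A server that reports no private key for the new certificate is skipped, so its old certificate keeps serving clients until the import is corrected.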

This topic is archived. No further replies will be accepted.
