Renew SSL Certificate on Exchange Server

How to Renew SSL Certificate on Exchange Server?

When you install Microsoft Exchange 2016/2013, an SSL certificate is automatically generated to protect connections between clients and the server. Usually, the first SSL certificate is issued exactly for one year. When this certificate expires, users see a message with the following warning when starting Outlook:

The security certificate has expired or is not yet valid

renew exchange certificate

You can renew the certificate or release a new one through the ECP/EAC GUI (Exchange Admin Center) or using the PowerShell cmdlets from the Exchange Management Shell.

Next, we will show the steps for renewing the Exchange certificate using the ECP interface and then share similar EMS commands.

Renew Exchange Certificate from Exchange Admin Center

Open the Exchange control panel by going to the following URL:


First, you need to generate a certificate renewal request. Go to the Server > Certificate section. Select an expired certificate and click the Renew button. Save the certificate renewal file (.req) to a shared network folder.

exchange renew ssl certificate

The status of the certificate in the EAC will change to Pending Request.

Submit the req file for certificate renewal to your Certification Authority (external or internal CA). Based on your request, certificate manager should generate a certificate and return you a new .cer file.

Select your certificate in the EAC console and click Complete.

exchange renew self signed certificate

Specify the UNC path to your certificate file in the shared network folder and click OK.

Now you need to assign (reassign) a certificate to Exchange services (usually IMAP, POP, IIS).

renew exchange certificate step by step

It remains to restart IIS on the Exchange server with the command:


The certificate status in the Exchange console should change to Valid.

You can export the new certificate to other Exchange servers. To do this, export the certificate into the .pfx format (it contains the private key, so use a cryptographic password to protect cert file). Import the certificate on the destination Exchange servers.

Renew Exchange Server Certificate Using PowerShell

Display the full list of Exchange certificates and copy the ThumbPrint of the certificate you want to renew.

Get-ExchangeCertificate | C:\ExchangeCertThumbPrint.txt

For example, your certificate ThumbPrint is 1234512345123451234512345123451234512345.

Use the following PowerShell command to create renewal request for your certificate and save it on a shared folder:

Get-ExchangeCertificate -Thumbprint 1234512345123451234512345123451234512345| New-ExchangeCertificate -GenerateRequest -RequestFile "\your_exch_srv_name\share\renewcert.req" -PrivateKeyExportable:$true

After receiving a new certificate from CA, complete the certificate request:

Import-ExchangeCertificate -FileName “\your_exch_srv_name\share\company_new_sslcert.cer" -PrivateKeyExportable:$true

Now enable this certificate for the required Exchange services:

Enable-ExchangeCertificate –Thumbprint 9519495194951949519495194951949519495194 –Services "IIS, SMTP, POP, IMAP"

It remains only to restart IIS on your Exchange server:

Restart-Service W3SVC

You may also like:

Add Calendar Permissions in Office 365 via PowerSh... This is a tutorial on how to add calendar permissions in Office 365 for your users via PowerShell. You can add the permissions on a specific user’s ma...
How to Get List of Installed Programs in Windows 1... In this simple guide, we will show you two different ways of how to get a list of installed programs in Windows 10, 8 or Windows 7 using built-in comm...
How to copy files with BITS using PowerShell? If you use local (and global) networks, you might know that files between systems are transferring by using SMB, FTP or HTTP protocols. The problem wi...
Removing Old and Unused Drivers from Driver Store ... Each time you install or update your device driver, Windows OS (since Vista) continues to store the old version of the driver in the system Driver Sto...
Time Configuration for a Virtualized Domain Contro... Today we will talk about some of the features of time configuration on a virtualized domain controllers. Typically, the time synchronization scheme in...

Add Your Comment