How to Renew SSL Certificate on Exchange Server?

When you install Microsoft Exchange 2016/2013, an SSL certificate is automatically generated to protect connections between clients and the server. Usually, the first SSL certificate is issued exactly for one year. When this certificate expires, users see a message with the following warning when starting Outlook:

The security certificate has expired or is not yet valid

renew exchange certificate

You can renew the certificate or release a new one through the ECP/EAC GUI (Exchange Admin Center) or using the PowerShell cmdlets from the Exchange Management Shell.


Next, we will show the steps for renewing the Exchange certificate using the ECP interface and then share similar EMS commands.

Renew Exchange Certificate from Exchange Admin Center

Open the Exchange control panel by going to the following URL:


First, you need to generate a certificate renewal request. Go to the Server > Certificate section. Select an expired certificate and click the Renew button. Save the certificate renewal file (.req) to a shared network folder.

exchange renew ssl certificate

The status of the certificate in the EAC will change to Pending Request.

Submit the req file for certificate renewal to your Certification Authority (external or internal CA). Based on your request, certificate manager should generate a certificate and return you a new .cer file.

Select your certificate in the EAC console and click Complete.

exchange renew self signed certificate

Specify the UNC path to your certificate file in the shared network folder and click OK.

Now you need to assign (reassign) a certificate to Exchange services (usually IMAP, POP, IIS).


renew exchange certificate step by step

It remains to restart IIS on the Exchange server with the command:


The certificate status in the Exchange console should change to Valid.

You can export the new certificate to other Exchange servers. To do this, export the certificate into the .pfx format (it contains the private key, so use a cryptographic password to protect cert file). Import the certificate on the destination Exchange servers.

Renew Exchange Server Certificate Using PowerShell

Display the full list of Exchange certificates and copy the ThumbPrint of the certificate you want to renew.

Get-ExchangeCertificate | C:\ExchangeCertThumbPrint.txt

For example, your certificate ThumbPrint is 1234512345123451234512345123451234512345.

Use the following PowerShell command to create renewal request for your certificate and save it on a shared folder:

Get-ExchangeCertificate -Thumbprint 1234512345123451234512345123451234512345| New-ExchangeCertificate -GenerateRequest -RequestFile "\\your_exch_srv_name\share\renewcert.req" -PrivateKeyExportable:$true

After receiving a new certificate from CA, complete the certificate request:

Import-ExchangeCertificate -FileName “\\your_exch_srv_name\share\company_new_sslcert.cer" -PrivateKeyExportable:$true

Now enable this certificate for the required Exchange services:

Enable-ExchangeCertificate –Thumbprint 9519495194951949519495194951949519495194 –Services "IIS, SMTP, POP, IMAP"

It remains only to restart IIS on your Exchange server:

Restart-Service W3SVC
I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

One comment

  1. I have a certificate that is expiring in a week. I have followed your steps about a 4th time now but for some reason, the new certificate I installed remains on “Pending Request” status no matter how many times I click “Complete” and follow the steps.

    Am I doing something wrong? Should I remove my currently active certificate?

    Thank You

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.