When you install Microsoft Exchange 2016/2013, an SSL certificate is automatically generated to protect connections between clients and the server. Usually, the first SSL certificate is issued for exactly one year. When this certificate expires, users see the following warning when starting Outlook:
The security certificate has expired or is not yet valid
You can renew the certificate or issue a new one through the ECP/EAC GUI (Exchange Admin Center) or with PowerShell cmdlets from the Exchange Management Shell (EMS).
Next, we will show the steps for renewing the Exchange certificate using the ECP interface and then share similar EMS commands.
Renew Exchange Certificate from Exchange Admin Center
Open the Exchange control panel by going to the following URL:
First, you need to generate a certificate renewal request. Go to the Servers > Certificates section. Select the expired certificate and click the Renew button. Save the certificate renewal request file (.req) to a shared network folder.
The status of the certificate in the EAC will change to Pending Request.
Submit the .req file for certificate renewal to your Certification Authority (external or internal CA). Based on your request, the certificate manager should generate a certificate and return a new .cer file to you.
Select your certificate in the EAC console and click Complete.
Specify the UNC path to your certificate file in the shared network folder and click OK.
Now you need to assign (reassign) the certificate to Exchange services (usually IMAP, POP, IIS).
Finally, restart IIS on the Exchange server with the command:
The certificate status in the Exchange console should change to Valid.
You can export the new certificate to other Exchange servers. To do this, export the certificate in the .pfx format (it contains the private key, so protect the certificate file with a strong password). Then import the certificate on the destination Exchange servers.
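The export and import described above can also be scripted from the Exchange Management Shell. This is an added example, not part of the original article; the server names, the share path and the thumbprint are placeholders, and leaving the private key non-exportable on the destination servers is a choice made here.

```powershell
# Added example: run in the Exchange Management Shell.
# Placeholders (assumptions): server names, PFX path and thumbprint.
$thumb      = '<THUMBPRINT_OF_RENEWED_CERT>'
$sourceSrv  = 'EXCH01'
$targetSrvs = 'EXCH02', 'EXCH03'
$pfxPath    = '\\your_exch_srv_name\share\exchange_cert.pfx'

# Prompt for the PFX password so it never appears in a script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Stop early if the certificate is not valid or has no private key to export.
$cert = Get-ExchangeCertificate -Server $sourceSrv -Thumbprint $thumb
if ($cert.Status -ne 'Valid' -or -not $cert.HasPrivateKey) {
    throw "Certificate $thumb on $sourceSrv cannot be exported (Status=$($cert.Status))."
}

# Export the certificate with its private key as a password-protected PFX.
$export = Export-ExchangeCertificate -Server $sourceSrv -Thumbprint $thumb `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

try {
    foreach ($srv in $targetSrvs) {
        # Import on the destination; the key stays non-exportable there.
        Import-ExchangeCertificate -Server $srv `
            -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) `
            -Password $pfxPassword -PrivateKeyExportable:$false | Out-Null

        # Bind the certificate to the same services as on the source server.
        Enable-ExchangeCertificate -Server $srv -Thumbprint $thumb `
            -Services 'IIS, SMTP, POP, IMAP'

        # Confirm status, expiry date and assigned services on the destination.
        Get-ExchangeCertificate -Server $srv -Thumbprint $thumb |
            Format-List Subject, Thumbprint, NotAfter, Status, Services
    }
}
finally {
    # The PFX holds the private key: remove it from the share once done.
    Remove-Item -Path $pfxPath -Force
}
```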
Renew Exchange Server Certificate Using PowerShell
Display the full list of Exchange certificates and copy the Thumbprint of the certificate you want to renew.
Get-ExchangeCertificate | Out-File C:\ExchangeCertThumbPrint.txt
For example, your certificate Thumbprint is 1234512345123451234512345123451234512345.
Use the following PowerShell command to create a renewal request for your certificate and save it to a shared folder:
Get-ExchangeCertificate -Thumbprint 1234512345123451234512345123451234512345 | New-ExchangeCertificate -GenerateRequest -RequestFile "\\your_exch_srv_name\share\renewcert.req" -PrivateKeyExportable:$true
After receiving the new certificate from the CA, complete the certificate request:
Import-ExchangeCertificate -FileName "\\your_exch_srv_name\share\company_new_sslcert.cer" -PrivateKeyExportable:$true
Now enable this certificate for the required Exchange services:
Enable-ExchangeCertificate -Thumbprint 9519495194951949519495194951949519495194 -Services "IIS, SMTP, POP, IMAP"
Finally, restart IIS on your Exchange server: