Renewing self-signed certificates in Exchange 2010 and Exchange 2007

by Bharat Suneja on January 28, 2008

Exchange 2010 and Exchange 2007 Setup creates a self-signed certificate for the server to protect communication with services like SMTP, IMAP, POP, IIS and UM. In Exchange 2007, the certificate is issued for a period of one year. 

In Exchange 2010, the certificate validity period is raised to five years.

The self-signed certificate meets an important need – securing communication paths for Exchange services by default. This is a great development – it ensures that data will not be transferred in the clear by default and all communication is encrypted.

Nevertheless, one should treat these certificates as temporary. Although self-signed certificates work perfectly well for internal SMTP communication between Hub Transport servers, and between Hub Transport and Edge Transport servers, it’s not recommended to use them for any client communication on an ongoing basis. For most deployments, you will end up purchasing a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

Self-signed certificates are great for securing communication by default and handy for test environments. For client communication in production environments, it’s recommended to use certificates signed by a trusted CA.

Should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these will need to be renewed when they expire — just as you would renew certificates from 3rd-party or in-house CAs.

 

This command renews the certificate for server e12postcard.e12labs.com, a server with CAS and HT roles installed:

Get-ExchangeCertificate -domain “e12postcard.e12labs.com” | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate.

Get a new certificate with a new expiration date:

Get-ExchangeCertificate -thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F” | New-ExchangeCertificate

If the existing certificate is being used as the default SMTP certificate, you will get the following prompt. The default SMTP certificate is used to encrypt SMTP sessions between transport servers in your organization.

Confirm Overwrite existing default SMTP certificate,

‘C5DD5B60949267AD624618D8492C4C5281FDD10F’ (expires 8/22/2008 7:20:34 AM), with certificate ’3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E’ (expires 1/28/2009 7:37:31 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is “Y”):

Type y to continue. A new certificate is generated.

Thumbprint Services Subject
———- ——– ——-
3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E ….. CN=E12Postcard

The new certificate is generated and enabled. Examine the new certificate:

Get-ExchangeCertificate -thumbprint “3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E” | fl

 

The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing.

You can enable the certificate for IIS (in addition to any other services it may already be enabled for — it adds to existing values of the certificate’s Services property).

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint “3DA55740509DBA19D1A43A9C7161ED2D0B3B9E3E” -services IIS

Test services are working with the new certificate. If it works as expected, you can remove the old certificate using the EMC or the Remove-ExchangeCertificate cmdlet from the Shell:

Remove-ExchangeCertificate -thumbprint “C5DD5B60949267AD624618D8492C4C5281FDD10F”

Related posts: