How to … Renew Certificates in Exchange Server 2010

In today’s post we go over the process of renewing a certificate in Exchange Server 2010.

For this blog post I’m going to use DigiCert, and you can use the same link during the renewal process.

Before starting, I would like to go over a few key points that may help you during your renewal process:

  • You should renew before the expiration date of the certificate. Let’s say that your certificate is going to expire 1 month from now: you can start renewing your servers at your own pace before the due date without any issues.
  • In a multiple-server environment, you can have some servers using the old certificate and others using the renewed one without any issues.
  • You are deploying a new certificate as a result of this blog post, so make sure that you check the intermediate certificates and the certificate chain of the new certificate.
  • If you receive a red icon when adding your new certificate, then you need to work on the intermediate CAs to make sure that the certificate is valid before assigning services to it.
  • If you are using SCOM, you will probably be informed that your certificate is about to expire. That is a good indication to start preparing your renewal process.

Step 01: Identifying your current certificates…

Using the Exchange Management Console, click on Server Configuration; after you select the desired server, all of its certificates are listed.


Step 02: Renewing the Certificate

Let’s right-click on the certificate that is about to expire and then click on Renew Exchange Certificate…


On the Renew Exchange Certificate page, define a file that will contain the renewal request (.req extension) and click on Renew.

On the Completion page we get a summary of the cmdlet that will be used to renew the certificate; let’s click on Finish.


As a result of that new request, a new entry is listed, and in the Status column we see “This is a pending certificate signing request”.


Step 03: Completing the request

Now that we have a new request, we need to follow these basic steps:

  1. Log on to the DigiCert web page (or that of any other public CA that you use)
  2. Click on Renew on your existing certificate
  3. In the second step of the wizard, make sure that you select the option indicating that you have a CSR. In the new dialog box, select which version of Exchange Server you are using (in today’s post, Exchange Server 2010) and then paste the content of the CSR generated in the previous step


The new request will be submitted and you (or the administrator) will receive the new certificate confirmation by e-mail. Download that file and extract it on the Exchange Server where we created the new request (Step 01 and Step 02).

Step 04: Completing the renewal process

Now that we have the new certificate, let’s right-click on the pending request and click on Complete pending request…


On the Introduction page, click Browse, select the .cert file that was provided by your public certification authority (in our case DigiCert), and click Complete.


On the Completion page, just click on Finish.


Step 05: Assigning services to the renewed certificate

Finally, the last step of our journey to renew a certificate: now that the certificate shows in the list, we can right-click on it and then select Assign services to Certificate…


On the Select Services page, make sure that you select at least the same services that you had on the previous certificate, and finish the wizard.


After that you can access the Exchange services and the certificate presented should be the new one (just check the validity of the certificate). A good test is to open Outlook Web App and check the initial page of the certificate properties (the figure below is from Office 365).
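
The same five steps can be run from the Exchange Management Shell. The script below is an added example, not part of the original post: the thumbprint and file paths are placeholders, and it assumes the file issued by the CA has been saved to $certFile before the second run.

```powershell
# Added example: Exchange Management Shell on the Exchange 2010 server.
# The thumbprint and file paths are placeholders, not values from the post.
$ErrorActionPreference = 'Stop'
$oldThumbprint = '<THUMBPRINT-OF-EXPIRING-CERTIFICATE>'
$reqFile  = 'C:\Certs\renew.req'     # CSR to paste into the CA renewal wizard
$certFile = 'C:\Certs\renewed.cer'   # file received from the CA (Step 03)

# Step 01: list certificates, soonest expiry first, to find the thumbprint
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Status, Services, Subject -AutoSize

$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint

if (-not (Test-Path $certFile)) {
    # Step 02: build the renewal request from the existing certificate
    $csr = $old | New-ExchangeCertificate -GenerateRequest
    Set-Content -Path $reqFile -Value $csr
    Write-Host "Submit $reqFile to the CA, save the reply as $certFile, run again."
}
else {
    # Step 04: complete the pending request with the file issued by the CA
    $bytes = [Byte[]](Get-Content -Path $certFile -Encoding Byte -ReadCount 0)
    $imported = Import-ExchangeCertificate -FileData $bytes
    $new = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

    # Do not assign services unless Exchange reports the certificate as Valid;
    # otherwise fix the intermediate CA chain first, as the key points advise.
    if ("$($new.Status)" -ne 'Valid') {
        throw "Renewed certificate status is '$($new.Status)'; check the chain."
    }

    # Step 05: assign the same services the old certificate had
    # (the Services value is passed in its string form, e.g. "IIS, SMTP")
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "$($old.Services)"

    # Show old and new side by side to confirm the services match
    Get-ExchangeCertificate |
        Where-Object { @($old.Thumbprint, $new.Thumbprint) -contains $_.Thumbprint } |
        Format-Table Thumbprint, NotAfter, Status, Services -AutoSize
}
```

The first run writes the request file and stops; the second run, once the CA's file is in place, imports it and refuses to assign services unless the certificate status is Valid.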