You know the one I am taking about. The self-signed certificate with a friendly name of “Microsoft Exchange” that each server issues by itself to itself. They are valid for 5 years , then suddenly, they are not. When on-premises was king, you rarely saw any questions about these. They just worked – and as companies upgraded, new ones were created on the new version servers, mailboxes were moved and the old certificates disappeared as the servers were retired.
Today, as more migrate to Exchange Online, these old 2010/2013 servers seem to be kept around longer during the migration, frozen in time and are now bumping into that 5 year certificate lifetime.
So why renew it? It doesn’t appear to be doing anything. Well Sir or Madam, that is the certificate bound to the “Exchange Back End” IIS site and essentially secures all the internal communications.
If it expires, you could start experiencing the following side effects:
Exchange Powershell errors
Errors in the event logs such as :
See that :444? That’s the backed port number
NOTE: Some have mentioned in the comments below that these steps also removed the IIS service from the public SSL certificate. To fix: Once done: Reassign IIS to the public cert…In other words, the 3rd party certificate clients use to connect to Exchange…
First, simply renew the certificate. You can do this in Powershell or EAC by highlighting the “Microsoft Exchange” certificate and clicking Renew.
Second, you’ll want the server itself to trust this new self-signed certificate. Nicely enough, the original Exchange setup program does this for you. When you renew the self-signed certificate, not so much. Once that new certificate is created, open MMC and add the Certificates snap-in on that server. From there, choose the “Computer Account” and then “Local Computer”.
Copy the new certificate from Personal/Certificates to Trusted Root Certificate Authorities/Certificates. If you access the properties on the new certificate and go to the “Certification Path” tab, it should show as OK.
Third, add the new certificate to the Back-end Binding and run IISRESET.
From the article I first linked above. Do the following:
- Start IIS Manager on the Mailbox Server.
- Expand Site, highlight Exchange Back End, and select Bindings from the Actions pane in the right side column.
- Select Type https on Port 444.
- Click Edit and select the Microsoft Exchange certificate.
- From an administrator command prompt, run IISReset. ( Do this off-hours if this a standalone Exchange Server. If you are using a DAG, then move all the databases to other servers and have at it)
You’ll go from this:
You are done for another 5 years.