Renewing that pesky “Microsoft Exchange” certificate

  

 You know the one I am taking about. The self-signed certificate with a friendly name of “Microsoft Exchange” that each server issues by itself to itself. They are valid for 5 years , then suddenly, they are not. When on-premises was king, you rarely saw any questions about these. They just worked – and as companies upgraded, new ones were created on the new version servers, mailboxes were moved and the old certificates disappeared as the servers were retired.

Today, as more migrate to Exchange Online, these old 2010/2013 servers seem to be kept around longer during the migration,  frozen in time and are now bumping into that 5 year certificate lifetime.

So why renew it? It doesn’t appear to be doing anything. Well Sir or Madam, that is the certificate bound to the “Exchange Back End”  IIS site and essentially secures all the internal communications. 

undefined

If it expires, you could start experiencing the following side effects:

Dizziness

Dry Mouth

Exchange Powershell errors

Inability to open EAC

Errors in the event logs such as :

event log errors

See that :444? That’s the backed port number 

To fix: 

NOTE: Some have mentioned in the comments below that these steps also removed the IIS service from the public SSL certificate. To fix: Once done: Reassign IIS to the public cert…In other words, the 3rd party certificate clients use to connect to Exchange…

First, simply renew the certificate. You can do this in Powershell or EAC by highlighting the “Microsoft Exchange” certificate and clicking Renew.

Second, you’ll want the server itself to trust this new self-signed certificate. Nicely enough, the original Exchange setup program does this for you. When you renew the self-signed certificate, not so much. Once that new certificate is created, open MMC and add the Certificates snap-in on that server. From there, choose the “Computer Account” and then “Local Computer”. 

Copy the new certificate from Personal/Certificates to Trusted Root Certificate Authorities/Certificates. If you access the properties on the new certificate and go to the “Certification Path” tab, it should show as OK.

Third, add the new certificate to the Back-end Binding and run IISRESET.

From the article I first linked above. Do the following:

  • Start IIS Manager on the Mailbox Server.
  • Expand Site, highlight Exchange Back End, and select Bindings from the Actions pane in the right side column.
  • Select Type https on Port 444.
  • Click Edit and select the Microsoft Exchange certificate.
  • From an administrator command prompt, run IISReset. ( Do this off-hours if this a standalone Exchange Server. If you are using a DAG, then move all the databases to other servers and have at it)

You’ll go from this:

PickCertBindings

To this:

BackEndUpdated

You are done for another 5 years. 

Published by adavid6

Grumpy Old Exchange MVP. My old site was lost: https://web.archive.org/web/20180307110652/http://no-one-uses-email-anymore.com/ I have been an Exchange MVP since 2002. I also had the honor of naming “You had me at EHLO” for the Exchange Product Group Blog way back in the early 2000s. I attempt to answer forum questions on TechNet: https://social.technet.microsoft.com/profile/andy%20david/ and can be found on Twitter: https://twitter.com/adavid6 Reddit: https://www.reddit.com/user/adavid1608 Microsoft Tech Community: https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/86

12 thoughts on “Renewing that pesky “Microsoft Exchange” certificate

  1. Absolutely perfect article, I spoke to MS twice to ensure I didn’t create an outage, sure enough their process was way off. I followed the above article and it worked perfectly. Thank you!

    Liked by 1 person

  2. This is the best post i have seen in a while! After trying 20 different solutions that didn’t work, your post helped me solve the problem in 5 minutes! You, my sir, are a genius! Than you a million times!

    Like

  3. Very nice article, Thanks for sharing
    In my case, even after setting up the Exchagne Certificate on the Backend IIS, the Default WebSite \443 lost its certificate, so I needed to point it to the original certificate and things are working fine now

    Like

  4. Thanks for the procedure. One word of warning; when I did this, it removed the IIS service from my public SSL cert and of course, because of that, was giving certificate errors when trying to log into OWA or ECP.

    Quick fix by reassigning IIS to the public cert, but wanted to mention it.

    Like

    1. This happened to me as well. I did not notice it though until I tried to migrate a mailbox to Exchange online. We are in a Hybrid Exchange deployment. Exchange on premises could not verify the MSR proxy service due to a certificate issue. Reassign IIS to my Go Daddy cert and am doing a migration now!

      Like

  5. I have to give you credit, this was perfect. If only Micro$oft could spend some of their billions on similar documentation so IT people don’t have to scour the Internet for gems such as this, the world would be a lot better place.

    Like

  6. I wish there was a way to update the backend certificate through powershell. This can only be completed remotely if the Exchange server is running on server core.

    Like

Leave a Reply to adavid6 Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: