Renewing a Certificate

  • Renewing a Certificate

    Would someone be able to provide some guidance, upfront info on renewing certificates as I've never renewed a certificate on an Exchange Server (although a while back I worked with someone renewing a GoDaddy one for Exchange and the process was very painful).

    I can see our EXCH2010 server has these two active (and a GoDaddy but that's 2016) which are due to expire shortly.

    [Screenshot: Exchange Certificates2.png]

    Is it just a case of selecting renew for both of them even though one is self-signed, or is there a little more to it? I'd like to understand in more detail what they are and how they differ before I start the process. Read plenty of stuff on the net but I always end up back here for some clear detail.

  • #2
    FWIW, I have found it easier not to attempt to renew public certificates, just create a new request and, once installed, remove the old certificate.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland



    • #3
      The second one in your screen shot is the default self-signed certificate in Exchange and you can ignore that one. The first one is a commercial certificate which is bound to SMTP. You can right click it, select "Renew Certificate" and follow the wizard. I'm assuming that your GoDaddy certificate is bound to IMAP, POP and IIS. Certificates are bound to specific services so it looks like you've got one certificate bound to the SMTP service and another certificate (GoDaddy certificate not shown) bound to IMAP, POP and IIS. If it were me, I'd bind SMTP to the GoDaddy certificate and get rid of the one in your screenshot.



      • #4
        To me, it looks like you have two self-signed certificates, one created by Exchange and one created by something else.
        Don't renew either of them.
        Simply open an EMS prompt, then run:

        new-exchangecertificate

        no further prompts or anything. It will then ask you if you want to replace the default SMTP certificate. Say yes.
        Those two can then be removed, leaving the new Exchange certificate and the GoDaddy certificate.

        I am with Ossian here - I never renew a certificate, always create a new one.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.


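The inventory-then-replace approach described in posts #3 and #4, as an added example that is not part of any post in this thread. It is meant for the Exchange Management Shell on the Exchange 2010 server; the 60-day warning window and the placeholder thumbprint are assumptions, not values from the thread.

```powershell
# Added example: run in the Exchange Management Shell (EMS).
# $warnDays is an assumed warning window, not a value from the thread.
$warnDays = 60
$cutoff   = (Get-Date).AddDays($warnDays)

# 1. Inventory every certificate: who issued it, whether it is self-signed,
#    which services (SMTP, IIS, IMAP, POP) it is bound to, and when it expires.
$certs = Get-ExchangeCertificate
$certs | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, Issuer, IsSelfSigned, Services, NotAfter -AutoSize

# 2. Flag certificates that are bound to at least one service and expire
#    inside the warning window. These are the ones that need a replacement.
$expiring = $certs | Where-Object {
    $_.NotAfter -lt $cutoff -and "$($_.Services)" -ne 'None'
}
foreach ($c in $expiring) {
    $kind = if ($c.IsSelfSigned) { 'self-signed' } else { "issued by $($c.Issuer)" }
    $days = [int]($c.NotAfter - (Get-Date)).TotalDays
    Write-Warning "$($c.Thumbprint) ($kind) bound to [$($c.Services)] expires in $days days"
}

# 3. Create a fresh self-signed certificate instead of renewing.
#    EMS prompts before it replaces the default SMTP certificate.
$new = New-ExchangeCertificate

# 4. Confirm the new certificate carries SMTP before touching the old ones.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Issuer, IsSelfSigned, Services, NotAfter

# 5. Remove a superseded certificate. The thumbprint below is a placeholder:
#    copy the real value from the step 1 output. -WhatIf shows what would be
#    removed without removing it; drop it once the target is confirmed.
$oldThumbprint = '<THUMBPRINT-OF-OLD-CERTIFICATE>'
Remove-ExchangeCertificate -Thumbprint $oldThumbprint -WhatIf
```

Steps 1 and 2 are read-only and can be run on their own to see how the certificates differ before anything is changed.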

        • #5
          Thanks for the info guys.

          The top one (Exchange 2010 Certificate Internal, Self Signed = false) was issued by our DC.
          The bottom one (Microsoft Exchange, Self Signed = True) was issued by our Exchange server.

          Can anyone explain why there would be two, both SMTP, but created and issued differently?

          I don't want to be creating a new one and screwing anything up.

          Thanks

          Mark



          • #6
            The first one is not something that happens automatically. You must have an internal CA on that machine for the certificate to be issued - which is what I stated in my response above. Therefore someone has requested that certificate.

            Simon.


            • #7
              Thanks Simon, so all I have to do is as per your previous response?

              Is it something that I can invoke before the expiration date?
