
Exchange Server 2016 Migration – Reviewing SSL Certificates

As you plan the migration to Exchange Server 2016, you should first perform a review of your client access namespaces before you move on to planning for SSL certificates.

Exchange 2016 will install with a self-signed SSL certificate, but that certificate is not suitable for client connectivity as it will fail validation. Not only is the self-signed certificate untrusted by your clients, but it will not contain the namespaces that you’re using in your Exchange environment.

Fortunately, for most organizations the existing SSL certificate being used for Exchange 2010 or 2013 can be re-used, provided that:

  • It contains the namespaces that you’re planning to use for Exchange 2016
  • It has been issued by a trusted certificate authority such as Digicert
  • It hasn’t expired

You can review the current SSL certificates in the environment by running my Exchange certificate report script and reviewing the HTML report that it produces.


There is one additional consideration. In some environments the existing certificates will be signed with SHA-1, which is being phased out. If SHA-1 certificates are installed on your Exchange servers you should consider replacing them, either on the existing servers in readiness for the migration to Exchange 2016, or by installing a new certificate on your Exchange 2016 server. Contact your certificate provider first, as they will often re-issue a SHA-1 certificate as a SHA-2 certificate for free.
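The three re-use conditions listed above, together with the SHA-1 check, can be scripted against Get-ExchangeCertificate from the Exchange Management Shell. This is an added example rather than my certificate report script; the namespace list is a placeholder for whatever your namespace review produced, and the wildcard matching is a simplification (one label only).

```powershell
# Added example, not part of the original post or its report script.
# Placeholder namespaces: replace with the names from your own namespace review.
$ExpectedNamespaces = @('mail.example.com', 'autodiscover.example.com')
$Server = $env:COMPUTERNAME   # run on each Exchange server, or pass a server name

function Test-NamespaceCovered {
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard entry covers exactly one label to its left (*.example.com -> mail.example.com)
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# Only certificates bound to client-facing services matter for the migration
$certs = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }

foreach ($cert in $certs) {
    $issues  = @()
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    # 1. Does it contain every namespace planned for Exchange 2016?
    $missing = $ExpectedNamespaces | Where-Object { -not (Test-NamespaceCovered $_ $domains) }
    if ($missing) { $issues += "missing namespaces: $($missing -join ', ')" }

    # 2. Trusted issuer? Self-signed or otherwise untrusted certificates fail client validation
    if ($cert.IsSelfSigned)        { $issues += 'self-signed' }
    if ($cert.Status -ne 'Valid')  { $issues += "status $($cert.Status)" }

    # 3. Expiry: flag expired, and also anything expiring before a migration would finish
    if ($cert.NotAfter -lt (Get-Date))               { $issues += "expired $($cert.NotAfter.ToShortDateString())" }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays(90)) { $issues += "expires soon $($cert.NotAfter.ToShortDateString())" }

    # 4. Signature algorithm: read the X509Certificate2 from the machine store by thumbprint
    $x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if ($x509.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $issues += "signed with $($x509.SignatureAlgorithm.FriendlyName); re-issue as SHA-2"
    }

    [PSCustomObject]@{
        Server     = $Server
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Services   = $cert.Services
        ReusableFor2016 = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv to compare servers side by side; a certificate with an empty Issues column meets all of the conditions above.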

In the next part of this series we’ll look at additional information to collect from your Exchange environment when planning a migration to Exchange 2016.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.


  1. Tamang says:

    I am in a disconnected environment and use an internal CA-issued certificate for Exchange using SHA-1. Do I have to use SHA-2 too?



  2. Lakshmi Anand K says:

    Thanks for the great series! I am migrating from a SBS 2011 environment to W2016 & Exchange 2016. It has a MyCompanyName.local FQDN. There was an internal AD CS CA running on the SBS 2011 machine. As a part of the migration, I have installed a new root CA on a dedicated machine.

    Now, using your script, I can see that only one Kerberos authentication certificate is from the new root CA, with a blank subject name. I see a lot of other servers having different subject names. There are certificates that are not shown as used for SMTP, IIS, POP, IMAP or UM. Being a part-time admin, I am unable to make sense of which is which.

    As with your other posts, which are all great, can you please include in this post too a little more information on what the expected configuration is, and how to fix it?
