At some point in time after you’ve installed an SSL certificate for Exchange Server 2013 you’ll need to renew that certificate. Hopefully you aren’t scrambling to complete this task because your certificate has expired. Most certificate authorities will email you warnings about impending certificate expiry, but the nature of many corporate procurement processes means those reminders often go to some general purchasing team rather than to the technical folks in IT who really need to know about it.
If you’re curious about your current Exchange certificates and their expiry dates you can always run my Exchange certificate report script.
The process for renewing an SSL certificate involves:
- Generating the renewal CSR
- Submitting the CSR to the certificate authority (and paying them of course)
- Installing the certificate that the certificate authority provides to you
An SSL certificate renewal will usually mean you are submitting the CSR to the same CA that you originally acquired the certificate from. If you’re using a different CA this time around you should just generate a new CSR for a brand new certificate instead. Sometimes we just need to switch to a different CA for some reason such as technical issues or customer service.
Note that generating the renewal CSR doesn’t cause any change or interruption to the existing certificate on your server. Also, you do not need to wait until the certificate has expired or is about to expire before you begin the renewal process. Most CAs will add any days still remaining on the certificate to the new certificate as well. For example, if you still have 30 days remaining on your certificate, and you renew it for 1 year, you’ll have 1 year plus 30 days on the new certificate. So renewing your certificate well in advance of it expiring is a good idea since it ensures that you have time to go through any purchasing or payment processes within your organization that may cause a delay.
Open the Exchange Admin Center and navigate to Servers -> Certificates. Select the server that has the expiring certificate and click the Renew link.
Enter the UNC path to a location that the Exchange servers can write to. Typically this will be a network share that has full control permissions granted to the Exchange Trusted Subsystem group, but you can just as easily use one of the system drives on an Exchange server as I’m doing here.
Next, take the CSR contents (you can open the .req file in Notepad if you need to copy/paste them into a web form) and submit them to your CA (such as Digicert). If you’re unsure of the exact steps, check your CA’s support pages for instructions. When you’ve downloaded the new certificate, place the file somewhere that you’ll be able to access via UNC path. The same location used to store the certificate request earlier is an easy choice.
In the Exchange Admin Center select the certificate that has the status of “Pending request”, and click the Complete link.
Enter the UNC path to the certificate file and click OK.
The new certificate will appear in the list. If you’ve got multiple certificates with the same name, the renewed one can usually be identified as the one with the expiry date further in the future. The new certificate may appear enabled for IMAP and POP, which is fine.
Before you enable the new certificate for IIS or SMTP, consider whether the server you’re working on is load-balanced with other Client Access servers. All of those load-balanced CAS need the same SSL certificate, so you should first export the certificate from this server and import it on each of the others.
After you’ve imported the certificate to all of the other servers you can enable the SSL certificate for the necessary services, such as IIS and SMTP.
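The two checks above (pick the renewed certificate among same-named ones, and confirm it is present on every load-balanced CAS before enabling it) can be done from the Exchange Management Shell. The following is an added example, not code from the original post or from the script it mentions; the function names, the server names CAS01/CAS02 and the 30-day threshold are placeholders for your environment.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Server names and thresholds below are placeholders.

# Among certificates that share a subject (the old one and the renewed one),
# return the one whose expiry date is furthest in the future.
function Get-RenewedCertificate {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Subject)
    Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Subject -eq $Subject -and $_.Status -eq 'Valid' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# Confirm the renewed certificate is imported and valid on every load-balanced CAS,
# has enough lifetime left, and still covers every name the old certificate covered.
function Test-RenewedCertificateReady {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$Servers,
        [string[]]$RequiredDomains = @(),
        [int]$MinDaysRemaining = 30
    )
    $ready = $true
    foreach ($server in $Servers) {
        $cert = Get-ExchangeCertificate -Server $server -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { Write-Warning "$server : $Thumbprint not imported yet"; $ready = $false; continue }
        $days     = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })   # normalise to strings
        $missing  = @($RequiredDomains | Where-Object { $domains -notcontains $_ })
        $problems = @()
        if ($cert.Status -ne 'Valid')    { $problems += "status is $($cert.Status)" }
        if ($days -lt $MinDaysRemaining) { $problems += "only $days days remaining" }
        if ($missing.Count -gt 0)        { $problems += "missing names: $($missing -join ', ')" }
        if ($problems.Count -gt 0) { Write-Warning "$server : $($problems -join '; ')"; $ready = $false }
        else { Write-Host "$server : OK, expires $($cert.NotAfter.ToShortDateString()) ($days days)" }
    }
    return $ready
}

# Usage: find the certificate currently bound to IIS, locate its renewal, and only
# enable the renewal for IIS and SMTP once every server passes the check.
$servers = 'CAS01', 'CAS02'                              # placeholder server names
$old = Get-ExchangeCertificate -Server $servers[0] | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$new = Get-RenewedCertificate -Server $servers[0] -Subject $old.Subject
if ($new.Thumbprint -ne $old.Thumbprint -and
    (Test-RenewedCertificateReady -Thumbprint $new.Thumbprint -Servers $servers -RequiredDomains $old.CertificateDomains)) {
    foreach ($s in $servers) { Enable-ExchangeCertificate -Server $s -Thumbprint $new.Thumbprint -Services IIS,SMTP }
}
```

If any server reports a warning, the `Enable-ExchangeCertificate` step is skipped, so fix the import on that server (or the missing name on the certificate) and re-run.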