
Certificate renewal with PowerShell in Exchange 2013

One customer asked us to renew their certificates because users received a pop-up warning when opening the Outlook client.

Their certificate renewal list:

  1. The mail certificate is going to expire in 7 days.
  2. The Microsoft Exchange Server Auth Certificate expired a couple of days ago.
  3. The root CA certificate is going to expire in 7 days.

It's a simple task: navigate to the certificate page, generate a new request file, download the certificate file and complete the renewal. But when I opened the certificate page, I got an error message. I tried various ways to fix it but failed. I still have no idea how to fix it.

So I had to renew the certificates with PowerShell commands.

Viewing All Certificates

Get-ExchangeCertificate | fl friendlyname, certificatedomains, thumbprint, notafter

From the output, "mail2" is going to expire and "Microsoft Exchange Server Auth Certificate" has already expired. We need to renew both.

The Microsoft Exchange Server Auth Certificate is a self-signed, organization-wide certificate. It is generated automatically when you first install Exchange 2013 or a later version, and it is used for server-to-server authentication with applications such as SharePoint and Exchange Online. By default it has a 5-year lifetime, which is long enough for everyone to forget about it.
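Since the Auth certificate is the one everybody forgets, the check below is worth scheduling. It is an added example, not code from the original post: it lists every Exchange certificate with its remaining lifetime, flags the one currently configured as the Auth certificate via Get-AuthConfig, and exits non-zero when anything is expired or within the warning window. The 30-day threshold in $WarnDays is an assumed value; run it in the Exchange Management Shell.

```powershell
# Added example (not the post's code): expiry report for Exchange certificates,
# marking which one is the active server-to-server Auth certificate.
$WarnDays = 30                                   # assumed threshold, adjust to policy
$now      = Get-Date
$deadline = $now.AddDays($WarnDays)

# Thumbprint Exchange is currently using as the Auth (OAuth) certificate
$authThumb = (Get-AuthConfig).CurrentCertificateThumbprint

$report = Get-ExchangeCertificate | ForEach-Object {
    $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
    if     ($_.NotAfter -lt $now)      { $state = 'EXPIRED'  }
    elseif ($_.NotAfter -lt $deadline) { $state = 'EXPIRING' }
    else                               { $state = 'OK'       }

    [pscustomobject]@{
        FriendlyName = $_.FriendlyName
        State        = $state
        DaysLeft     = $daysLeft
        IsAuthCert   = ($_.Thumbprint -eq $authThumb)   # the one this post had to rotate
        SelfSigned   = $_.IsSelfSigned
        Issuer       = $_.Issuer
        Services     = $_.Services
        NotAfter     = $_.NotAfter
        Thumbprint   = $_.Thumbprint
    }
}

$report | Sort-Object NotAfter |
    Format-Table FriendlyName, State, DaysLeft, IsAuthCert, Services, Thumbprint -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent raise an alert
if ($report | Where-Object { $_.State -ne 'OK' }) { exit 1 }
```

Running this as a scheduled task well before the 7-day mark would have caught all three items on the customer's list, including the Auth certificate, which produces no user-visible warning of its own.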

Setting up a New Microsoft Exchange Auth Certificate

Generate a self-signed certificate

Open a new Exchange Management Shell and use this command to create a self-signed certificate. Replace the -DomainName value with your environment's domain name.

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -DomainName "<your domain name>" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP

Assign the newly created self-signed certificate as the global Auth certificate:

$dt = Get-Date
Set-AuthConfig -NewCertificateThumbprint <paste the thumbprint> -NewCertificateEffectiveDate $dt

Publish the new Auth certificate and clear the previous certificate:

Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

Run Get-ExchangeCertificate again and check that the new Auth certificate is listed with its new expiry date.
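The four steps above, put together as one script that also verifies the result. This is an added example, not the post's own code: it captures the thumbprint from the New-ExchangeCertificate output instead of pasting it by hand, and then confirms through Get-AuthConfig that the organization really switched to the new certificate. $Domain is an assumed placeholder that you replace with your own domain name.

```powershell
# Added example (not the post's code): rotate the Microsoft Exchange Server Auth
# Certificate end to end and verify the result. Run in the Exchange Management Shell.
$Domain   = 'mail.example.com'   # assumed placeholder, replace with your domain name
$authName = 'Microsoft Exchange Server Auth Certificate'

# 1. Create the new self-signed certificate; keep the object so we have its thumbprint
$newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=$authName" -DomainName $Domain -FriendlyName $authName -Services SMTP

# 2. Stage it as the next Auth certificate, effective now
Set-AuthConfig -NewCertificateThumbprint $newCert.Thumbprint -NewCertificateEffectiveDate (Get-Date)

# 3. Publish it organization-wide and drop the expired previous certificate
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# 4. Verify: the current thumbprint must now be the certificate created in step 1
$cfg = Get-AuthConfig
if ($cfg.CurrentCertificateThumbprint -ne $newCert.Thumbprint) {
    throw "Auth certificate not activated; current thumbprint is $($cfg.CurrentCertificateThumbprint)"
}
Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint |
    Format-List FriendlyName, Subject, NotBefore, NotAfter, Services, Thumbprint
```

The verification at the end is the part worth keeping: Set-AuthConfig accepts a thumbprint without complaint, so checking CurrentCertificateThumbprint afterwards is the only way to be sure the new certificate is in use rather than merely staged.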

Renew the CA root certificate

The CA certificate must be renewed first, because other certificates such as mail2 are issued by the CA. If you renew the mail2 certificate first, the lifetime of mail2 will be capped at the lifetime of the CA certificate. For example, in this case the CA certificate and mail2 were both due to expire on the same day, 12/09/2019: when mail2 was renewed and imported, its expiry date was still the same. That's the mistake I made.

Open Certification Authority, then select the server -> All Tasks -> Renew CA Certificate.

Because we only need to extend the lifetime of the certificate, I chose "No".

After the CA certificate renewal, you can see the full CA renewal history in the console.

Renew the mail2 Certificate

The certificate request data is returned in PowerShell and also saved to a file in the shared folder (UNC path).

Get-ExchangeCertificate -Thumbprint 559642FCD3DD4769D79A457D11875AF9E6E49F3C | New-ExchangeCertificate -GenerateRequest -RequestFile "\\cqserver\Renewcertificate2016\certreq.txt" -PrivateKeyExportable:$true
In some cases your third-party certificate provider will ask you to paste the request into their system for processing. In our case we do not use a third-party certificate, so we request it from our own CA server; you can find how to request a certificate from here.

Import the certificate:

Import-ExchangeCertificate -FileName "\\cqserver\Renewcertificate2016\.cer" -PrivateKeyExportable:$true

Enable services for the new certificate:

Enable-ExchangeCertificate -Thumbprint 5B3E95B2380F764F3C4CAC0B67D2C5DB30C1954F -Services "IIS,SMTP,POP,IMAP"

Restart IIS and verify.
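The mail2 renewal steps above, combined with a guard for the pitfall described in the CA section (a renewed certificate cannot outlive the CA certificate that signs it). This is an added example, not the post's own code. The old thumbprint and the UNC folder are the post's values; the file name mail2.cer, the policy threshold $MinDays, and the lookup of the issuing CA in the local machine store by matching Subject to the old certificate's Issuer are assumptions.

```powershell
# Added example (not the post's code): renew a CA-issued Exchange certificate, refusing
# to proceed when the issuing CA itself is about to expire. Run in the Exchange Management Shell.
$OldThumb = '559642FCD3DD4769D79A457D11875AF9E6E49F3C'          # from the post
$ReqFile  = '\\cqserver\Renewcertificate2016\certreq.txt'       # from the post
$CerFile  = '\\cqserver\Renewcertificate2016\mail2.cer'         # assumed file name
$MinDays  = 365                                                 # assumed policy threshold

$old = Get-ExchangeCertificate -Thumbprint $OldThumb

# Guard: locate the issuing CA certificate in the local stores and check its remaining lifetime.
# If the CA expires too soon, renew the CA first; otherwise the new certificate inherits its date.
$ca = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -eq $old.Issuer } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca) { throw "Issuing CA certificate '$($old.Issuer)' not found in the local store" }
if ($ca.NotAfter -lt (Get-Date).AddDays($MinDays)) {
    throw "CA certificate expires $($ca.NotAfter); renew the CA before requesting a new server certificate"
}

# 1. Generate the renewal request, re-using the subject and domains of the old certificate
$old | New-ExchangeCertificate -GenerateRequest -RequestFile $ReqFile -PrivateKeyExportable:$true

# 2. Submit $ReqFile to the CA out of band, save the issued certificate as $CerFile, then import it
$new = Import-ExchangeCertificate -FileName $CerFile -PrivateKeyExportable:$true

# 3. Make sure the new certificate actually gained lifetime before moving services to it
if ($new.NotAfter -le $old.NotAfter) {
    throw "New certificate expires $($new.NotAfter), no later than the old one; check the CA lifetime"
}

# 4. Bind the same services as before (-Force skips the default-SMTP overwrite prompt) and restart IIS
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force
iisreset /noforce

Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List FriendlyName, CertificateDomains, Issuer, NotAfter, Services, Thumbprint
```

Step 3 is the check that would have caught the mistake described earlier: comparing NotAfter of the imported certificate against the old one before Enable-ExchangeCertificate means a certificate that silently inherited the CA's old expiry date never gets bound to IIS, SMTP, POP or IMAP.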
