
Complete Certificate Renewal SOP

This is a tested production workflow for renewing Exchange 2016/2019 certificates.

Overview Steps

  1. Create a new certificate signing request (CSR)
  2. Upload the CSR to your certificate provider
  3. Download the processed certificate from your certificate provider
  4. Install the certificate on Exchange
  5. Assign Exchange services to the new certificate on each server
  6. Delete the old certificate
  7. Export the new certificate to a PFX file
  8. Import the certificate to all other Exchange servers

Step-by-Step Commands

1. List Current Certificates

Get-ExchangeCertificate | Where {$_.IsSelfSigned -eq $false} |
Format-List FriendlyName, CertificateDomains, Thumbprint, NotAfter

Purpose: Identify the certificate to renew and note its thumbprint.

2. Generate Certificate Signing Request (CSR)

$certrequest = Get-ExchangeCertificate -Thumbprint B26C3C9B30A2A7371767275043816466CB921738 |
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable:$true

Important: Replace the thumbprint with your actual certificate thumbprint from step 1.

Note: -PrivateKeyExportable:$true is critical for exporting to other servers later.

3. Save CSR to File

[System.IO.File]::WriteAllBytes('\\EX19-01\C$\Users\<user>\Desktop\certrequest.txt',
[System.Text.Encoding]::Unicode.GetBytes($certrequest))

Modify:

  • Replace EX19-01 with your server name
  • Replace <user> with your username
  • Update the path as needed

Next: Submit this certrequest.txt file to your Certificate Authority (CA).

4. Verify Current Certificate Status

Get-ExchangeCertificate | Format-Table Subject, Status

Purpose: Check that the pending request shows up correctly.

5. Import the New Certificate

After receiving the certificate file from your CA:

Import-ExchangeCertificate -FriendlyName mail.exchangeservergeek.com `
-FileData ([System.IO.File]::ReadAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.cer')) `
-PrivateKeyExportable $true

Modify:

  • Update FriendlyName to match your domain
  • Update file path to your certificate file location
  • Keep -PrivateKeyExportable $true for multi-server environments

Important: The certificate file might be .cer, .crt, or .pem depending on your CA.

6. Verify New Certificate Import

Get-ExchangeCertificate | Format-Table Subject, Thumbprint, NotAfter

Action: Note the new certificate's thumbprint for the next steps.

7. Enable Services on New Certificate

Enable-ExchangeCertificate -Server EX19-01 `
-Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-Services IIS,SMTP

Modify:

  • Replace EX19-01 with your server name
  • Replace thumbprint with the new certificate thumbprint from step 6
  • Services: IIS for web services (OWA, ECP, etc.), SMTP for mail flow

Warning: This will prompt for confirmation as it affects active services.

8. Verify Service Assignment

Get-ExchangeCertificate | Where {$_.IsSelfSigned -eq $false} |
Format-List FriendlyName, Thumbprint, NotAfter, Services

Check: Confirm the new certificate shows SMTP, IIS in the Services field.

9. Export Certificate to PFX

$cert = Export-ExchangeCertificate -Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-BinaryEncoded -Password (Get-Credential).password

Action: You will be prompted to enter a password for the PFX file. Remember this password!

Replace: Update thumbprint with your new certificate thumbprint.

10. Save PFX File

[System.IO.File]::WriteAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.pfx',
$cert.FileData)

Modify: Update the file path and filename as needed.

Result: You now have a PFX file that can be imported to other Exchange servers.

11. Import to Additional Exchange Servers

Import-ExchangeCertificate -Server EX19-02 `
-FileData ([System.IO.File]::ReadAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.pfx')) `
-Password (Get-Credential).password `
-PrivateKeyExportable $true

Modify:

  • Replace EX19-02 with your second server name
  • Update file path to the PFX file from step 10
  • Enter the same password you used in step 9

Repeat: Run this command for each additional Exchange server in your environment.

Then enable services on each server:

Enable-ExchangeCertificate -Server EX19-02 `
-Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-Services IIS,SMTP

12. Remove Old Certificate

ONLY after verifying the new certificate works:

Remove-ExchangeCertificate -Server EX19-01 `
-Thumbprint B26C3C9B30A2A7371767275043816466CB921738

Modify:

  • Replace with your old certificate thumbprint (from step 1)
  • Repeat for each server

Warning: Do NOT remove the old certificate until you've verified mail flow and client access with the new certificate.

Hybrid Configuration Updates

Check Hybrid Configuration

Get-HybridConfiguration | Format-List

Purpose: Verify current hybrid send connector configuration.

Update Send Connector Certificate (Hybrid/M365)

1. Check Current Send Connector

Get-SendConnector | Select Name, TlsCertificateName

2. Prepare New Certificate Name

Get-ExchangeCertificate | Format-Table Subject, Thumbprint, NotAfter

$tlscert = Get-ExchangeCertificate -Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35
$tlscertname = ('<I>' + $tlscert.Issuer + '<S>' + $tlscert.Subject)

Replace: Use your new certificate thumbprint.

3. Update Send Connector

Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname

Modify: Replace "Outbound to Office 365" with your actual send connector name.

Verify:

Get-SendConnector | Select Name, TlsCertificateName
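A check for the failure mode this section is guarding against (a TlsCertificateName that does not resolve to a usable certificate on every server the connector sends from), written as an added example that is not part of the original SOP. It parses the `<I>Issuer<S>Subject` string exactly as the procedure builds it and compares issuer and subject literally, so a stray space shows up as a mismatch rather than being hidden. The connector name is a placeholder and the Exchange Management Shell is assumed to be loaded:

```powershell
# Added example, not from the original SOP. Verifies that a send connector's
# TlsCertificateName resolves to exactly one installed, unexpired, SMTP-enabled
# certificate on each of the connector's source transport servers.
function Test-SendConnectorTlsCertificate {
    param(
        [Parameter(Mandatory)] [string] $ConnectorName   # e.g. "Outbound to Office 365" (placeholder)
    )

    $connector = Get-SendConnector -Identity $ConnectorName
    $name = [string] $connector.TlsCertificateName       # renders as <I>Issuer<S>Subject

    if ([string]::IsNullOrEmpty($name)) {
        return [pscustomobject]@{ Connector = $ConnectorName; Server = '-'; Result = 'NoTlsCertificateName'; Thumbprint = $null }
    }

    # The transport service compares issuer and subject literally, so the string is
    # split without trimming; a stray space is reported as a mismatch, not hidden.
    if ($name -notmatch '^<I>(.+)<S>(.+)$') {
        return [pscustomobject]@{ Connector = $ConnectorName; Server = '-'; Result = 'MalformedName'; Thumbprint = $null }
    }
    $issuer  = $Matches[1]
    $subject = $Matches[2]
    $now     = Get-Date

    foreach ($server in $connector.SourceTransportServers) {
        $candidates = @(Get-ExchangeCertificate -Server $server.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject })

        # Of the certificates with that exact name, only one that is inside its validity
        # period and has SMTP enabled can actually serve the connector.
        $usable = @($candidates | Where-Object {
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.Services -match 'SMTP'
        })

        $result = if ($candidates.Count -eq 0) { 'NoMatchingCertificate' }
                  elseif ($usable.Count -eq 0) { 'MatchedButExpiredOrSmtpNotEnabled' }
                  elseif ($usable.Count -gt 1) { 'AmbiguousMultipleUsable' }
                  else                         { 'OK' }

        [pscustomobject]@{
            Connector  = $ConnectorName
            Server     = $server.Name
            Result     = $result
            Thumbprint = ($usable | Select-Object -First 1).Thumbprint
        }
    }
}

# Usage (connector name is a placeholder):
Test-SendConnectorTlsCertificate -ConnectorName 'Outbound to Office 365' | Format-Table -AutoSize
```

Because TlsCertificateName carries only issuer and subject, a renewal from the same CA with the same subject matches both the old and the new certificate until the old one is removed in step 12; the check reports that state as ambiguous rather than picking one silently.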

Reset Certificate (If Needed)

If you need to clear the certificate assignment:

Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $null

Post-Renewal Checklist

  • New certificate imported on all Exchange servers
  • Services (IIS, SMTP) enabled on all servers
  • Hybrid send connector updated (if applicable)
  • OWA/ECP accessible via HTTPS
  • Outlook clients connecting successfully
  • Test emails sent and received
  • Old certificate removed from all servers
  • Certificate expiry monitoring updated
  • Documentation updated with new thumbprint
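The first three and the last-but-two items of this checklist can be verified from the shell in one pass. The following is an added example, not code from the original SOP: it walks every Mailbox server, reports whether the new certificate is installed, which required services are still missing, how many days of validity remain, and whether the old certificate is still present. The thumbprints are the placeholders used throughout this procedure and the Exchange Management Shell is assumed to be loaded:

```powershell
# Added example, not from the original SOP. Reports the rollout state of the renewed
# certificate on every Mailbox server so the post-renewal checklist can be ticked off
# from evidence rather than memory. Thumbprints are the procedure's placeholders.
function Get-CertificateRolloutStatus {
    param(
        [Parameter(Mandatory)] [string] $NewThumbprint,
        [string]   $OldThumbprint,
        [string[]] $RequiredServices = @('IIS', 'SMTP'),
        [int]      $MinimumDaysRemaining = 30
    )

    $now = Get-Date
    # Edge Transport servers are not reachable this way, so only Mailbox servers are checked.
    foreach ($server in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
        $certs = @(Get-ExchangeCertificate -Server $server.Name -ErrorAction SilentlyContinue)
        $new   = $certs | Where-Object { $_.Thumbprint -eq $NewThumbprint }
        $oldStillPresent = if ($OldThumbprint) {
            [bool]($certs | Where-Object { $_.Thumbprint -eq $OldThumbprint })
        } else { $null }

        if (-not $new) {
            [pscustomobject]@{
                Server = $server.Name; Installed = $false; MissingServices = ($RequiredServices -join ',')
                DaysRemaining = $null; OldStillPresent = $oldStillPresent; Status = 'NEW CERT MISSING'
            }
            continue
        }

        # Services is a flags-style value that formats as e.g. "IMAP, POP, IIS, SMTP".
        $enabled = $new.Services.ToString() -split ',\s*'
        $missing = @($RequiredServices | Where-Object { $enabled -notcontains $_ })
        $days    = [int][math]::Floor(($new.NotAfter - $now).TotalDays)

        $status = if ($missing.Count -gt 0)                { 'SERVICES NOT ENABLED' }
                  elseif ($days -lt $MinimumDaysRemaining) { 'EXPIRING SOON' }
                  elseif ($oldStillPresent)                { 'OK, OLD CERT STILL PRESENT' }
                  else                                     { 'OK' }

        [pscustomobject]@{
            Server          = $server.Name
            Installed       = $true
            MissingServices = ($missing -join ',')
            DaysRemaining   = $days
            OldStillPresent = $oldStillPresent
            Status          = $status
        }
    }
}

# Usage (thumbprints are the placeholders used throughout this procedure):
Get-CertificateRolloutStatus -NewThumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
                             -OldThumbprint B26C3C9B30A2A7371767275043816466CB921738 |
    Format-Table -AutoSize
```

Run it once before step 12 (every server should read OK, OLD CERT STILL PRESENT) and once after (every server should read OK); any NEW CERT MISSING or SERVICES NOT ENABLED row points at a server where step 11 was skipped or only half applied.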

Testing

# Test Outlook connectivity
Test-OutlookWebServices -ClientAccessServer mail.contoso.com -MailboxCredential (Get-Credential)

# Test SMTP connectivity on the receive connectors (-Identity takes a server, not a client access hostname)
Test-SmtpConnectivity -Identity EX19-01

# Check message queue
Get-Queue | Where {$_.MessageCount -gt 0}

# Verify certificate in use
Get-ExchangeCertificate | Where {$_.Services -match "SMTP"} |
Format-Table Subject, Thumbprint, NotAfter, Services
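Get-ExchangeCertificate reports what is configured; it does not show what a client or a sending mail server is actually handed during the TLS handshake. The function below is an added example, not code from the original SOP: it connects from the outside, on HTTPS directly and on SMTP after EHLO/STARTTLS, and returns the presented certificate's thumbprint, its chain trust as evaluated by the local machine, and whether it matches the thumbprint you expect. Host names and the expected thumbprint are placeholders; it needs no Exchange cmdlets and can be run from any Windows machine that can reach the namespace:

```powershell
# Added example, not from the original SOP. Reports the certificate actually presented on
# HTTPS (443) and on SMTP after STARTTLS (25) so it can be compared with the expected
# thumbprint. Host names and the expected thumbprint below are placeholders.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int]    $Port = 443,
        [switch] $StartTls,                 # speak EHLO/STARTTLS before the TLS handshake
        [string] $ExpectedThumbprint
    )

    # Reads one SMTP reply, consuming continuation lines ("250-...") up to the final "250 ...".
    function Read-SmtpReply([System.IO.StreamReader] $Reader) {
        do { $line = $Reader.ReadLine() } while ($line -match '^\d{3}-')
        if ($line -notmatch '^[23]\d{2}') { throw "Unexpected SMTP reply: $line" }
        $line
    }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $stream = $client.GetStream()
        if ($StartTls) {
            $reader = [System.IO.StreamReader]::new($stream)
            $writer = [System.IO.StreamWriter]::new($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            [void](Read-SmtpReply $reader)                                         # 220 banner
            $writer.WriteLine("EHLO $env:COMPUTERNAME"); [void](Read-SmtpReply $reader)
            $writer.WriteLine('STARTTLS');               [void](Read-SmtpReply $reader)  # 220 ready
        }

        # Accept any certificate in the callback so the handshake completes and the certificate
        # can be inspected; trust is evaluated separately below with X509Chain.
        $ssl = [System.Net.Security.SslStream]::new($stream, $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($HostName)           # $HostName is also sent as SNI

        $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            HostName        = $HostName
            Port            = $Port
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            ChainTrusted    = $chainOk
            MatchesExpected = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { $null }
        }
    }
    finally { $client.Close() }
}

# Usage: HTTPS and SMTP/STARTTLS view of the same namespace (placeholders).
$expected = 'BD09E758DF572307128D878697D3A766BDBEBF35'
Get-PresentedCertificate -HostName mail.contoso.com -Port 443 -ExpectedThumbprint $expected
Get-PresentedCertificate -HostName mail.contoso.com -Port 25  -StartTls -ExpectedThumbprint $expected
```

If MatchesExpected is false on 443 while Get-ExchangeCertificate shows IIS enabled on the new thumbprint, you are looking at the IIS binding problem listed under Common Issues; if it is false on 25, the SMTP binding on that server did not take, or a load balancer in front of it is presenting its own certificate.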

Common Issues

Issue: "The certificate isn't valid for the requested usage"

  • Cause: Certificate doesn't have required Enhanced Key Usage (EKU)
  • Solution: Ensure certificate includes "Server Authentication" EKU

Issue: Hybrid send connector still using old certificate

  • Cause: TlsCertificateName format incorrect
  • Solution: Verify the exact format <I>Issuer<S>Subject with no extra spaces

Issue: Client access broken after certificate change

  • Cause: IIS binding not updated or AppPool not restarted
  • Solution:
    Restart-Service W3SVC
    iisreset /noforce