Complete Certificate Renewal SOP
This is a tested production workflow for renewing Exchange 2016/2019 certificates.
Overview Steps
- Create a new certificate signing request (CSR)
- Upload the CSR to your certificate provider
- Download the processed certificate from your certificate provider
- Install the certificate on Exchange
- Assign Exchange services to the new certificate on each server
- Delete the old certificate
- Export the new certificate to a PFX file
- Import the certificate to all other Exchange servers
Step-by-Step Commands
1. List Current Certificates
Get-ExchangeCertificate | Where {$_.IsSelfSigned -eq $false} |
Format-List FriendlyName, CertificateDomains, Thumbprint, NotAfter
Purpose: Identify the certificate to renew and note its thumbprint.
2. Generate Certificate Signing Request (CSR)
$certrequest = Get-ExchangeCertificate -Thumbprint B26C3C9B30A2A7371767275043816466CB921738 |
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable:$true
Important: Replace the thumbprint with your actual certificate thumbprint from step 1.
Note: -PrivateKeyExportable:$true is critical for exporting to other servers later.
3. Save CSR to File
[System.IO.File]::WriteAllBytes('\\EX19-01\C$\Users\<user>\Desktop\certrequest.txt',
[System.Text.Encoding]::Unicode.GetBytes($certrequest))
Modify:
- Replace EX19-01 with your server name
- Replace <user> with your username
- Update the path as needed
Next: Submit this certrequest.txt file to your Certificate Authority (CA).
4. Verify Current Certificate Status
Get-ExchangeCertificate | Format-Table Subject, Status
Purpose: Check that the pending request shows up correctly.
5. Import the New Certificate
After receiving the certificate file from your CA:
Import-ExchangeCertificate -FriendlyName mail.exchangeservergeek.com `
-FileData ([System.IO.File]::ReadAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.cer')) `
-PrivateKeyExportable $true
Modify:
- Update FriendlyName to match your domain
- Update file path to your certificate file location
- Keep -PrivateKeyExportable $true for multi-server environments
Important: The certificate file might be .cer, .crt, or .pem depending on your CA.
6. Verify New Certificate Import
Get-ExchangeCertificate | Format-Table Subject, Thumbprint, NotAfter
Action: Note the new certificate's thumbprint for the next steps.
7. Enable Services on New Certificate
Enable-ExchangeCertificate -Server EX19-01 `
-Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-Services IIS,SMTP
Modify:
- Replace EX19-01 with your server name
- Replace the thumbprint with the new certificate thumbprint from step 6
- Services: IIS for web services (OWA, ECP, etc.), SMTP for mail flow
Warning: This will prompt for confirmation as it affects active services.
8. Verify Service Assignment
Get-ExchangeCertificate | Where {$_.IsSelfSigned -eq $false} |
Format-List FriendlyName, Thumbprint, NotAfter, Services
Check: Confirm the new certificate shows SMTP, IIS in the Services field.
9. Export Certificate to PFX
$cert = Export-ExchangeCertificate -Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-BinaryEncoded -Password (Get-Credential).password
Action: You will be prompted to enter a password for the PFX file. Remember this password!
Replace: Update thumbprint with your new certificate thumbprint.
10. Save PFX File
[System.IO.File]::WriteAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.pfx',
$cert.FileData)
Modify: Update the file path and filename as needed.
Result: You now have a PFX file that can be imported to other Exchange servers.
11. Import to Additional Exchange Servers
Import-ExchangeCertificate -Server EX19-02 `
-FileData ([System.IO.File]::ReadAllBytes('\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.pfx')) `
-Password (Get-Credential).password `
-PrivateKeyExportable $true
Modify:
- Replace EX19-02 with your second server name
- Update the file path to the PFX file from step 10
- Enter the same password you used in step 9
Repeat: Run this command for each additional Exchange server in your environment.
Then enable services on each server:
Enable-ExchangeCertificate -Server EX19-02 `
-Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35 `
-Services IIS,SMTP
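Steps 10 and 11 plus the step 8 check, run as one loop over every other Mailbox server. This is an added example, not part of the original SOP; it assumes the PFX from step 10 sits at $pfxPath, the new thumbprint is the one from step 6, and EX19-01 is the server the PFX was exported from.

```powershell
# Added example (not from the original SOP): import the PFX on each remaining
# Mailbox server, bind IIS and SMTP, then re-read the binding as step 8 does.
$sourceServer  = 'EX19-01'                                            # assumed: export server
$newThumbprint = 'BD09E758DF572307128D878697D3A766BDBEBF35'           # from step 6
$pfxPath       = '\\EX19-01\C$\Users\<user>\Desktop\mail_exchangeservergeek_com.pfx'
$pfxPassword   = (Get-Credential -Message 'PFX password from step 9').Password
$pfxBytes      = [System.IO.File]::ReadAllBytes($pfxPath)

$targets = Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -and $_.Name -ne $sourceServer }

$results = foreach ($srv in $targets) {
    # Skip the import when the certificate is already in this server's store
    $existing = Get-ExchangeCertificate -Server $srv.Name |
        Where-Object { $_.Thumbprint -eq $newThumbprint }
    if (-not $existing) {
        Import-ExchangeCertificate -Server $srv.Name -FileData $pfxBytes `
            -Password $pfxPassword -PrivateKeyExportable $true | Out-Null
    }

    # -Force suppresses the "overwrite default SMTP certificate" prompt seen in step 7
    Enable-ExchangeCertificate -Server $srv.Name -Thumbprint $newThumbprint `
        -Services IIS,SMTP -Force

    # Verify the binding the same way step 8 does, but per server
    $cert = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $newThumbprint
    $svc  = "$($cert.Services)"
    [pscustomobject]@{
        Server     = $srv.Name
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Services   = $svc
        Bound      = ($svc -match 'IIS') -and ($svc -match 'SMTP')
    }
}

$results | Format-Table -AutoSize
# Any row with Bound = False must be fixed before the old certificate is removed in step 12
```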
12. Remove Old Certificate
ONLY after verifying the new certificate works:
Remove-ExchangeCertificate -Server EX19-01 `
-Thumbprint B26C3C9B30A2A7371767275043816466CB921738
Modify:
- Replace with your old certificate thumbprint (from step 1)
- Repeat for each server
Warning: Do NOT remove the old certificate until you've verified mail flow and client access with the new certificate.
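One way to do that verification before step 12: connect to each server and record which certificate it actually presents on HTTPS (port 443) and on SMTP after STARTTLS (port 25). This is an added example, not part of the original SOP; $servers and $newThumbprint are assumed values taken from the earlier steps, and the EHLO name is constructed.

```powershell
# Added example (not from the original SOP): report the thumbprint each server
# serves on 443 and on 25 after STARTTLS, and whether it is the new certificate.
$servers       = 'EX19-01', 'EX19-02'                                 # assumed server names
$newThumbprint = 'BD09E758DF572307128D878697D3A766BDBEBF35'           # from step 6

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP replies may span lines ("250-..."); the final line has a space after the code
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
    return $line
}

function Get-ServedThumbprint([string]$Server, [int]$Port, [switch]$StartTls) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $tcp.GetStream()
        if ($StartTls) {
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.AutoFlush = $true
            $null = Read-SmtpReply $reader                    # 220 banner
            $writer.WriteLine('EHLO certcheck.example')       # constructed client name
            $null = Read-SmtpReply $reader                    # 250 capability list
            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply $reader
            if ($reply -notlike '220*') { throw "STARTTLS refused by ${Server}: $reply" }
        }
        # Accept any chain here: the goal is to see which certificate is presented, not to validate it
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally { $tcp.Close() }
}

foreach ($s in $servers) {
    foreach ($check in @{Port = 443; StartTls = $false}, @{Port = 25; StartTls = $true}) {
        $served = try { Get-ServedThumbprint -Server $s -Port $check.Port -StartTls:([bool]$check.StartTls) }
                  catch { "ERROR: $_" }
        [pscustomobject]@{
            Server    = $s
            Port      = $check.Port
            Served    = $served
            IsNewCert = ($served -eq $newThumbprint)
        }
    }
}
```

Only remove the old certificate on a server once both of its rows show IsNewCert = True; an ERROR row on port 25 usually means the connection was made from a host the receive connector does not offer STARTTLS to.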
Hybrid Configuration Updates
Check Hybrid Configuration
Get-HybridConfiguration | Format-List
Purpose: Review the current hybrid configuration, including the TlsCertificateName it references, before updating the send connector.
Update Send Connector Certificate (Hybrid/M365)
1. Check Current Send Connector
Get-SendConnector | Select Name, TlsCertificateName
2. Prepare New Certificate Name
Get-ExchangeCertificate | Format-Table Subject, Thumbprint, NotAfter
$tlscert = Get-ExchangeCertificate -Thumbprint BD09E758DF572307128D878697D3A766BDBEBF35
$tlscertname = ('<I>' + $tlscert.Issuer + '<S>' + $tlscert.Subject)
Replace: Use your new certificate thumbprint.
3. Update Send Connector
Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $tlscertname
Modify: Replace "Outbound to Office 365" with your actual send connector name.
Verify:
Get-SendConnector | Select Name, TlsCertificateName
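A check for the step above, as an added example that is not part of the original SOP: it parses every TlsCertificateName on the send connectors and, going beyond the page, on this server's receive connectors (which carry the same <I>issuer<S>subject property), and confirms each resolves to an installed certificate that is not expired and is enabled for SMTP. It inspects the certificate store of the server it runs on, so run it on each source transport server.

```powershell
# Added example (not from the original SOP): resolve each connector's
# TlsCertificateName back to an installed certificate and report its health.
$certs = Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned }

$bindings = @(Get-SendConnector |
        Select-Object Name, TlsCertificateName, @{n = 'Type'; e = { 'Send' }}) +
    @(Get-ReceiveConnector -Server $env:COMPUTERNAME |
        Select-Object Name, TlsCertificateName, @{n = 'Type'; e = { 'Receive' }})

foreach ($b in ($bindings | Where-Object { $_.TlsCertificateName })) {
    $name = "$($b.TlsCertificateName)"                 # renders as <I>issuer<S>subject
    if ($name -notmatch '^<I>(?<issuer>.+)<S>(?<subject>.+)$') {
        Write-Warning "$($b.Type) connector '$($b.Name)': cannot parse TlsCertificateName '$name'"
        continue
    }
    $issuer  = $Matches['issuer']
    $subject = $Matches['subject']

    # A renewal from the same CA usually keeps issuer and subject, so old and new
    # certificates can both match; report the one that expires last.
    $match = $certs |
        Where-Object { $_.Issuer -eq $issuer -and $_.Subject -eq $subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    $notAfter = $null
    $hasSmtp  = $false
    if ($match) {
        $notAfter = $match.NotAfter
        $hasSmtp  = "$($match.Services)" -match 'SMTP'
    }
    [pscustomobject]@{
        Connector = "$($b.Type)/$($b.Name)"
        Subject   = $subject
        Installed = [bool]$match
        NotAfter  = $notAfter
        HasSmtp   = $hasSmtp
        Healthy   = [bool]$match -and $hasSmtp -and ($notAfter -gt (Get-Date))
    }
}
```

A connector whose Healthy column is False will fail TLS negotiation with Microsoft 365 once the old certificate is removed in step 12.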