Graph and PowerShell Blog

Renewing a 3rd party Exchange certificate really shouldn't be a big deal but thanks to SSL companies and Microsoft there are a number of problems that can occur.

The cert comes as a text file, along with a root cert and two intermediary certs, all of which must be installed. The guides showing how to use ECP are not valid as you can now only do this via Exchange PowerShell.

The private key is missing when you import the certificate (rename .txt file to .cer). This is where the cert key is 'lost' and you must get the serial to find the key again using certutil.

Now that the cert is installed you have to copy the installed cert to each Exchange server.

After this you must rerun the Exchange Hybrid Wizard, which now requires the credentials of a Cloud Admin.

With the HCW run, you now go to delete the old cert that is about to expire, but an error message comes up to say it is still in use. This is because the HCW goes on the cert names and not the thumbprint. To get around this delete the old cert via the Certificates.mmc snap-in.

When you reboot the Exchange server later, the Exchange Management Shell will fail to connect. This is because the back-end website no longer has a certificate selected under 'Bindings'.

Update 2024: This year I spent a bit more time renewing the cert. You must install the Intermediary cert no matter what, on all Exchange servers. The SuperTekBoy article gives a good explanation of the full renewal process.

Graph and PowerShell Blog	Articles 2024 Advanced Postfix configuration Installing Exchange 2019 in Azure Landing Zone Upgrading PHP on Windows Adding a Postfix server for relay to O365 O365 Integrated Apps troubleshooting Domino and O365 Co-existence Delegate Control in AD App mail relay via HVE Setting up Mail Relay with HVE Getting BIMI certified Orbea Occam SL H30 Installing FreeSat and Saorview Changing broadband provider Replacing a DIN timer on fuseboard Outlook Desktop Notifications stop working Outlook folders keep moving sort order Teams report uploading to SharePoint with Runbooks Teams PowerShell module can't run CS cmd as App 2023 Cannot map new Shared Mailboxes in O365 Renewing an Exchange 2016 certificate Connect to Compliance PowerShell behind a Proxy Sensitivity Label not shown in Outlook Client Room Finder Error in Outlook Teams not showing Rooms Teams unable to open file Unable to review quarantined mails for shared mailbox Set Locale for various Apps Delegate Sent Items placed into external Tenant Overview of Microsoft Support cases When centralized mail sends via O365 Cleaning up your Windows DNS server Set OneDrive for Business Locale O365 Migration Tips Reporting on successful Azure logons IIS Mapi Queue full with NetScaler Secure Office365 reports with a certificate Using Graph to send emails with inline images Visualizing Graph data with Google Charts Keeping a log of NetScaler AlwaysON connections \| About \| Links

Renewing an Exchange 2016 certificate 23-Jun-23 Renewing a 3rd party Exchange certificate really shouldn't be a big deal but thanks to SSL companies and Microsoft there are a number of problems that can occur. The cert comes as a text file, along with a root cert and two intermediary certs, all of which must be installed. The guides showing how to use ECP are not valid as you can now only do this via Exchange PowerShell. The private key is missing when you import the certificate (rename .txt file to .cer). This is where the cert key is 'lost' and you must get the serial to find the key again using certutil. Now that the cert is installed you have to copy the installed cert to each Exchange server. After this you must rerun the Exchange Hybrid Wizard, which now requires the credentials of a Cloud Admin. With the HCW run, you now go to delete the old cert that is about to expire, but an error message comes up to say it is still in use. This is because the HCW goes on the cert names and not the thumbprint. To get around this delete the old cert via the Certificates.mmc snap-in. When you reboot the Exchange server later, the Exchange Management Shell will fail to connect. This is because the back-end website no longer has a certificate selected under 'Bindings'. Update 2024: This year I spent a bit more time renewing the cert. You must install the Intermediary cert no matter what, on all Exchange servers. The SuperTekBoy article gives a good explanation of the full renewal process.