Forum Discussion
Trouble Renewing self-signed Exchange 2019 certificate
It's sad to see that no one replied here yet. I've just stumbled upon the same problem with an Exchange 2016 CU23 server.
In my case, it's a CA provided certificate I have to renew, but the issue is the same. As the method described above has also worked for me a couple of times and still is the documented procedure by Microsoft, one has to assume that this somehow has been broken by a recent security update. (Checking the current documentation for "New-ExchangeCertificate", there is only the parameter "Instance" that allows PipelineInput, and that is listed as "deprecated").
In any case, I have found a workaround. In reality, Exchange is not really "renewing" the old certificate, but creating a new certificate (or in my case, certificate signing request) based on the properties of the old one. The most important ones (from my perspective the only relevant) being the SubjectName and the Subject Alternate Names. So you can just read those values from the old cert and use them for the new one, like this:
$oldThumb = "DB3BE1841EED1D9DD5DCF18956BBABE1BF69056B"
$oldCert = Get-ExchangeCertificate -Thumbprint $oldThumb
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -FriendlyName "MSX-Certificate-2024-04-05" -DomainName $oldCert.DnsNameList.Unicode -SubjectName $oldCert.Subject
EMR88: I assume you have fixed your issue on your own by now, but if not: for directly creating a new self-signed certificate, you would skip the "-GenerateRequest" parameter and you might not need the "FriendlyName", and you would not get a result you need to write into an $result variable, but apart from that, I think it should work the same way.
For me to get this totally working, I still need to get the new cert back from my CA, but I'm quite confident I was able to create a proper CSR.
Generally speaking, you wouldn't even need to base the new cert on the old one, but as the subject name is configured in a couple of places (hybrid setup, I think), you wouldn't want the need to also change that.
You got it. All you need to add to export your certificate request is:
[System.IO.File]::WriteAllBytes('C:\yourpath\renew.req', [System.Text.Encoding]::Unicode.GetBytes($request))
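Putting the two posts above together, here is the whole workflow as one script, written as an added example rather than code from either poster. It assumes an Exchange Management Shell session on Exchange 2016/2019, and the thumbprint and file paths are placeholders to replace. Beyond what the thread shows, it adds a verification step (Test-SanCoverage, a helper defined here, not an Exchange cmdlet) that compares the SAN list of the new certificate against the old one before the new certificate is bound to any service, so a renewal that silently drops a hostname is caught before clients see it.

```powershell
# Added example, not from the original thread. Assumes an Exchange Management Shell
# session on Exchange 2016/2019; replace the placeholder thumbprint and paths.
# Builds a replacement certificate (CSR or self-signed) from the Subject and SANs of
# the old certificate, then checks that the new certificate covers every old name.

$oldThumb = '<OLD-CERT-THUMBPRINT>'   # placeholder: thumbprint shown by Get-ExchangeCertificate
$oldCert  = Get-ExchangeCertificate -Thumbprint $oldThumb

# Identity of the certificate being replaced: Subject plus the full SAN set.
$subject = $oldCert.Subject
$names   = @($oldCert.DnsNameList.Unicode | Sort-Object -Unique)

# Case 1: CA-issued certificate. Generate a CSR carrying the same identity.
# -KeySize 2048 is an explicit choice here; smaller keys are rejected by most CAs.
$request = New-ExchangeCertificate -GenerateRequest `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName "MSX-Certificate-$(Get-Date -Format 'yyyy-MM-dd')" `
    -SubjectName $subject `
    -DomainName $names

# The CSR is returned as text; write it out UTF-16 encoded, as in the post above.
[System.IO.File]::WriteAllBytes('C:\yourpath\renew.req', [System.Text.Encoding]::Unicode.GetBytes($request))

# Case 2: self-signed certificate. Same parameters without -GenerateRequest;
# New-ExchangeCertificate then returns the new certificate object directly.
# $newCert = New-ExchangeCertificate -PrivateKeyExportable $true -KeySize 2048 `
#                -SubjectName $subject -DomainName $names

# Helper defined in this example (not an Exchange cmdlet): returns $true only if every
# SAN of the old certificate is also present on the new one.
function Test-SanCoverage {
    param(
        [Parameter(Mandatory)] $OldCert,
        [Parameter(Mandatory)] $NewCert
    )
    $missing = Compare-Object -ReferenceObject  @($OldCert.DnsNameList.Unicode) `
                              -DifferenceObject @($NewCert.DnsNameList.Unicode) |
               Where-Object SideIndicator -eq '<=' |
               Select-Object -ExpandProperty InputObject
    if ($missing) {
        Write-Warning "New certificate is missing SANs: $($missing -join ', ')"
        return $false
    }
    return $true
}

# After the CA returns the signed certificate (path is a placeholder): import it,
# verify SAN coverage, and only then bind it to the services the old one served.
# $newCert = Import-ExchangeCertificate -PrivateKeyExportable $true `
#                -FileData ([System.IO.File]::ReadAllBytes('C:\yourpath\renewed.cer'))
# if (Test-SanCoverage -OldCert $oldCert -NewCert $newCert) {
#     Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS,SMTP
# }
```

The import and Enable-ExchangeCertificate lines are left commented because they belong to a second session, after the CA has issued the certificate; for the self-signed path, run Test-SanCoverage against the object New-ExchangeCertificate returns and enable it in the same session. Keeping the old certificate in place until the check passes means a failed renewal never takes a service down.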