
How to renew expiring Exchange Server 2007 Internal Transport Certificate

CodeTwo Software
We make practical tools for Microsoft Exchange, Office 365 and Outlook. Visit our website to learn about our paid and freeware products.
This article explains in simple steps how to renew an expiring Exchange Server Internal Transport Certificate.
Administrators of Exchange Server 2007 (especially the ones who regularly check their event logs) might, sooner or later, come across warnings about the expiring Internal Transport Certificate. It will be highlighted with messages like these:

The STARTTLS certificate will expire soon.

or

An internal transport certificate will expire soon.

Those that don’t check their logs will probably be reminded by their users to do so – when nearing a certificate expiry, users’ Outlooks will start displaying messages saying:

[domain name]
Information you exchange with this site cannot be viewed or changed by others.
However, there is problem with the site's security certificate…


The Exchange Server 2007 Internal Transport Certificate is an important part of the system (for example, it allows users to access OWA over HTTPS), but it is often overlooked by administrators, especially those who worked with previous versions of Exchange and were simply not aware that such a feature existed. Fortunately, renewing a certificate that is nearing its expiration date is relatively easy and can be done by following the steps described below.
 

Check the currently installed certificate


Open the Exchange Management Shell and type:
 
get-exchangecertificate | List

Fig.1. Exchange Certificate details.
You should see detailed information about your current certificate. The following values are the ones you need to pay the most attention to:
 
NotAfter – the expiry date of your certificate.
Services – the services the certificate applies to.
Thumbprint – the identifier of the certificate; you need it to make any changes to the certificate.


Create a new certificate


In the Exchange Management Shell window, run the new-exchangecertificate command. You will get a warning message asking whether you are sure you want to overwrite your old certificate (Fig. 2).

Fig.2. Overwriting the old certificate.
Once you agree to make the changes, run the get-exchangecertificate | List command again. This is what you should see:

Fig.3. New and old certificate details.
 

Activate the new certificate


As you can see from the above screenshot, the IIS service is still using the old certificate. To fix this, you have to enable the new one using the enable-exchangecertificate command. To do this, you need the certificate thumbprint value mentioned before. The whole command is:
 
enable-exchangecertificate -Thumbprint [YOUR NEW CERTIFICATE THUMBPRINT VALUE]


You will also need to provide the name of the service that needs to be included in the new certificate (in this case it is IIS).

Fig.4. Assigning the IIS service to the new certificate.
 

Remove the old certificate


Now you can safely remove the old certificate, which is no longer necessary. Type:
 
remove-exchangecertificate -Thumbprint [YOUR OLD CERTIFICATE THUMBPRINT VALUE]


Once you’re done, run the get-exchangecertificate | List command for the last time. This should be your final result:

Fig.5. New Exchange Certificate active and running.
 

As you can see, the certificate is valid, all services are included and there is still a long time before it expires again. I hope this tutorial will help everyone who needs help with their expiring Exchange Certificate.

Good luck!
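
The four steps above combined into one Exchange Management Shell script, as an added example that is not part of the original article: it removes the old certificate only after confirming that the new one covers every service the old one had and is not itself close to expiry. The 30-day threshold and all variable names are assumptions made for this example.

```powershell
# Added example for the Exchange Management Shell; $warnDays and all variable
# names are assumptions of this example, not values from the article.
$warnDays = 30
$deadline = (Get-Date).AddDays($warnDays)

# Step 1: certificates bound to IIS that expire within the warning window.
$old = @(Get-ExchangeCertificate | Where-Object {
    "$($_.Services)" -match 'IIS' -and $_.NotAfter -lt $deadline
})

if ($old.Count -eq 0) {
    Write-Host "No IIS certificate expires within $warnDays days."
}
else {
    $old | Format-List Thumbprint, NotAfter, Services

    # Step 2: create the replacement (answer the overwrite prompt).
    $new = New-ExchangeCertificate
    if (-not $new) { throw "No new certificate was created." }

    # Step 3: bind the new certificate to IIS.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS

    # Step 4: re-read it and confirm before touching the old one.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    foreach ($c in $old) {
        # Services the old certificate had that the new one does not cover.
        $missing = @("$($c.Services)".Split(',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne 'None' -and "$($check.Services)" -notmatch $_ })

        if ($check.NotAfter -gt $deadline -and $missing.Count -eq 0) {
            Remove-ExchangeCertificate -Thumbprint $c.Thumbprint
        }
        else {
            $list = [string]::Join(', ', $missing)
            Write-Warning "Keeping $($c.Thumbprint): new certificate lacks [$list] or expires too soon."
        }
    }

    # Final state, as in Fig. 5.
    Get-ExchangeCertificate | Format-List Thumbprint, NotAfter, Services
}
```

If the warning fires, enable the new certificate for the listed services before removing the old one by hand.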
 
