Correct methods and steps for renewing certificates for Exchange 2007


I have two Exchange 2007 servers that are coming up on their 1yr anniversary.  Both are now logging events that their certificates will expire soon.  I have read a great deal of the documentation but I am still unclear on the correct steps for renewing the certs.  Here are the details:

1) Edge server that has a self-signed cert for SMTP TLS communication. Some say renewing is as easy as

    Get-ExchangeCertificate -Thumbprint [oldcertsthumbprint] | New-ExchangeCertificate -Services SMTP

followed by

    Enable-ExchangeCertificate -Thumbprint [newcertsthumbprint]

with no other steps needed.
Others say I need to re-subscribe the Edge to the organization and restart the EdgeSync service after I have done the steps above.
What is correct?

2) Hub/CAS server that has a trusted third-party CA cert that was installed in IIS before Exchange was installed, and a self-signed cert that was created by the install. Both are up for renewal. After I installed Exchange I had to enable SMTP on the CA cert and everything worked fine. Most documentation says I need to generate a new CA cert request using New-ExchangeCertificate with the -GenerateRequest switch. But I don't want a new CA one; I want to renew the CA one I have. I saw in the msexchangeteam blog that I can renew using IIS Manager, but other places say don't use the MMC for Exchange certs or they won't work. Is that just a warning because you would have to enable the services for the cert? Can I renew in IIS and then enable the SMTP, IMAP and POP services on the cert using the cmdlets? Also, if I do not renew the self-signed one, will internal Hub-to-Edge communication still work?


Server Edge
    Get-ExchangeCertificate -Thumbprint <thumbprint> | New-ExchangeCertificate
    New-EdgeSubscription -FileName "C:\edge02.xml"

Server HUB
    Copy the XML file to the HUB, open the Exchange Management Console, and go to:
    Organization -> Hub Transport -> Edge Subscriptions; in the action pane select New Edge Subscription and import the XML file.

After importing the XML file, the Microsoft Exchange ADAM service on the Edge must be restarted.
Next you can run the Start-EdgeSynchronization cmdlet on the Hub server.
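The procedure in the answer above, written out end to end as an added example (this is not code from the thread or from Microsoft). It is run in the Exchange Management Shell, first on the Edge Transport server and then on the Hub. Assumptions not found in the thread: the Edge has one self-signed certificate bound to SMTP, the subscription file is written to C:\edge02.xml, the Edge ADAM service name is ADAM_MSExchange, and the Hub's Active Directory site is called Default-First-Site-Name.

```powershell
# ===== On the Edge Transport server =====

# 1. Locate the self-signed SMTP certificate that is within 30 days of expiry.
$old = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Services -match 'SMTP' -and
                   $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object -First 1
if (-not $old) { throw 'No expiring self-signed SMTP certificate found.' }
$old | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 2. Clone it. Piping an existing certificate into New-ExchangeCertificate
#    issues a new self-signed cert with the same subject and SAN list and a
#    fresh validity period; a dated friendly name makes the pair easy to tell apart.
$new = $old | New-ExchangeCertificate -Services SMTP `
    -FriendlyName ('Edge SMTP TLS ' + (Get-Date -Format 'yyyy-MM-dd'))

# 3. Make the new certificate the one SMTP presents, then confirm the SMTP
#    service moved to the new thumbprint rather than staying on the old one.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Services, NotAfter

# 4. EdgeSync trusts the Edge by this certificate, so generate a new
#    subscription file and restart ADAM (assumed service name ADAM_MSExchange).
New-EdgeSubscription -FileName 'C:\edge02.xml'
Restart-Service ADAM_MSExchange

# 5. Keep the old certificate until EdgeSync is healthy again, then remove it.
# Remove-ExchangeCertificate -Thumbprint $old.Thumbprint

# ===== On the Hub Transport server (after copying C:\edge02.xml across) =====

# Importing from the shell is equivalent to the console's New Edge Subscription
# wizard; an existing subscription for the same Edge is replaced.
New-EdgeSubscription -FileName 'C:\edge02.xml' -Site 'Default-First-Site-Name'

# Force a synchronization now instead of waiting for the next scheduled cycle,
# then check that the Hub reports the Edge as in sync.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc
```

The ordering in step 3 is the part worth checking rather than assuming: if Enable-ExchangeCertificate is skipped, the clone exists in the store but SMTP keeps presenting the old certificate, and the Edge will still log the expiry warnings.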

CMES-IT (Author) commented:
Thanks for the comment!

What about the CA cert on the CAS/Hub server? The one that supports SMTP, IIS, POP3 and IMAP. Do I just generate a new request, or can I renew the one I have through IIS?

No, a cert expiring on the Hub should not affect mail flow within the org (e.g. Hub to Hub). It could affect Domain Secure and third-party mail flow, however. As a best practice, you should update the certificate when it nears expiration.

1. You should not use self-signed certs for OWA etc.; however, users would most likely just get an error if they expire, but as stated above you should keep them updated.

CMES-IT (Author) commented:

The renewal on the Edge server required a resubscribe and a restart of ADAM, just as ATIG suggested. Resubscribes overwrite the existing one, so it was pretty painless.

I did not risk trying to use IIS to renew the third-party cert on the Hub server. After I was comfortable with the PowerShell syntax (with help from this online generator), I added a couple of switches like -FriendlyName and it was pretty painless too.

I did have a short period of ~15 minutes when mail stopped flowing from the Edge to the Hub and back after I enabled the new third-party cert on the Hub. The Edge complained in the event logs of not being able to verify the cert. I decided to resubscribe the Edge again. However, it started working again after I exported the XML on the Edge but before I imported it on the Hub. It may have worked itself out during the normal refresh period and not needed a resubscribe if I had been more patient. I followed through on the resubscribe anyway and all is flowing again.

Some URLS that helped me out:
EHLO blogs:
EHLO blogs:
PS Exchange cert request generator:
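The third-party renewal the author describes, as an added example (not the author's script and not from the generator linked above): a new certificate request is created with New-ExchangeCertificate rather than through IIS Manager, the issued certificate is imported, and the services are bound to the new thumbprint. Run in the Exchange Management Shell on the Hub/CAS. The host names, organization, file paths and the Exchange 2007 form of the -Path parameters are assumptions for illustration.

```powershell
# Assumed names: the public OWA/Autodiscover names plus the server's internal FQDN
# and NetBIOS name, so internal Hub-to-Edge SMTP TLS also matches a SAN entry.
$names = 'mail.example.com', 'autodiscover.example.com',
         'hub01.corp.example.com', 'hub01'

# 1. Generate the CSR. -PrivateKeyExportable lets the finished certificate be
#    exported for a second server later; -FriendlyName makes the renewed cert
#    distinguishable from the old one in the store. -Path is the Exchange 2007
#    way to write the Base64 request (assumed; later versions use Set-Content).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.example.com, O=Example Corp, C=US' `
    -DomainName $names `
    -FriendlyName ('Example mail ' + (Get-Date -Format 'yyyy')) `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path 'C:\certs\mail.example.com.req'

# Submit C:\certs\mail.example.com.req to the CA and save the issued
# certificate as C:\certs\mail.example.com.cer before continuing.

# 2. Import the issued certificate; the request's private key is matched
#    automatically and the returned object carries the new thumbprint.
$cert = Import-ExchangeCertificate -Path 'C:\certs\mail.example.com.cer'

# 3. Bind every service the old certificate served. Until this runs, IIS, POP,
#    IMAP and SMTP keep presenting the old certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP, IIS, POP, IMAP'

# 4. Verify the binding and issuer before touching the old certificate.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, Issuer, CertificateDomains, Services, NotAfter

# 5. Leave the old certificate in place until mail flow and OWA are confirmed.
#    The Edge may log certificate validation errors until its next EdgeSync
#    cycle (the author saw roughly 15 minutes); only then remove the old one.
# Remove-ExchangeCertificate -Thumbprint <old thumbprint>
```

This is a replacement, not an in-place renewal of the existing certificate: the new request uses a fresh key pair, which is also why the Edge had to re-validate the Hub's certificate after the switch.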