Renew Exchange VeriSign certificate for Exchange 2010 Edge server.

Hi Team, we have 2 internal CAS/HUB and 2 Edge servers in the DMZ. We migrated to the 2010 environment last year, hence the internal self-signed certificates are valid for another four years.

We have currently got an alert for the external SSL certification (VeriSign) expiration date.

Kindly let me know: is it enough to import the new certificate, map the .PFX in MMC --> Personal --> Certificates console and delete the old certificate for email send/receive to/from the internet, or is there anything else that I need, like a new Edge subscription on both Edge roles?

A new Edge config will restructure all the config which I made in the connectors.

We don't use third-party SSL certifications for CAS, as we only use it for internal purposes (self-signed only).

We got a new certificate from VeriSign based on the SAN of our domain and the Edge server name, so in this case, if I replace the existing certificate, will it have any other impact?

Thanks in advance.
Asked by: Sekar Chinnakannu, Staff Engineer
Kent Dyer, IT Security Analyst Senior, commented:
No downtime. You are copying the cert in and placing the cert in place of the old cert. You just tell the system to use the new cert. There should be no reason to stop/start services, etc.

Each cert has a thumbprint and you will tell the system to use the new one.
Kent Dyer, IT Security Analyst Senior, commented:
You should be able to leave the current certs in place.
You will be placing the new certs on top of the old. Especially if you find that the new certs have an issue - like they mistyped the domain or have an invalid date, etc.

You can use the mmc snap-in to manage the cert, but on the server, you will need to select machine instead of personal.
You may also need to update the certs on each of the devices as well as any load balancers and cluster devices - YMMV as some devices require the cert and others may not need it.
Sekar Chinnakannu, Staff Engineer (author), commented:
Hi kdyer,

Thanks a lot for the quick response.

Apart from MMC --> machine, do I need to perform anything else on the Exchange console side or in services on the Edge role or internal HUB role?

If I place it on top of the old cert, will it cause any downtime for any replication process with the new certificate date?

I have to only enable the SMTP service for the new cert thumbprint.

This is only an external SAN-name-based certificate for SSL/TLS client authentication, and I hope it does not require any Edge subscription?

I hope the Edge subscription will be in place at the time of self-signed cert expiration in the Edge or HUB roles, is that right?
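
The procedure discussed in this thread (import the new certificate next to the old one, check it for a wrong domain or date, then point SMTP at the new thumbprint), sketched as an added example for the Exchange Management Shell on an Edge server. It is not code from any of the posters; `$PfxPath` and `$ExpectedNames` are placeholder values.

```powershell
# Added example. Run in the Exchange Management Shell on each Edge Transport server.
# $PfxPath and $ExpectedNames are placeholders, not values from the thread.
$PfxPath       = 'C:\Certs\edge-san.pfx'
$ExpectedNames = @('mail.example.com', 'edge01.example.com')

# 1. Import the PFX into the local computer store. The old certificate is left
#    in place so it can be re-enabled if the new one turns out to be wrong.
$pfxBytes = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString
$new      = Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPass

# 2. Check the imported certificate before SMTP is switched to it:
#    private key present, valid today, and every expected name listed.
$cert     = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })
$now      = Get-Date
$problems = @()

if (-not $cert.HasPrivateKey) {
    $problems += 'certificate has no private key'
}
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "not valid today ($($cert.NotBefore) to $($cert.NotAfter))"
}
foreach ($name in $ExpectedNames) {
    if ($domains -notcontains $name) {
        $problems += "expected name missing from certificate: $name"
    }
}
if ($problems.Count -gt 0) {
    throw "Not enabling $($cert.Thumbprint): $($problems -join '; ')"
}

# 3. Tell Exchange to use the new thumbprint for SMTP. Read the confirmation
#    prompt about the default SMTP certificate instead of suppressing it with -Force.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 4. Confirm which certificates are now bound to SMTP and when they expire.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, NotAfter, Services, CertificateDomains
```

If step 2 reports a problem, nothing has been changed on the transport service; the old certificate is still the one in use.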
Question has a verified solution.