Exchange 2013 self-signed certificates
I have three Exchange 2013 servers in two different AD Sites, each having all roles. All are working well for last 9 months and I'm wondering if I can delete the three default self-signed certificates on each server. We have been using a public cert (VeriSign) for the last 9 months which covers POP, IIS, and SMTP, so my thought is I should be able to. Every time I Google this I find MS clearly saying:
"By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted Certificate Authority (CA)."
The problem is that it does not use the plural context in the above statement...only singular. So, can I delete all three safely since I have been using a public certificate with no problem?
~Rick
"By default, the Client Access server is configured with a self-signed certificate that is not trusted by clients. You should remove this certificate and install a certificate from a trusted Certificate Authority (CA)."
The problem is that it does not use the plural context in the above statement...only singular. So, can I delete all three safely since I have been using a public certificate with no problem?
~Rick
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The self signed certificate is not only used for web services, but also for internal transport purposes. I expect if you try to remove the certificate it will be blocked for that reason.
Therefore as long as you have the "W" service enabled for the trusted certificate, leave the self signed one alone.
Simon.
Therefore as long as you have the "W" service enabled for the trusted certificate, leave the self signed one alone.
Simon.
ASKER
I got a definite confirmation from Microsoft Exchange 2013 Support and they said deleting those certificates is not a problem as long as we are using a public cert that covers the roles we need. If our public cert expires then we would just have to create new certs till we could replace the expired cert.
They worked with me while I deleted the certs and reset the bindings within IIS on both frontend and backend. We confirmed all is working properly.
They worked with me while I deleted the certs and reset the bindings within IIS on both frontend and backend. We confirmed all is working properly.
This is because they might be in use by some process witch I've forgotten about and they can work as a template for how a new certificate could look like, and you also have a "backup" in case something goes bananas.
So my conclusion is: Why delete them? They aren't exactly wasting huge amount of space or cluttering the servers. Maybe you will need them some day.