Exchange Server 2010 on a Win 2012 server. Renew Certificate

I am getting this message: uses an invalid security certificate. The certificate expired on 10/3/2015 10:52 AM. The current time is 10/5/2015 11:18 AM. (Error code: sec_error_expired_certificate)

How do I renew this certificate?
Will Szymkowski (Senior Solution Architect) commented:
I have created a HowTo on my site to accomplish this.

You need to generate a new CSR from one of your CAS servers. You will then need to import it into every Exchange server. From there you enable the certificate with the specific services required.

Detailed steps below...


The HowTo illustrates how to accomplish this with Exchange 2013, but the process is similar to Exchange 2010 minus the cert renewal. You can do this through IIS.

hgj1357 (Author) commented:
I don't have CAS servers. I have a DC and an Exchange server. Which one do I start with?

Ivan (System Engineer) commented:
If you have Exchange, then you have CAS server :)
Jeff Glover (Sr. Systems Administrator) commented:
To explain further. CAS stands for Client Access Server. It is a role that is part of Exchange. If you have a single Exchange server then by default it has the Client Access, Hub Transport and Mailbox Server roles on it.
hgj1357 (Author) commented:
My new certificate has a status: This is a pending certificate signing request (CSR)

How do I complete this job? I'm a dunce with this, so use short words!
Jeff Glover (Sr. Systems Administrator) commented:
Did you purchase the new certificate from the CA? If so, you will have a certificate file. Copy it to your Exchange server (anywhere on it is fine; My Documents works). Then right-click on the one that says it is a pending CSR and select Complete Pending Request. Follow the wizard.
hgj1357 (Author) commented:
Can I buy a certificate from GoDaddy?
Jeff Glover (Sr. Systems Administrator) commented:
Yes, you can, but there is one additional step to using a GoDaddy certificate. You will get a .zip file from GoDaddy. It will contain the certificate (.crt) and a .p7b file. The .p7b file is the intermediate certificates. You have to import them into the Intermediate Certification Authorities store on your Exchange server(s) using the Certificates snap-in. But it should work fine. We use them.
hgj1357 (Author) commented:
OK. GoDaddy tells me that SERVER.local will no longer be supported on the certificate.

How do I confirm my server is not configured as .local and is configured as fully qualified .com?
Jeff Glover (Sr. Systems Administrator) commented:
No public CA will support .local anymore. You just need to set the internal and external names for OWA and ECP to the external name (can be done in the EMC) and then set up split-brain DNS. Add a DNS zone to your internal server for your external domain name. Add the OWA record to it with the internal address. You should also add an SRV record to your internal domain for Autodiscover pointing to the OWA record in your split-brain zone. This way, Autodiscover will not warn for the wrong name.
hgj1357 (Author) commented:
Being a bit of a dunce, I'll need these steps explained a bit more simplistically.
hgj1357 (Author) commented:
I'd get the guys in who set this up, but they can't do it until December. I understand basic DCs, DNS etc., but Exchange is a bit of a mystery to me.
Jeff Glover (Sr. Systems Administrator) commented:
OK. Once you have the certificate, it will have whatever name you use to connect to OWA. It also probably should have in it. That is probably the minimum. So, let's assume you use for OWA. Once the certificate is installed, you go to the Exchange Management Console and go to Client Access Servers. In the properties of Client Access Servers, you will see tabs for OWA, ECP, etc. Change the internal and, if needed, external URL to match your name on your certificate. This way you will not get a cert prompt with OWA and ECP.
Now, you or whoever takes care of your internal DNS servers needs to make a primary zone with the name of your If your DNS is AD integrated, then make it AD integrated. You need to add a record for webmail to it using the internal address of your Exchange server with the CAS role or load balancer VIP. Also, if you have external websites like, you will need to add them with the external DNS address so your internal clients can reach them. Lastly, you need to add an SRV record to your internal .local zone for Autodiscover: _autodiscover._tcp.Autodiscover.yourdomain.local 0 0 443 pointing to This way Outlook Anywhere will work.
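The URL change, split-brain zone and Autodiscover SRV record from the answer above as shell commands, preceded by the check the author asked for (where a .local name is still configured). This is an added example, not code from the thread; every host name, zone and IP is an assumed placeholder. One deliberate difference: Outlook looks up _autodiscover._tcp under the user's e-mail domain, so the SRV record here goes in the split-brain zone for the public domain rather than the .local zone, and the AD service connection point that domain-joined Outlook consults first is updated as well.

```powershell
# Added example, not code from the thread. All values are assumed placeholders:
# webmail.example.com = name on the new certificate, example.com = public e-mail domain,
# 10.0.0.10 = internal IP of the Exchange 2010 server (CAS role), EX01 = its host name.
$owaHost = "webmail.example.com"
$extZone = "example.com"
$casIp   = "10.0.0.10"
$server  = "EX01"

# --- Exchange Management Shell on the Exchange 2010 server ---
# Check first: any InternalUrl/ExternalUrl or SCP still carrying a .local name is what
# makes Outlook and browsers warn once the certificate no longer contains that name.
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-EcpVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri

# Point OWA and ECP at the certificate name for internal and external clients alike.
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -InternalUrl "https://$owaHost/owa" -ExternalUrl "https://$owaHost/owa"
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -InternalUrl "https://$owaHost/ecp" -ExternalUrl "https://$owaHost/ecp"
# Domain-joined Outlook reads the Autodiscover URL from this AD service connection point
# before it tries DNS, so it must use the certificate name too.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$owaHost/Autodiscover/Autodiscover.xml"

# --- DnsServer module on a Windows Server 2012 DC (older DCs: dnscmd or the DNS console) ---
# Split-brain zone: internal clients now resolve the public name to the internal address.
Add-DnsServerPrimaryZone -Name $extZone -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $extZone -Name "webmail" -IPv4Address $casIp
# Caveat: internal clients no longer ask the internet for anything in example.com, so every
# other public host (www, mail, ...) must be recreated here with its public IP.

# SRV record for Autodiscover. Outlook queries _autodiscover._tcp under the user's e-mail
# domain, so it goes in the example.com zone (and, for external clients, in public DNS).
Add-DnsServerResourceRecord -Srv -ZoneName $extZone -Name "_autodiscover._tcp" `
    -DomainName $owaHost -Priority 0 -Weight 0 -Port 443

# Verify from a domain-joined machine: the A record answers with the internal IP and
# the SRV record points at the certificate name on port 443.
Resolve-DnsName -Name $owaHost -Type A
Resolve-DnsName -Name "_autodiscover._tcp.$extZone" -Type SRV
```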
