Exchange Public Certificate expiration

Hello Team,

We have Exchange 2013 with CU 13 in a hybrid environment with O365.

2 MBX/CAS Server, 2 Hybrid Server, 2 Edge Server

The public certificate from Symantec is going to expire very soon. I need to know the process of updating the certificate.
I have generated the .csr request from one of the Hybrid servers, and from the public PKI we got the .cer certificate.

Could any expert suggest from which server I should start updating the certificate, and what steps are required on Hybrid, Edge and MBX?

on gateway side, it is normal ,we will update the new certificate

Just keep in mind, we have hybrid environment, Please suggest as per this

your help is really appreciated, as always i got from EE
Addy NadiaExpertAsked:
The certificate private key lies on the server where you generate the request; this is the default behavior of a cert request, so you must install the cert on that server by completing the pending request.
Later on you can use the admin center to install the cert on other servers.
No need to do anything from IIS.
For Edge, most probably it's not reachable from the admin center; you might need to export the cert with its private key from MMC on CAS etc. in PFX format and then import it on the Edge server.
If internet is not working on any Exchange server, turn off cert revocation from the IE advanced settings on that server and then apply the cert; otherwise, as long as internet is working, revocation should not be an issue.
Ideally you may not need to run HCW as long as your new cert subject name is the same as the old one; however, re-running HCW will not break anything, as it will be running in update mode and will not replace / break anything as far as I experienced.

The certificate is used in the connection end-point, therefore - CAS server and HYBRID servers. If you use EDGE to send email using TLS, it would also be required. Once certificate is replaced on Hybrid, re-run the HCW.
There's no difference where csr is generated, as long as you correctly import the certificate and VALIDATE that in CERTIFICATES MMC, at the properties of the certificate you'll see a message - You have a private key corresponding to the certificate.
This would mean the certificate was properly imported.
Addy NadiaExpertAuthor Commented:
as i mentioned in question, can i have procedure to update
and yes edge server also having that certificate, which is going to expire

one more thing, this certificate is of Hybrid certificate, which used to have a hybrid connectivity.

also on MBX server i can see no services assigned to that certificate which is going to expire, same with Hybrid server also, the same certificate not having any services assigned on one Hybrid, on another hybrid Pop and smtp

on edge server only smtp service is assigned

HCW is required to run ? is it mandatory and what it will do

Please suggest me the steps to update.
Addy NadiaExpertAuthor Commented:
could anyone suggest here..
Addy NadiaExpertAuthor Commented:
could anyone suggest here

we here need to update the hybrid certificate. Please suggest the steps how to do it..
1st thing u need to install / complete pending request  from emc on same server from where u generated csr
Because on that server certificate private key exists
After that replace it on all cas and edge server
All cas can be assigned cert from one exchange console
Later on u need to run HCW as guided above so that hybrid config will be updated with new cert thumb print
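
The order the answers above describe (complete the pending request where the CSR was generated, confirm the private key is present, export a PFX, import and assign it on the other servers), written out for the Exchange Management Shell. This is an added example, not part of any poster's reply; the server names, file paths, thumbprint placeholder and the SMTP service assignment are assumptions, and it assumes the private key was created as exportable.

```powershell
# Added example for the Exchange 2013 Management Shell. Server names, file paths
# and the thumbprint are placeholders (assumptions), not values from the thread.
$csrServer = 'MBX01'                        # server where the CSR was generated
$others    = 'MBX02', 'HYB01', 'HYB02'      # remaining internal servers
$cerPath   = '\\fileserver\certs\new.cer'   # .cer returned by the public CA
$pfxPath   = '\\fileserver\certs\new.pfx'   # temporary export, delete afterwards
$oldThumb  = '<THUMBPRINT-OF-EXPIRING-CERT>'

# Record which services the expiring certificate holds on each server.
foreach ($s in @($csrServer) + $others) {
    Get-ExchangeCertificate -Server $s -Thumbprint $oldThumb -ErrorAction SilentlyContinue |
        Select-Object @{n='Server'; e={$s}}, Services, NotAfter
}

# 1. Complete the pending request on the server that holds the private key.
$cerBytes = [Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$new = Import-ExchangeCertificate -Server $csrServer -FileData $cerBytes

# 2. Stop if the certificate did not pair with a private key on that server.
$check = Get-ExchangeCertificate -Server $csrServer -Thumbprint $new.Thumbprint
if (-not $check.HasPrivateKey) {
    throw "No private key for $($new.Thumbprint) on $csrServer; wrong server for this CSR?"
}

# 3. Export certificate plus private key as a password-protected PFX.
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
$export  = Export-ExchangeCertificate -Server $csrServer -Thumbprint $new.Thumbprint `
               -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# 4. Import the PFX on the other internal servers and verify each import.
$pfxBytes = [Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
foreach ($s in $others) {
    Import-ExchangeCertificate -Server $s -FileData $pfxBytes -Password $pfxPass | Out-Null
    $c = Get-ExchangeCertificate -Server $s -Thumbprint $new.Thumbprint
    if (-not $c.HasPrivateKey) { Write-Warning "$s imported without private key" }
}

# 5. Assign the same services the old certificate held (SMTP is an assumption here;
#    use the list recorded above). Exchange prompts before replacing the SMTP cert.
Enable-ExchangeCertificate -Server 'HYB01' -Thumbprint $new.Thumbprint -Services SMTP

# 6. Edge servers: copy the PFX over and run the Import/Enable steps locally in the
#    Edge server's own shell. Then re-run the HCW as described in the thread.
Remove-Item -Path $pfxPath   # do not leave the exported private key on a share
```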
Addy NadiaExpertAuthor Commented:
Hello Mahesh,

thanks for the answer,

1. Actually I have generated the certificate request on the MBX/CAS server, so according to you I need to complete the certificate request on that first, then the other 2 hybrid servers, and then Edge?

2. So on all other servers I need to import the certificate via IIS or from the admin center? Because the pending request is not showing up here. It is only showing on the server where it was generated.

3. Should internet be working on the Exchange server while updating the certificate? And the revocation check option unchecked in Internet Explorer?

4. Is the Hybrid Configuration Wizard mandatory? We have not done this in the LAB Exchange server. I want to avoid this, as it might cause other issues.
Addy NadiaExpertAuthor Commented:
could hybrid wizard modify any connectors ?

which connectors i can take backup as a safe side, i dont want HCW can affect anything
if you don't change any hybrid config explicitly while rerunning, it won't change any connectors, it simply update the config
Addy NadiaExpertAuthor Commented:
So after updating the certificate on both Edge, both hybrid and the Mailbox servers, does the Edge subscription need to be resubscribed? Is it mandatory? Just a doubt, and how to do it?

i have 2 Edge and 2 hybrid.
Addy NadiaExpertAuthor Commented:
Could you guide how to resubscribe the Edge subscription if required, without impacting any receive/send connector?