Exchange Public Certificate expiration

Hello Team,

We having Exchange 2013 with CU 13 and in hybrid environment with O365

2 MBX/CAS Server, 2 Hybrid Server, 2 Edge Server

Public certificate from symantec is going to be expire very soon, i need to know the process of updating the Certificate
i have generated the .csr request from one of the Hybrid server and from public PKI we got the .cer Certificate

Could any export suggest, from which server i start updating the Certificate and what all steps are required on Hybrid,Edge,MBX

on gateway side, it is normal ,we will update the new certificate

Just keep in mind, we have hybrid environment, Please suggest as per this

your help is really appreciated, as always i got from EE
Addy NadiaExpertAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The certificate is used in the connection end-point, therefore - CAS server and HYBRID servers. If you use EDGE to send email using TLS, it would also be required. Once certificate is replaced on Hybrid, re-run the HCW.
There's no difference where csr is generated, as long as you correctly import the certificate and VALIDATE that in CERTIFICATES MMC, at the properties of the certificate you'll see a message - You have a private key corresponding to the certificate.
This would mean the certificate was properly imported.
Addy NadiaExpertAuthor Commented:
as i mentioned in question, can i have procedure to update
and yes edge server also having that certificate, which is going to expire

one more thing, this certificate is of Hybrid certificate, which used to have a hybrid connectivity.

also on MBX server i can see no services assigned to that certificate which is going to expire, same with Hybrid server also, the same certificate not having any services assigned on one Hybrid, on another hybrid Pop and smtp

on edge server only smtp service is assigned

HCW is required to run ? is it mandatory and what it will do

Please suggest me the steps to update.
Addy NadiaExpertAuthor Commented:
could anyone suggest here..
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

Addy NadiaExpertAuthor Commented:
could anyone suggest here

we here need to update the hybrid certificate. Please suggest the steps how to do it..
1st thing u need to install / complete pending request  from emc on same server from where u generated csr
Because on that server certificate private key exists
After that replace it on all cas and edge server
All cas can be assigned cert from one exchange console
Later on u need to run HCW as guided above so that hybrid config will be updated with new cert thumb print
Addy NadiaExpertAuthor Commented:
Hello Mahesh,

thansk for answer,

1.Actually i have generated the Certificate request on MBX/CAS server ? so according to you i need to complete the certificate request on that first, then other 2 hybrid Server ? - and then to Edge

2. so on all other server i need to import the certificate via IIS or from admin center ? because pending request is not coming up here. it is only coming on server where it was generated

3. is internet should be working there on Exchange while updating the certificate ? and Revocation check option unchecked in internet explorer?

4. Hybrid Configuration wizard is mandatory ? as we not done this in LAB exchange Server ? i want to avoid this, as it might can cause other issue ?
Certificate Private key lies on server where you generate request, this is default behavior of cert request, so you must install cert on that server by following pending request
Later on you can user admin center to install cert on other servers
No need to do anything from IIS
For edge, most probably its not reachable from admin center, you might need to export the cert with private key from MMC on CAS etc in PFX format and then need to import on edge server
If internet is not working on any exchange server, turn off cert revocation from IE advanced setting on that server and then apply cert, otherwise as long as internet is working revocation should not be an issue
Ideally you may not be need to run HCW as long as your new cert subject name is same as old, however re running HCW will not break anything as it will be running in update mode and not replace / break anything as far as I experienced


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Addy NadiaExpertAuthor Commented:
could hybrid wizard modify any connectors ?

which connectors i can take backup as a safe side, i dont want HCW can affect anything
if you don't change any hybrid config explicitly while rerunning, it won't change any connectors, it simply update the config
Addy NadiaExpertAuthor Commented:
so after updating the certificate on both edge, both hybrid and Mailbox server. Edge subscription need to resubscribed ? is it mandatory ? just a doubt and how to do it

i have 2 Edge and 2 hybrid.
Addy NadiaExpertAuthor Commented:
could you guide how to resubscribed edge subscription if required, without impacting any receive/send connector ?
Addy NadiaExpertAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.