Should I renew self-signed Exchange certificates on all the servers, or should I renew only on one server and import and export the same certificate to all of the other servers?

Hi,

I have got a few certificates:
1. "Microsoft Exchange Server Auth certificate"
2. Microsoft Exchange
3. Exchange Delegation Federation

These certificates are going to expire soon on CAS SERVER 1, CAS SERVER 2, MAILBOX SERVER 1 and MAILBOX SERVER 2 of my Exchange Server 2013 Enterprise in a DAG. Each certificate on all of my 5 servers has the same thumbprint, the same serial number and the same public key size.

So what I did was go to the Exchange ECP, Servers > Certificates, select "Microsoft Exchange Server Auth certificate" of mailbox server 1 and click the "renew" button in the right side pane. After a few seconds a new certificate with the name "Microsoft exchange server Auth Certificate" was created with 5 years extended validity. My question is: should I do the same process on all of my other servers (mailbox server 2, CAS server 1, CAS server 2), or should I export the certificate from mailbox server 2 and import it to all of the other Exchange servers?

Please enlighten me which procedure I need to follow, and whether the same will be applicable for the other 2 certificates as well (that is, the certificates with the names "Microsoft Exchange" and "Exchange Delegation Federation").

Please find attached screenshot for your reference.

Mailbox server 1 :-
mbx1.jpg
Mailbox Server 2 :-
mbx2.jpg
Thank you a lot in advance.
Sharaf
Sharaf K, Exchange 2013 admin & Network Admin, Asked:

yo_bee, Director of Information Technology, Commented:
If they are the same cert you should be able to export the recently renewed cert and import and replace on the other server.  If they are specific for each server you will need to renew each one individually.
0
Mahesh, Architect, Commented:
No need to renew self-signed certificates; those certificates will be renewed automatically.
You need to update the public certificate which you obtained from a public CA.
This certificate must first be installed on the same Exchange server (CAS) where your renewal request was generated, and later on you can install it on the other CAS servers from the same console or individually; finally, assign services to this certificate.
You will find a lot of posts on how to renew a public SSL cert on Exchange CAS servers.
0
Sharaf K, Exchange 2013 admin & Network Admin, Author Commented:
@Mahesh: I have posted the same question to many forums and everyone else so far says self-signed certificates would not get renewed automatically and must be renewed manually. I'm just confused.

Thank you. My public certs from DigiCert are not yet due for renewal and I have installed them only on the CAS servers.

@yo_bee: are you sure?
0

yo_bee, Director of Information Technology, Commented:
I have renewed my public wildcard cert multiple times and have exported them for other servers without any issues, but Mes does have more details about this.
0
Mahesh, Architect, Commented:
OK.
I have never been in a situation where I had to renew self-signed certs.
Normally these certs are required for SMTP communication between hub transport servers or mailbox servers.
You are right, if at all these certs are expiring, you can renew them with the same key pair; the process is well documented in blogs.
Apologies for the misconception.
0
Sharaf K, Exchange 2013 admin & Network Admin, Author Commented:
I have got the answer. Self-signed certificates should not be exported/imported to other servers. If there are multiple servers, then each self-signed certificate on each server should be renewed from that server.
0
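An added example, not part of any participant's post: a read-only inventory for the Exchange Management Shell that lists the self-signed certificates on every server with their expiry dates, then groups them by thumbprint so it is visible which certificates are the same on several servers and which are specific to one server. The 60-day warning window is an assumed value.

```powershell
# Added example: read-only inventory, nothing is renewed, exported or changed.
# Run from the Exchange Management Shell.
$warnDays = 60                       # assumed warning window, adjust as needed
$cutoff   = (Get-Date).AddDays($warnDays)

# Collect the self-signed certificates from every Exchange server.
$certs = foreach ($server in Get-ExchangeServer) {
    Get-ExchangeCertificate -Server $server.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.IsSelfSigned } |
        Select-Object @{ n = 'Server';      e = { $server.Name } },
                      FriendlyName, Subject, Thumbprint, Services, NotAfter,
                      @{ n = 'ExpiresSoon'; e = { $_.NotAfter -lt $cutoff } }
}

# View 1: per server, soonest expiry first.
$certs | Sort-Object Server, NotAfter |
    Format-Table Server, FriendlyName, Thumbprint, Services, NotAfter, ExpiresSoon -AutoSize

# View 2: per thumbprint. ServerCount > 1 means the same certificate is
# installed on several servers; ServerCount = 1 means it exists on one only.
$certs | Group-Object Thumbprint | ForEach-Object {
    [pscustomobject]@{
        Thumbprint   = $_.Name
        FriendlyName = $_.Group[0].FriendlyName
        ServerCount  = ($_.Group.Server | Sort-Object -Unique).Count
        Servers      = ($_.Group.Server | Sort-Object -Unique) -join ', '
        NotAfter     = $_.Group[0].NotAfter
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```

Running it again after a renewal shows whether the new thumbprint appears on the servers where it is expected and whether the old certificate is still present.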
Sharaf K, Exchange 2013 admin & Network Admin, Author Commented:
I have got the right answer
0