Should I renew self-signed Exchange certificates on all the servers, or renew only on one server and export/import the same certificate to all of the other servers?

Hi,

I have got a few certificates:
1. "Microsoft Exchange Server Auth Certificate",
2. "Microsoft Exchange",
3. "Exchange Delegation Federation",
which are going to expire soon on CAS SERVER 1, CAS SERVER 2, MAILBOX SERVER 1 & MAILBOX SERVER 2 of my Exchange Server 2013 Enterprise in a DAG. Each certificate on all of my 5 servers has the same thumbprint, same serial number & same public key size.

So what I did was: I went to the Exchange ECP, Servers > Certificates, selected "Microsoft Exchange Server Auth Certificate" on mailbox server 1 and clicked the "Renew" button in the right-hand pane. After a few seconds a new certificate with the name "Microsoft Exchange Server Auth Certificate" was created with a 5-year extended validity. My question is: should I do the same process on all of my other servers (mailbox server 2, CAS server 1, CAS server 2), or should I export the certificate from mailbox server 2 and import it to all of the other Exchange servers?

Please enlighten me on which procedure I need to follow, and whether the same is applicable for the other 2 certificates as well (that is, the certificates with the names "Microsoft Exchange" & "Exchange Delegation Federation").

Please find the attached screenshots for your reference.

Mailbox server 1:
mbx1.jpg
Mailbox server 2:
mbx2.jpg

Thank you a lot in advance.
Sharaf

Sharaf K, Exchange 2013 admin & Network Admin, asked:
Sharaf K, Exchange 2013 admin & Network Admin (author), commented:
I have got the answer: self-signed certificates should not be exported/imported to other servers. If there are multiple servers, then each self-signed certificate on each server should be renewed from that server.
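The per-server renewal described in the accepted answer, as an added Exchange Management Shell example (not code from the original thread). It inventories the self-signed certificates on every server, renews the expiring ones in place on the server that holds them, and handles the "Microsoft Exchange Server Auth Certificate" separately, because that OAuth certificate is a single organization-wide certificate that Set-AuthConfig publishes to every server (which is why it shows the same thumbprint on all of them). Server names, the accepted domain and the 30-day warning window are assumptions.

```powershell
# Added example, not part of the original thread. Run from the Exchange
# Management Shell on an Exchange 2013 server. Server names, the domain and
# the warning window below are assumptions for illustration.

$servers  = 'CAS1', 'CAS2', 'MBX1', 'MBX2'   # assumed server names
$warnDays = 30                               # assumed warning window

# 1. Find self-signed certificates that expire within $warnDays on any server.
$expiring = foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv |
        Where-Object { $_.IsSelfSigned -and $_.NotAfter -lt (Get-Date).AddDays($warnDays) } |
        Select-Object @{ n = 'Server'; e = { $srv } }, FriendlyName, Thumbprint, NotAfter, Services
}
$expiring | Sort-Object Server, NotAfter | Format-Table -AutoSize

# 2. Renew each expiring self-signed certificate on the server that holds it.
#    Piping the existing certificate into New-ExchangeCertificate issues a new
#    self-signed certificate with the same subject and SANs; -Force suppresses
#    the "overwrite the default SMTP certificate?" prompt. The OAuth certificate
#    is skipped here because it is replaced organization-wide in step 3.
foreach ($cert in $expiring) {
    if ($cert.FriendlyName -eq 'Microsoft Exchange Server Auth Certificate') { continue }
    Get-ExchangeCertificate -Server $cert.Server -Thumbprint $cert.Thumbprint |
        New-ExchangeCertificate -Server $cert.Server -Force
}

# 3. The "Microsoft Exchange Server Auth Certificate" (OAuth) is one certificate
#    for the whole organization, published to every server by Set-AuthConfig.
#    Create the new certificate once on the server you run this on, then
#    publish it; do not export/import it by hand.
$domain = 'contoso.com'   # assumed accepted domain
$oauth = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'cn=Microsoft Exchange Server Auth Certificate' `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' `
    -DomainName $domain -Services None
Set-AuthConfig -NewCertificateThumbprint $oauth.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# 4. Verify: every server should now show self-signed certificates with a
#    NotAfter well in the future, and the same new OAuth thumbprint everywhere.
foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv |
        Where-Object { $_.IsSelfSigned } |
        Select-Object @{ n = 'Server'; e = { $srv } }, FriendlyName, Thumbprint, NotAfter
}
```

Step 2 is the shell equivalent of the ECP "Renew" button and must be run once per server, since each server's self-signed certificate is its own key pair. Step 3 is the exception: after Set-AuthConfig -PublishCertificate the new OAuth certificate appears on every server on its own, so copying it between servers is never needed.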
yo_bee, Director of Information Technology, commented:
If they are the same cert, you should be able to export the recently renewed cert and import and replace it on the other server. If they are specific to each server, you will need to renew each one individually.
Mahesh, Architect, commented:
No need to renew self-signed certificates; those certificates will be automatically renewed.
You need to update the public certificate which you obtained from the public CA.
This certificate must first be installed on the same Exchange server (CAS) where your renewal request was generated, and later on you can install it on the other CAS servers from the same console or individually. Finally, assign services to this certificate.
You will find a lot of posts on how to renew a public SSL cert on Exchange CAS servers.
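The export/import path that this comment describes for a CA-issued certificate, as an added Exchange Management Shell example (not code from the original thread). It copies the certificate with its private key from the CAS server that holds it to a second CAS server, binds the same services there, and refuses to copy a self-signed certificate at all. The server names, thumbprint, PFX path and password prompt are assumptions; the PFX is written to and read from the machine the shell runs on.

```powershell
# Added example, not part of the original thread. Run from the Exchange
# Management Shell. Server names, thumbprint and file path are assumptions.

$sourceServer = 'CAS1'                                        # assumed
$targetServer = 'CAS2'                                        # assumed
$thumbprint   = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'    # assumed thumbprint of the CA-issued cert
$pfxPath      = 'C:\Certs\mail-wildcard.pfx'                  # assumed local path on the shell machine
$pfxPassword  = Read-Host 'PFX password' -AsSecureString

# Sanity check first: only a CA-issued, exportable certificate should travel
# between servers. Self-signed certificates are renewed on each server instead.
$cert = Get-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint
if ($cert.IsSelfSigned) {
    throw "$thumbprint is self-signed; renew it on each server instead of copying it."
}
if (-not $cert.PrivateKeyExportable) {
    throw "Private key of $thumbprint is not exportable; the request must have been created with -PrivateKeyExportable `$true."
}

# Export as a password-protected binary PFX (private key plus chain).
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)

# Import on the target server and bind the same services it has on the source.
Import-ExchangeCertificate -Server $targetServer `
    -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) `
    -Password $pfxPassword -PrivateKeyExportable $true
Enable-ExchangeCertificate -Server $targetServer -Thumbprint $thumbprint -Services $cert.Services -Force

# The PFX contains the private key; remove it as soon as the import is done.
Remove-Item -Path $pfxPath -Force

# Confirm the thumbprint and bound services now match on both servers.
foreach ($srv in $sourceServer, $targetServer) {
    Get-ExchangeCertificate -Server $srv -Thumbprint $thumbprint |
        Select-Object @{ n = 'Server'; e = { $srv } }, Thumbprint, Services, NotAfter, IsSelfSigned
}
```

The same thumbprint on both servers after the last step is expected here, because a CA-issued certificate is one key pair deliberately shared by every CAS that terminates TLS for the same names; that is the opposite of the self-signed case, where each server is meant to keep its own key.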
Sharaf K, Exchange 2013 admin & Network Admin (author), commented:
@Mahesh: I have posted the same question to many forums, and everyone else so far says a self-signed certificate would not get renewed automatically and that it must be renewed manually. I'm just confused.

Thank you. My public cert from DigiCert is not yet due for renewal, and I have installed it only on the CAS servers.

@yo_bee: are you sure?
yo_bee, Director of Information Technology, commented:
I have renewed my public wildcard cert multiple times and have exported it for other servers without any issues, but Mes does have more details about this.
Mahesh, Architect, commented:
OK.
I have never been in a situation where I had to renew self-signed certs.
Normally these certs are required for SMTP communication between hub transport servers or mailbox servers.
You are right: if these certs are expiring, you can renew them with the same key pair; the process is well documented in blogs.
Apologies for the misconception.
Sharaf K, Exchange 2013 admin & Network Admin (author), commented:
I have got the right answer.