Renew certificates
APPLIES TO: 
2013 2016 2019 
Subscription Edition SharePoint in Microsoft 365
SharePoint supports renewing SSL certificates via the Renew-SPCertificate PowerShell cmdlet. This creates a new certificate signing request based on the properties of an existing certificate and is the first step in a three-step process to renew an SSL certificate.
Once an SSL certificate request is created via the operation, the SharePoint administrator must submit the certificate request to their SSL certificate authority. The SSL certificate authority will then generate a signed certificate based on the request and return it to the SharePoint administrator. The SharePoint administrator must then import the certificate provided by the SSL certificate authority into SharePoint.
SharePoint will then pair the imported certificate with the private key generated by the certificate request operation. The certificate is then ready to be used by SharePoint.
When you import a certificate as part of a certificate renewal operation, you can specify the Replace switch parameter with the Import-SPCertificate cmdlet. This tells SharePoint to automatically replace the certificate assignments of the certificate being renewed with the new certificate.
Renew-SPCertificate [-Identity] <SPServerCertificatePipeBind> -FriendlyName <String> [-CommonName <String>] [-AlternativeNames <String[]>] [-OrganizationalUnit <>] [-Organization <String>] [-Locality <String>] [-State <String>] [-Country <String>] [-Exportable] [-HashAlgorithm {Default | SHA256 | SHA384 | SHA512}] [-Path <String>] [-Force] [<CommonParameters>]
Renew-SPCertificate [-Identity] <SPServerCertificatePipeBind> -FriendlyName <String> [-CommonName <String>] [-AlternativeNames <String[]>] [-OrganizationalUnit <>] [-Organization <String>] [-Locality <String>] [-State <String>] [-Country <String>] [-Exportable] [-KeySize {0 | 2048 | 4096 | 8192 | 16384}] [-HashAlgorithm {Default | SHA256 | SHA384 | SHA512}] [-Path <String>] [-Force] [<CommonParameters>]
Renew-SPCertificate [-Identity] <SPServerCertificatePipeBind> -FriendlyName <String> [-CommonName <String>] [-AlternativeNames <String[]>] [-OrganizationalUnit <>] [-Organization <String>] [-Locality <String>] [-State <String>] [-Country <String>] [-Exportable] [-EllipticCurve {Default | nistP256 | nistP384 | nistP521}] [-HashAlgorithm {Default | SHA256 | SHA384 | SHA512}] [-Path <String>] [-Force] [<CommonParameters>]
The cmdlet parameters are:
| Parameter | Description |
|---|---|
| Identity | The certificate to be renewed. |
| FriendlyName | The friendly name for the certificate. This name can be used to help you remember the purpose of this certificate. The friendly name will only be visible to SharePoint farm administrators, not to end users. |
| CommonName | The primary DNS domain name or IP address that this certificate will be assigned to. Fully Qualified Domain Names (FQDNs) are recommended. If this parameter isn't specified, the common name of the certificate to be renewed will be used. |
| AlternativeNames | Additional DNS domain names or IP addresses that this certificate will be assigned to. Fully Qualified Domain Names (FQDNs) are recommended. If this parameter isn't specified, the alternative names of the certificate to be renewed will be used. |
| OrganizationalUnit | The name of your department within your organization or company. If this parameter isn't specified, the organizational unit of the certificate to be renewed will be used. If an organizational unit can't be found in the certificate to be renewed, the default organizational unit of the farm will be used. |
| Organization | The legally registered name of your organization or company. If this parameter isn't specified, the organization of the certificate to be renewed will be used. If an organization can't be found in the certificate to be renewed, the default organization of the farm will be used. |
| Locality | The name of the city or locality where your organization is legally located. Don't abbreviate the name. If this parameter isn't specified, the locality of the certificate to be renewed will be used. If a locality can't be found in the certificate to be renewed, the default locality of the farm will be used. |
| State | The name of the state or province where your organization is legally located. Don't abbreviate the name. If this parameter isn't specified, the state of the certificate to be renewed will be used. If a state can't be found in the certificate to be renewed, the default state of the farm will be used. |
| Country | The two letter country code where your organization is legally located. This must be an ISO 3166-1 alpha-2 country code. If this parameter isn't specified, the country of the certificate to be renewed will be used. If a country can't be found in the certificate to be renewed, the default country of the farm will be used. |
| Exportable | Specifies whether the private key of the certificate may be exported. If this parameter is not specified, the private key of certificate deployed to the Windows Certificate Store on each server in the SharePoint farm won't be exportable, and SharePoint won't allow you to export the private key from within the SharePoint administration interface. |
| KeySize | Specifies to use the RSA key algorithm for your certificate, and the size of your public and private RSA keys in bits. Larger key sizes provide more cryptographic strength than smaller key sizes, but they're also more computationally expensive and take more time to complete the SSL/TLS connection. Select 2048 if you're unsure which key size to use. Key sizes larger than 4096 are not recommended. If neither this parameter nor the EllipticCurve parameter is specified, the key algorithm and key size / elliptic curve of the certificate to be renewed will be used. If a key algorithm and key size / elliptic curve can't be found in the certificate to be renewed, the default key algorithm and key size / elliptic curve of the farm will be used. |
| EllipticCurve | Specifies to use the elliptic curve cryptography key algorithm for your certificate, and the elliptic curve of your public and private ECC keys. Larger elliptic curves provide more cryptographic strength than smaller elliptic curves, but they're also more computationally expensive and take more time to complete the SSL/TLS connection. Select nistP256 if you're unsure, which elliptic curve to use. Elliptic curves larger than nistP384 are not recommended. If neither this parameter nor the KeySize parameter is specified, the key algorithm and key size / elliptic curve of the certificate to be renewed will be used. If a key algorithm and key size / elliptic curve can't be found in the certificate to be renewed, the default key algorithm and key size / elliptic curve of the farm will be used. |
| HashAlgorithm | Specifies the hash algorithm of your certificate signature, which your certificate authority will use to verify that your certificate request hasn't been tampered with. Larger hash algorithms provide more cryptographic strength than smaller hash algorithms, but they're also more computationally expensive. Select SHA256 if you're unsure which hash algorithm to use. Hash algorithms larger than SHA384 are not recommended. If this parameter is not specified, the hash algorithm of the certificate to be renewed will be used. If a supported hash algorithm can't be found in the certificate to be renewed, the default hash algorithm of the farm will be used. |
The following is the example of cmdlet syntax:
Renew-SPCertificate -Identity "Contoso SharePoint (2020)" -FriendlyName "Contoso SharePoint (2021)" -Exportable -Path "\\server\fileshare\Contoso SharePoint 2021 Certificate Signing Request.txt"