Is there a step-by-step on installing and enabling an "updated" certifcate for Exchange client services

asked 2021-04-30T19:00:15.653+00:00
Stephen Bruce 21 Reputation points

I just acquired a renewed update of a "paused" certificate for Exchange 2016 for POP,IMAP,SMTP,IIS. Is there a guide for installing and binding assigning the certificate to these services ? I originally installed this server and performed replacements of expired certificate but never updated a paused certificate. After installing the certificate into the "Web Server" store (probably my first mistake) the command to assign it to these services didn't work. I was hoping it would be as simple as that.

This command didn't work. It said it couldn't find the thumbprint which I copied directly from the certificate details.

Enable-ExchangeCertificate -Thumbprint 0b7a2f0232fa0f315ff6c4f7d62018c25aebff33 -Services POP,IMAP,SMTP,IIS

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,064 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. answered 2021-05-03T03:41:27.18+00:00
    Yuki Sun-MSFT 24,256 Reputation points

    Hi @Stephen Bruce ,

    Are you able to see this certificate via EAC > Server >certificates or in the output of the command below?

    Get-ExchangeCertificate  
    

    If not, it seems that you might haven't followed the supported approprach to renew the Exchange certificate and thus it's the expected behavior that the services cannot be successfully binded to the certificate.

    Generally, if it's a certificate that was issued by a CA, we would need to create a certificate renewal request, send the request to the CA and then the CA sends us the actual certificate file that we need to install on the Exchange server. The procedure is nearly identical to that of completing a new certificate request by installing the certificate on the server. For more details, hopefully you can find the document below helpful:
    Renew an Exchange Server certificate


    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. answered 2021-05-04T14:11:02.473+00:00
    Stephen Bruce 21 Reputation points

    RE . . you asked for the results of this command - below.
    It shows the an expired certificate and the new certificate both assigned for client services.
    is that the problem ?

    When I ran the command to enable and assign the new certificate, it asked if it should overwrite the existing certificate . . I said Y

    I didn't remove the expired certificate manually because i didn't want to break the services.

    RE . . I restarted the server to see if the status of the new certificate would change, before I submitted this question.

    [PS] C:\Windows\system32>Get-ExchangeCertificate | FL
    Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...
    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : { REDACTED
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : C=US, S=mn, XXXXXXXXXXXXXXXX
    NotAfter : 5/1/2022 11:51:46 AM
    NotBefore : 5/1/2021 11:31:46 AM
    PublicKeySize : 2048
    RootCAType : Unknown
    SerialNumber : 43771D1FAD78D3A749FEAF8C32AF99CF
    Services : None
    Status : PendingRequest
    Subject : C=US, XXXXXXXXXXXXXXXXXXXXXXX
    Thumbprint : 23EE9686373E31E6364872C3A371F0B2F945FCBA

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {owa.contoso.com, www.owa.contoso.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=XXX
    NotAfter : 5/1/2022 6:59:59 PM
    NotBefore : 4/30/2021 7:00:00 PM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 00BED1EA8B7153E827C2A00A4B4C5C5A1E
    Services : IMAP, POP, IIS, SMTP
    Status : Valid
    Subject : CN=owa.contoso.com

    Thumbprint : 5B319E743D3D4C6BFBC22D41CBF02F3B8192254F

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {owa.contoso.com, www.owa.contoso.com}
    HasPrivateKey : True
    IsSelfSigned : False
    Issuer : CN=XXX
    NotAfter : 4/29/2021 6:59:59 PM
    NotBefore : 4/21/2020 7:00:00 PM
    PublicKeySize : 2048
    RootCAType : ThirdParty
    SerialNumber : 3D14FBF4D3E899E1CE571572DEA54946
    Services : IMAP, POP, SMTP
    Status : DateInvalid
    Subject : CN=owa.contoso.com
    Thumbprint : 0B7A2F0232FA0F315FF6C4F7D62018C25AEBFF33

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {ex2016, ex2016.mail.dmz}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=ex2016
    NotAfter : 5/5/2023 5:25:15 AM
    NotBefore : 5/5/2018 5:25:15 AM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 1B26109BE2FC909C4E8B79CF615400CC
    Services : SMTP
    Status : Valid
    Subject : CN=ex2016
    Thumbprint : D6B99B18963707B482C654A8791B358FC70F76AA

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=Microsoft Exchange Server Auth Certificate
    NotAfter : 4/8/2023 1:02:26 PM
    NotBefore : 5/4/2018 1:02:26 PM
    PublicKeySize : 2048
    RootCAType : None
    SerialNumber : 6AEFCC8017ECAD9A43874F83D9C23982
    Services : SMTP
    Status : Valid
    Subject : CN=Microsoft Exchange Server Auth Certificate
    Thumbprint : 42E32369DA3D146E4E0C666653F98F47606C296C

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {ex2016, ex2016.mail.dmz}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=ex2016
    NotAfter : 5/4/2023 1:00:52 PM
    NotBefore : 5/4/2018 1:00:52 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 6C9E5390A3A73392432EE62A45A483ED
    Services : IIS, SMTP
    Status : Valid
    Subject : CN=ex2016
    Thumbprint : 42A468A860EFF753DE8AD79D2FC575BAC7A4BED2

    AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule,
    System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-SHA2-EX2016}
    HasPrivateKey : True
    IsSelfSigned : True
    Issuer : CN=WMSvc-SHA2-EX2016
    NotAfter : 5/1/2028 12:44:25 PM
    NotBefore : 5/4/2018 12:44:25 PM
    PublicKeySize : 2048
    RootCAType : Registry
    SerialNumber : 71BA83AE902DBEA846F0E5CF32607AC7
    Services : None
    Status : Valid
    Subject : CN=WMSvc-SHA2-EX2016
    Thumbprint : 874957BA59F383474BD40FB85B8C203D15F18C3A

    [PS] C:\Windows\system32>