itsteam1-4776 asked KyleXu-MSFT commented

How do I renew the SSL certificate on a hybrid Exchange environment?

Hi Guys,
We are running Exchange in a hybrid environment with O365. Our webmail shows the SSL certificate will expire this month. Should I just buy a new SSL cert from the domain host and then plug it into the Exchange servers only? Are there any steps I need to do on the AD connector? Thank you.

office-exchange-hybrid-itpro

@itsteam1-4776
I am writing here to confirm with you any update about this thread now.
If the suggestion below helps, please feel free to accept it as an answer to help more people.

0 Votes 0 ·

I need more help from people, because the hybrid Exchange environment is complicated.

0 Votes 0 ·
CdricPerion-5162 answered CdricPerion-5162 commented

Hi @itsteam1-4776,

When you are running a hybrid environment and you need to replace a certificate, the important things are the connectors created by HCW.
Check this link, it can help: https://martinsblog.dk/exchange-replacing-certificate-for-microsoft-365-hybrid-connectors/

For AAD Connect, no impacts with the Exchange SSL Certificate.

Thanks
Cedric


Do I need to rerun the Exchange wizard?

0 Votes 0 ·

Nope, normally no need to rerun the hybrid wizard.

0 Votes 0 ·

What if I buy a cert from GoDaddy? Do I need to get the thumbprint for the new cert?

0 Votes 0 ·

You need to renew your webmail certificate, so it's an SSL certificate; so yes, buy it from, for example, GoDaddy.

Check this link to renew an SSL certificate on Exchange 2016.

https://www.geocerts.com/support/renewing-an-exchange-server-2016-ssl-certificate

After that, if you use this certificate (the old webmail certificate) for the hybrid mode (when you configure it), just change the thumbprint in your connector (as I mentioned before) to the new one.

My scenario is the case where you use a multi-site SSL certificate and you use it for webmail and for hybrid mode.

———-
If the response is good for you, don't hesitate to accept the answer; it helps :) and it's appreciated!!!

0 Votes 0 ·

It is because we are running 3 Exchange servers in DAG mode. So I need to change the cert on all servers, right?
I have also found this URL to renew a GoDaddy SSL cert:

https://xpertstec.com/how-to-install-configure-renew-godaddy-ssl-certificate-in-exchange/

Any impact if I do this? Thank you.

0 Votes 0 ·

Plus, we have two MRS servers for the hybrid environment. Any issue if I only renew the SSL cert of the Exchange servers?

0 Votes 0 ·

Are you using a different SSL cert for the MRS servers?

0 Votes 0 ·

We use a wildcard cert for the two MRS servers, *.abc.com; it will expire on 12/2022.
But the Exchange servers use a specific-name cert, mail.abc.com; it will expire on 6/2022.
Will there be any impact if I change only the mail.abc.com cert?

0 Votes 0 ·
KyleXu-MSFT answered KyleXu-MSFT commented

@itsteam1-4776

Do you mean the certificate that is used for IIS will expire soon?

About this certificate:

  1. You could click "Renew" to generate a renewal request

  2. Then use this request to apply for a new certificate from a certification authority

  3. Import this new certificate to Exchange server to complete this new certificate request.

  4. Assign IIS service to this certificate, and run IISReset in CMD

  5. Rerun HCW.



Yes. Our Exchange webmail certificate shows it will expire soon. But is there anything I need to do with AADC?

0 Votes 0 ·

No, you don't need to make any changes to AAD Connect.

0 Votes 0 ·

Can I just buy a wildcard SSL cert from GoDaddy instead of creating a self-signed cert on Exchange?

0 Votes 0 ·

So your approach is simply to import a wildcard cert from GoDaddy and then enable the SMTP and POP services on it, right?

0 Votes 0 ·

In this pic, I can't uncheck SMTP, IMAP, POP and IIS. Any advice? Thank you.

0 Votes 0 ·

You cannot uncheck a service from a certificate. After you assign the service to another certificate, it will be replaced.

0 Votes 0 ·

When rerunning HCW, are there any options I need to check?

0 Votes 0 ·

Choose this new certificate as the hybrid certificate when you run HCW.

0 Votes 0 ·
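
Added example (not part of any post in this thread): a read-only check to run in the on-premises Exchange Management Shell after importing the renewed certificate. It lists certificates per server (each DAG member has its own store), flags servers where the new certificate is missing or lacks IIS/SMTP, and shows which connectors reference a certificate through `TlsCertificateName`. `$NewThumbprint` and `$WarnDays` are assumed names; the thumbprint is a placeholder.

```powershell
# Added example; read-only. Run in the on-premises Exchange Management Shell.
# Placeholder: set to the thumbprint of the renewed certificate after import.
$NewThumbprint = '<NEW-CERT-THUMBPRINT>'
$WarnDays      = 30
$servers       = (Get-ExchangeServer).Name

# 1. Inventory the certificates on every Exchange server.
$inventory = foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv | ForEach-Object {
        [pscustomobject]@{
            Server     = $srv
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Services   = "$($_.Services)"
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# 2. Certificates still bound to IIS or SMTP that expire within $WarnDays.
$inventory |
    Where-Object { $_.DaysLeft -le $WarnDays -and $_.Services -match 'IIS|SMTP' } |
    Format-Table Server, Subject, Services, NotAfter, DaysLeft -AutoSize

# 3. Servers where the new certificate is missing or lacks IIS/SMTP.
foreach ($srv in $servers) {
    $new = $inventory | Where-Object { $_.Server -eq $srv -and $_.Thumbprint -eq $NewThumbprint }
    if (-not $new) { Write-Warning "$srv : new certificate not installed" }
    elseif ($new.Services -notmatch 'IIS' -or $new.Services -notmatch 'SMTP') {
        Write-Warning "$srv : new certificate has services '$($new.Services)'"
    }
}

# 4. Connectors that reference a certificate by issuer and subject.
$ref      = $inventory | Where-Object Thumbprint -eq $NewThumbprint | Select-Object -First 1
$expected = if ($ref) { "<I>$($ref.Issuer)<S>$($ref.Subject)" }
@(Get-SendConnector) + @(Get-ReceiveConnector) |
    Where-Object { $_.TlsCertificateName } |
    Select-Object Identity,
        @{ n = 'TlsCertificateName'; e = { "$($_.TlsCertificateName)" } },
        @{ n = 'MatchesNewCert';     e = { "$($_.TlsCertificateName)" -eq $expected } } |
    Format-List
```

A connector showing `MatchesNewCert : False` still references the issuer and subject of a different certificate and is the one to review before the old certificate expires.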
imamitsingh answered itsteam1-4776 edited

Also, you can check this article for help - https://www.linkedin.com/pulse/detailed-certificate-requirements-hybrid-deployments-/



That URL is unreachable.

0 Votes 0 ·