Exchange Server 2007: Renewing the self-signed certificate

Exchange Server 2007 issues itself a self-signed certificate for use with services like SMTP, IMAP, POP, IIS and UM. The certificate is issued for a period of one year.

The self-signed certificate meets an important need – securing communication for Exchange services by default. Nevertheless, one should treat these self-signed certificates as temporary. It’s not recommended to use these for any client communication on an ongoing basis. For most deployments, you will end up procuring a certificate from a trusted 3rd-party CA (or perhaps an internal CA in organizations with PKI deployed).

However, should you decide to leave the self-signed certificate(s) on some servers and continue to use them, these need to be renewed – just as you would renew certificates from 3rd-party or in-house CAs.

Step 1:
To renew the certificate on a server with the CAS and HT roles installed:

Get-ExchangeCertificate -domain "" | fl

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers).
Copy the thumbprint of the certificate.

Get-ExchangeCertificate -thumbprint "0B188A07E3ED59FE402C88ABAE462C663E00A1B9" | New-ExchangeCertificate

If the existing certificate is being used for SMTP, you will get the following prompt:

[Screenshot: prompt to overwrite the default SMTP certificate]

Type y to continue. A new certificate is generated.

[Screenshot: new certificate generated]

The new certificate is generated and enabled. Examine the new certificate (pipe to fl, not to New-ExchangeCertificate, which would create yet another certificate):

Get-ExchangeCertificate -thumbprint "0B188A07E3ED59FE402C88ABAE462C663E22A1D8" | fl

Step 2:
The old certificate is enabled for IIS, POP, IMAP and SMTP. The new certificate generated using the above command is enabled only for POP, IMAP and SMTP – IIS is missing.

To enable the certificate for IIS:

Enable-ExchangeCertificate -thumbprint "0B188A07E3ED59FE402C88ABAE462C663E22A1D8" -services IIS

This enables the certificate for IIS (in addition to any other services it may already be enabled for – it adds to existing values of the services property).

Step 3:
Test that services are working with the new certificate. If everything works as expected, the old certificate can be removed:

Remove-ExchangeCertificate -thumbprint "0B188A07E3ED59FE402C88ABAE462C663E00A1B9"
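Steps 1 to 3 can be wrapped into one Exchange Management Shell function that clones the certificate and re-enables whatever services the clone did not inherit (the IIS case from Step 2). This is an added example, not part of the original post; it assumes the Exchange 2007 cmdlets used above plus the Thumbprint, Services, IsSelfSigned and NotAfter properties of the certificate object, and the function name is mine.

```powershell
# Added example (not from the original post): renew one self-signed Exchange 2007
# certificate and re-enable any service the clone dropped. Run in the Exchange
# Management Shell; $Thumbprint is the thumbprint of the certificate being renewed.
function Renew-SelfSignedExchangeCertificate {
    param([string]$Thumbprint)

    $old = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if (-not $old.IsSelfSigned) {
        throw "Certificate $Thumbprint is CA-issued; renew it with the issuing CA instead."
    }

    # Remember which services the old certificate serves (e.g. "IMAP, POP, IIS, SMTP").
    $oldServices = @($old.Services.ToString().Split(',') | ForEach-Object { $_.Trim() })

    # Snapshot existing thumbprints so the new certificate can be identified afterwards
    # without relying on what New-ExchangeCertificate writes to the pipeline.
    $before = @(Get-ExchangeCertificate | ForEach-Object { $_.Thumbprint })

    # Clone the old certificate (same as Step 1). If it is the default SMTP
    # certificate, the shell asks whether to overwrite it; answer y.
    $old | New-ExchangeCertificate | Out-Null

    $new = @(Get-ExchangeCertificate | Where-Object { $before -notcontains $_.Thumbprint })
    if ($new.Count -ne 1) { throw "Expected exactly one new certificate, found $($new.Count)." }
    $new = $new[0]

    # Step 2: enable on the new certificate whatever the clone did not inherit (IIS in the post).
    $newServices = @($new.Services.ToString().Split(',') | ForEach-Object { $_.Trim() })
    $missing = @($oldServices | Where-Object { $_ -ne 'None' -and $newServices -notcontains $_ })
    if ($missing.Count -gt 0) {
        Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services ([string]::Join(',', $missing))
    }

    # Show old and new side by side so the operator can do Step 3 (test, then remove the old one).
    $old.Thumbprint, $new.Thumbprint |
        ForEach-Object { Get-ExchangeCertificate -Thumbprint $_ } |
        Select-Object Thumbprint, NotAfter, Services, IsSelfSigned
}

# Usage: the thumbprint is the old certificate from Step 1 of the post.
Renew-SelfSignedExchangeCertificate -Thumbprint "0B188A07E3ED59FE402C88ABAE462C663E00A1B9"
```

The function deliberately does not remove the old certificate; run Remove-ExchangeCertificate yourself once the new one has been tested, as Step 3 describes.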

