Renewing your Exchange 2010 SSL Cert

It’s that time again. Has it been 3 years already? According to my Exchange SSL cert, indeed it has! Renewing your SSL cert in Exchange 2010 is not very difficult, but there is some strangeness to it. I’ve seen a lot of others say it’s just easier to install it as a new cert. Exchange 2010 does have a way to renew the cert, and it’s nice because it does not require any downtime; there is just some oddness to the way it’s done. In this post we are going to walk through the process of doing a renewal.

You can do this process from PowerShell (the Exchange Management Shell) or from the Exchange Management Console (EMC). In this example we’ll be using the EMC because it takes better screenshots.

Once you have the EMC loaded, select “Server Configuration” on the left side. In the top pane select one of your servers that has the SSL cert installed on it. Find the cert in the bottom pane, right-click it, choose “Renew Certificate”, and select a place to store the .req file.

Screenshot 2013-11-19 16.26.02

Screenshot 2013-11-19 16.26.18

Doing the above step creates a .req file. This is the CSR you need when you renew your cert with the company that issued it. The odd part is that this .req file is binary rather than the plain-text CSR you would expect. It’s Base64, however, so it can be “decoded”. So let’s do that. I used this website to decode the .req file and get my CSR into a text format I can actually use.

Open the link above, click “Browse”, and select the .req file generated in the first step. Click “Convert the source data”. This gives you the decoded CSR to copy and paste when you renew the cert with the SSL issuer.
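The same conversion can be done locally in PowerShell, which avoids handing the request to a third-party web form at all. The block below is an added example, not code from the original post; it assumes, as the post describes, that the wizard wrote the request in binary (DER) form, and the two file paths are placeholders to replace with your own. It also handles the case where the file is already text, and finishes with a `certutil -dump` check so you can confirm the subject and alternative names before submitting the request.

```powershell
# Added example, not from the original post. Paths are placeholders.
$binaryReq = 'C:\Certs\exchange-renew.req'   # the .req the EMC wizard wrote
$textReq   = 'C:\Certs\exchange-renew.txt'   # text CSR to paste into the issuer's form

$bytes = [System.IO.File]::ReadAllBytes($binaryReq)

# Edge case: if the file already starts with a PEM header it is text, not
# binary, and needs no conversion.
$head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(10, $bytes.Length))
if ($head.StartsWith('-----BEGIN')) {
    Write-Host "$binaryReq is already a text CSR; submit it as-is."
    return
}

# Base64-encode the DER bytes and wrap at 64 characters per line, the layout
# CA submission forms expect.
$b64   = [System.Convert]::ToBase64String($bytes)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}

$pem = @('-----BEGIN NEW CERTIFICATE REQUEST-----') + $lines + @('-----END NEW CERTIFICATE REQUEST-----')
Set-Content -Path $textReq -Value $pem -Encoding Ascii

# Sanity check before submitting: certutil parses the request and prints the
# subject and Subject Alternative Names, so you can confirm it still carries
# every host name the renewed certificate must cover.
certutil -dump $textReq
```

`certutil -dump` also accepts the original binary .req directly, so you can run it on both files and compare the output if you want to be sure the encoding step changed nothing but the representation.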

Screenshot 2013-11-19 16.49.25

Now go to whichever issuer you used for your SSL cert and go through the renewal process. In my case we use GoDaddy because they are cheap and pretty fast. At some point during renewal you’ll be asked to provide the CSR, which you now have. Once the SSL cert has been renewed on the issuer’s site you can download it.

Go back to the EMC and again select “Server Configuration” on the left side. In the top pane select the same server you used in the first step of this guide. Find the cert in the bottom pane, right-click it, and select “Complete Pending Request”. As you go through this wizard it will ask for your cert file and ask which services to assign to the cert. Assign the ones your organization uses; in my case that’s IMAP, POP, IIS and SMTP.

Screenshot 2013-11-19 17.08.06

If you have more than one CAS server you will need to put the renewed SSL cert on each of those servers as well. In the EMC select “Server Configuration” on the left side, then select the server on which you just installed the renewed cert. In the bottom pane right-click the new cert (make sure you click the new cert and not the old one – we’ll be deleting the old one in a few minutes) and click “Export Exchange Certificate”. Export it to a .pfx with a password to a safe location.

Screenshot 2013-11-19 17.13.42

Now in the EMC select the next CAS server. In the bottom pane right-click in the white space, select “Import Exchange Certificate”, and import the .pfx you just exported. Then right-click the new cert and click “Assign Services to Certificate”, assigning the same services you did on the previous CAS server.

You can now delete the old certs from the EMC: right-click the old cert and select “Remove”.
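The whole renewal, from request through completing it, copying it to the other CAS servers and removing the old cert, can also be scripted in the Exchange Management Shell. The block below is an added example, not the post’s own code; it uses the Exchange 2010 certificate cmdlets as documented, and the server names, thumbprint placeholder, paths and service list are assumptions to replace with your own. It adds two checks the wizard does not enforce: it lists what is actually near expiry first, and it only removes the old cert on a server where the new thumbprint is present and has services enabled.

```powershell
# Added example, not the post's own code. Names, paths and the thumbprint are placeholders.
$primaryCas = 'CAS01'
$otherCas   = @('CAS02')
$oldThumb   = '<THUMBPRINT OF THE EXPIRING CERT>'
$certDir    = 'C:\Certs'
$services   = 'IMAP, POP, IIS, SMTP'

# Step 0: see what is about to expire, rather than guessing which cert to renew.
Get-ExchangeCertificate -Server $primaryCas |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# Step 1: generate the renewal request from the existing cert. Piping the old
# certificate into New-ExchangeCertificate reuses its subject and SAN entries,
# so check the request covers every host name you still need.
$reqText = Get-ExchangeCertificate -Server $primaryCas -Thumbprint $oldThumb |
    New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
Set-Content -Path "$certDir\renew.req" -Value $reqText -Encoding Ascii
# Submit renew.req to the issuer and save the returned cert as $certDir\renewed.cer.

# Step 2: complete the pending request and assign services.
$newCert = Import-ExchangeCertificate -Server $primaryCas `
    -FileData ([Byte[]]$(Get-Content -Path "$certDir\renewed.cer" -Encoding Byte -ReadCount 0))
$newCert | Enable-ExchangeCertificate -Server $primaryCas -Services $services

# Step 3: export the new cert with its private key to a password-protected PFX
# for the remaining CAS servers.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Server $primaryCas -Thumbprint $newCert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "$certDir\renewed.pfx" -Value $pfx.FileData -Encoding Byte

# Step 4: import and enable the same services on every other CAS server.
foreach ($server in $otherCas) {
    Import-ExchangeCertificate -Server $server -Password $pfxPassword `
        -FileData ([Byte[]]$(Get-Content -Path "$certDir\renewed.pfx" -Encoding Byte -ReadCount 0)) |
        Enable-ExchangeCertificate -Server $server -Services $services
}

# Step 5: verify before removing anything. The old cert is only deleted on a
# server where the new thumbprint is present and has services enabled.
foreach ($server in @($primaryCas) + $otherCas) {
    $installed = Get-ExchangeCertificate -Server $server -Thumbprint $newCert.Thumbprint
    if ($installed -and $installed.Services -ne 'None') {
        Remove-ExchangeCertificate -Server $server -Thumbprint $oldThumb -Confirm:$false
    } else {
        Write-Warning "New cert not enabled on $server; leaving the old cert in place."
    }
}

# The PFX contains the private key; remove it once every server has imported it.
Remove-Item "$certDir\renewed.pfx"
```

Run each step block by block the first time rather than as one script, since step 1 ends with a manual round trip to the issuer. Keeping the old certificate until the verification loop passes is what preserves the no-downtime property the post describes: clients keep using the old cert on any server where the new one is not yet enabled.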

I hope that helps clear up some of the confusion I was reading about. It seems some people were confused because the .req file Exchange writes is a binary file and not the normal CSR text file one would expect.
