How to Replace Exchange Self Signed Certificate

Exchange Logo

When Exchange 2013 is installed (but this is true for Exchange 2007 and 2010 as well)  a self signed certificate is created to protect services that run on the Client Access Server like

  • Outlook Anywhere
  • Outlook Web Access
  • ActiveSync
  • Exchange Web Services

While this simplifies setup tasks the Exchange Self Signed Certificate will generate errors when a client tries to connect to one of the services as it is not released by a trusted Certification Authority. [su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: The above applies to the Client Access Role as Mailbox Server does not directly accepts client connections hence can use a self signed certificate [/su_note]

The self signed certificate configuration can easily be checked with the following command which will display more details about services and certificates

Get-ExchangeCertificate |select Subject,IsSelfSigned,Services | Format-Table -AutoSize

Subject                                       IsSelfSigned             Services
-------                                       ------------             --------
CN=Microsoft Exchange Server Auth Certificate         True                 SMTP
CN=SZHV-EXM01                                         True IMAP, POP, IIS, SMTP
CN=WMSvc-SZHV-EXM01                                   True                 None

Exchange Self Signed Certificate – Generate CSR

The first step to replace the Exchange Self Signed certificate is generating a Certificate Signing Request (CSR) that will then be submitted a Certificate Authority for the certificate release.

Open Exchange Administration Center → Servers → Certificates and click the sign to start the CSR generation process selecting Create a Request for a certificate from a certification authority and assign the Certificate request a friendly name

Exchange Self Signed Certificate - CSR

Exchange Self Signed Certificate - CSR Name

In the New Exchange Certificate window you have the option to request a Wildcard Certificate for the sake of the lab environment we will request a standard certificate

Exchange Self Signed Certificate - Wildcard Certificate

You will be asked where to store the CSR file which is usually on the same server where it being requested

Exchange Self Signed Certificate - Request Path

The wizard will ask you specify service names that will be used to access services both from the internet and the intranet if the same name will be used more than once it is not necessary to specify it multiple times

Exchange Self Signed Certificate - Service Names ConfigurationBased on the selection performed in the previous step a list of names will appear in the following page which you should review and remove any unwanted name that is included

Exchange Self Signed Certificate - Subject Names

[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: When creating a CSR for a commercial certificate you should remove any entry containing NetBIOS, domain local names and/or IP addresses as the Commercial Certificate Authority will otherwise not issue the certificate[/su_note]

In the next windows you will be asked to supply information like Organization Name and Department requesting the certificate fill in all fields as appropriate and click on Next 

Exchange Self Signed Certificate - CSR Organization

In the final window you will be asked to specify a path where to store the CSR file that will then sent to the Certificate Authority for certificate issue, I have created a share on the Exchange server for the purpose

Exchange Self Signed Certificate - Store CSR File

Back to the Servers → Certificates page you will see the Pending Request for the certificate we’ve just requested

Exchange Self Signed Certificate - Pending Request

Exchange Self Signed Certificate – Install New Certificate

Once the certificate has been issued you can complete the pending request clicking on the Complete link in the Server → Certificates page

Exchange Self Signed Certificate - Complete Certificate Request

Specify the UNC path where the certificate has been stored, I’ve used the same folder where I’ve stored the CSR file, and then click OK

Exchange Self Signed Certificate - Certificae PathThe Certificate will be imported in Exchange and displayed among the available Exchange Certificates

Exchange Self Signed Certificate - Install Review

[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: If Exchange displays the certificate as invalid you will need to import the issue root CA Chain into the local certificate store [/su_note]

Once the certificate has been installed on the Exchange server click the pencil icon to edit the configuration and assign the certificate to any desired service

Exchange Self Signed Certificate - Assign Certificate


5 thoughts on “How to Replace Exchange Self Signed Certificate

  1. Hi,
    May I know could I delete self-signed certificate if I already issued third party certificate to Exchange Client Access Server ? I assigned IMAP, POP, SMTP, IIS services to the third party certificate, but self-signed also have SMTP (I guess it’s by default).


    1. Hey Ian sorry for the late answer but these are extremely busy days and did not check my mail in a while.

      Yes as you guessed self-signed certificate is assigned by default to the SMTP service but you can safely ignore it.

      If you already have assigned the third party certificate to your services (IIS, SMTP etc.) simply get rid of the self signed one without any issue.

      As a best practice I remove the self signed certificate as soon as a proper production one is in place to keep everything clear and in order.


  2. Did that and the exchange administrative center stops loading .. always redirect me back to the log in page … have to generate a new self-signed cert and bind it to port 444 in order to get it to work again .. sad


    1. Hello Vince,

      apologies for the late answer but had some technical issues keeping me away from the blog. I never run into such a situation and honestly don’t think issue you are facing is bound to the certificate itself as that does not impact the underlying application in any way.

      Have you tried having a look at IIS logs and see if you can find anything in there? Also recycling app pools and restarting IIS can be beneficial.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s