Replace Exchange Certificate Name

Exchange 2016

When deploying an Exchange server, be it any version between 2007 and 2016, you have been deploying a certificate to replace the self signed one that is automatically created during installation with one from a commercial or internal certification authority.

In most of the deployment I have been working with it is common practice to request a subject alternative name certificate containing both internal and external exchange names unfortunately effective October 31st this will not be possible anymore due a change in the CAB forum so you will need to replace any Exchange certificate containing the internal name of the server.

Requisites to Replace Exchange Certificate Name

The first step to replace the Exchange Certificate Name is making sure proper resolution is in place so that clients will be able to resolve the CAS Server name and URL address of the various services.

Let’s assume your internal domain name is helocheck.lab and the external domain name is chances are that your internal Web services URL will be similar to https://<Internal Server Name>.helocheck.lab/autodiscover/autodiscover.xml to be compliant this needs to be changed to something like with the clients being able to resolve this to the internal IP Address of the CAS Server (in case of Exchange 2007-2013).

In addition to having proper name resolution in place you will also need to request a new Exchange certificate containing all appropriate domain names in it but I will assume this step has already been taken care of.

Replace Exchange Certificate Name Configuration

Once proper name resolution is in place and the new certificate has been installed on the server you will need to change Exchange configuration so to remove any reference to internal name this is easily achieved through PowerShell

# Replace Exchange Certificate Name for Autodiscover internal URL
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri 

# Replace Exchange Certificate Name for EWS internal URL
Set-WebServicesVirtualDirectory -Identity "HostNameEWS (Default Web Site)" -InternalUrl

# Replace Exchange Certificate Name for OAB internal URL
 Set-OABVirtualDirectory -Identity "HostNameoab (Default Web Site)" -InternalUrl

Depending on the configuration you are working with you will also need to run the following commands

# Replace Exchange Certificate Name for ActiveSync internal URL
Set-ActiveSyncVirtualDirectory -Identity "HostNameMicrosoft-Server-ActiveSync (Default Web Site)" -InternalUrl 

# Replace Exchange Certificate Name for OWA internal URL
Set-OWAVirtualDirectory -Identity "HostNameowa (Default Web Site)" -InternalUrl

# Replace Exchange Certificate Name for ECP internal URL
Set-ECPVirtualDirectory -Identity "HostNameecp (Default Web Site)" -InternalUrl 

# Replace Exchange Certificate Name for RPC internal URL
 Set-OutlookAnywhere -Identity "HostNameRpc (Default Web Site)" -InternalHostname -InternalClientsRequireSsl $true

Once the above commands have been run to make the configuration immediately effective simply recycle to MSExchangeAutodiscoverAppPool open [IIS Manager] → [Application Pools] right-click on MSExchangeAutodiscoverAppPool and finallz select Recycle.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s