Re-Issuing a Self Signed Certificate for Exchange (SBS)

Most 2011 or 2008 SBS servers use self-signed certificates if the customer hasn’t paid that little extra for a fully signed cert, as they can be used internally for free without any (or many) issues.

The first sign of an internal Exchange certificate issue is Outlook popping up and asking users to accept a certificate to get their email. This may get repetitive over time. If you look at the certificate you will probably see that it has expired.


To fix this issue, go to your Exchange server and open the Exchange Management Shell (Exchange PowerShell) as an administrator.


Now type “Get-ExchangeCertificate”.


You will be presented with a list of certs; you now need to identify which one you need to renew.


Open the currently affected certificate, go to Details and scroll down to “Thumbprint”. Compare it with the thumbprints in the list to see which one you need to renew.


Now type “Get-ExchangeCertificate -Thumbprint” followed by the thumbprint of the cert you’re replacing, which you can highlight, copy and paste in.


After that press space and type “| New-ExchangeCertificate”, so in total you have “Get-ExchangeCertificate -Thumbprint MYTHUMBPRINTID | New-ExchangeCertificate”.


After this it will ask you to confirm.


You will then have a new cert, but it won’t be assigned to anything.


Now enter the following and press Enter:

Enable-ExchangeCertificate -Services "SMTP, POP, IMAP, IIS"


You will now be asked to confirm your thumbprint; here you copy the thumbprint of the new cert you just created and paste it in.


You will now get confirmation that other certs may be in use for the services you have selected (depending on your setup). Now check the certificate via OWA and you should see a new timestamp.


Finally, you should check that this cert is being accepted internally via localhost OWA, via external domain name OWA, and externally from the domain that the cert is being used on. Once you can confirm this, roll it out via group policy.
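
The steps above as one Exchange Management Shell script, added here as an example and not part of the original post. $oldThumbprint is a placeholder you fill in yourself, and passing -Thumbprint to Enable-ExchangeCertificate supplies the new thumbprint directly instead of pasting it at the prompt.

```powershell
# Added example: run in the Exchange Management Shell as an administrator.
# Placeholder: paste the thumbprint of the expired certificate here.
$oldThumbprint = 'PASTE-THUMBPRINT-OF-EXPIRED-CERT'

# 1. List all certificates, oldest expiry first, with the fields needed
#    to match the thumbprint shown in the Outlook/OWA certificate dialog.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-List Thumbprint, Subject, NotAfter, Services, IsSelfSigned

# 2. Fetch the certificate being replaced and sanity-check it.
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
if (-not $old) { throw "No certificate found with thumbprint $oldThumbprint" }
if (-not $old.IsSelfSigned) {
    # This procedure only re-issues self-signed certificates.
    throw "Certificate $oldThumbprint is not self-signed; stopping."
}
if ($old.NotAfter -gt (Get-Date)) {
    Write-Warning "Certificate has not expired yet (NotAfter: $($old.NotAfter))."
}

# 3. Clone it into a new self-signed certificate.
#    Exchange asks for confirmation here, as described in the post.
$new = $old | New-ExchangeCertificate

# 4. Assign the new certificate to the services.
#    Exchange may ask for confirmation if other certs hold these services.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "SMTP, POP, IMAP, IIS"

# 5. Verify: the new cert must be valid now and have services assigned.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.NotAfter -le (Get-Date)) { throw "New certificate is already expired." }
if ("$($check.Services)" -eq 'None') { throw "New certificate has no services assigned." }
$check | Format-List Thumbprint, Subject, NotBefore, NotAfter, Services
```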

Please note this guide is for SBS 2008 with Exchange 2007; it may be applicable elsewhere. I do not recommend self-signed certs, as “proper” certs can be purchased cheaply, come without a lot of hassle and are more secure.

9 Responses to Re-Issuing a Self Signed Certificate for Exchange (SBS)

  1. Jon Hege says:

    Thanks, this seems to have worked.

  2. Reedy says:

    Good article.

    But why not use the in built SBS tools to renew the certificate.

    Fix my network or connect to internet wizard will renew the self signed cert.

  3. MatthewP says:

    Thanks, did just the trick, a few minutes and all is well. 🙂

  4. jebus says:

    Ah cheers, in all honesty I didn’t know, however I will look at this for the next one I do

  5. Marcelo says:

    Thanks Pete for this. Great and simple article which saved me a lot of time.

  6. Justin says:

    Yep, works like a charm but as Pete says well worth getting a trusted certificate.

  7. [email protected] says:

    Simple method, good one. Saved me.

  8. Vimto says:

    “But why not use the in built SBS tools to renew the certificate.” – Because, sometimes it just doesn’t work, like so many things in SBS. Ours generated the certs and then failed on allocating them to services by the looks of it. I had to kill the bad ones it had just generated and then go through the procedure above which worked fine.

    I did have to add ‘-DoNotRequireSSL’ to the end of the last procedure or it would have locked down IIS to run in SSL only which we did not want.

  9. Nigel says:

    Pete, legend, worked a treat
