Renew Exchange 2010 Self-Signed Certificate

The default self-signed Exchange 2010 certificate is valid for a period of 5 years. It’s pretty easy to forget about the certificate’s expiration date unless you’ve set a reminder of some sort. Depending on what uses this self-signed cert, it may not cause a major issue. However, chances are that the Exchange self-signed certificate is being used somewhere in your organization. For example, if you are using Orion Solarwinds and WinRM to monitor your Exchange servers and the cert expires, then Solarwinds will not be able to monitor the Exchange servers until you renew the certificate in Exchange. Follow the steps below to renew Exchange 2010 self-signed certificates.

You may notice the following error on your Exchange server/s:

EventID=142 Source=WinRM Description= WSMan operation SignalShell failed error code 995

Powershell errors; error code 995 + HTTP_STATUS_DENIED

You may also notice the following error on your Orion Solarwinds management server/s:

Connecting to remote server failed with the following error message : The SSL connection cannot be established. Verify that the service on the remote host is properly configured to listen for HTTPS requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: “winrm quickconfig -transport:https”. For more information, see the about_Remote_Troubleshooting Help topic.”

1. Verify WinRM
The first thing to try is running the winrm command as the above paragraph state to do. Run the following command as an administrator on the Exchange server from a command line:

winrm quickconfig -transport:https

In my case, it ran successfully. Once you’ve verified you do not have an issue with WinRM, then check the status of the Exchange self-signed certificate.

Renew Exchange self-signed certificate
1. Log onto the Exchange 2010 server/s, open EMC (Exchange Management Console). Expand your Exchange Server and select Server Configuration and highlight the server/s in question. You will notice the self-signed certificate has expired.

solarwindsexs1
2. Right-click the cert and select Open. Select the Details tab and then select Thumbprint. Copy or make note of the certificate’s thumbprint. You will need this in order to renew the self-signed certificate.
solarwindsexs5  solarwindsexs9
3. Renew the NAHQEXS23 self-signed cert using its thumbprint to identify the cert using the following powershell command. Of course, you will need to open the Exchange Management Shell as an administrator prior to excuting the command below.

Get-ExchangeCertificate -Thumbprint ‘2borb319fg55cd442bf379876xxc6c8322a58679’ | New-ExchangeCertificate

** – Note: the thumbprint is the thumbprint you made note of in step #2

Remove old Exchange self-signed certificate
4. You will notice a new self-signed certificate in the EMC. You should now remove the old cert by right-clicking on the old cert and selecting Remove.

Bind new self-signed certificate to Exchange
5. The next step is to bind the new cert to Exchange (if necessary). Do this by opening IIS on the Exchanger server/s. Expand Sites and then right-click the Default Web Site (most likely) and select Edit Bindings.

6. Look for type “https” and port “443“, highlight it and select Edit.
solarwindsexs3

7. Now bind the Exchange self-signed certificate to the Exchange service and select OK..
solarwindsexs2

Verify the certificate
8. Now it is time to verify the new self-signed certificate is working. Do this by opening a browser and navigating your the following URL. Replace “server” with your Exchange server name.

https://server/powershell

If it works, then you will see a result similar to the one below:
solarwindsexs10

If it DOES NOT work, then you may see a screen like the one below:

solarwindsexs7

If for some reason it doesn’t work, try doing an IISReset on the Exchange server/s in question and check it again.

Finally, check the applications that that were using this self-signed certificate in the first place such as Orion Solarwinds or any other application to make sure that it is now working.

George Almeida

Welcome to my little corner of the blogosphere. I'm an Information Technology Director. I specialize in Windows operating systems, applications, servers, storage, networks and also have a technical background on the IBM iSeries platform. My only purpose for this blog is the hope that it helps someone, someday, somewhere. Any meager proceeds derived from our sponsors will be donated to charity.

You may also like...

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

19 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Toshky
Toshky
8 years ago

Thanks Mate.

Ditoboisy
Ditoboisy
7 years ago

This was helpful. Thanks for the post.

YoYo
YoYo
7 years ago

Useful and concise.

AmanDo
AmanDo
7 years ago

This Really Helped me update our certificates. Simple and fast procedure. Thanks George

Alan Harwood
Alan Harwood
5 years ago

This is still helping people!
Thanks.

Scott
Scott
5 years ago

My self signed cert CN is exchange2010.domain.local and SMTP service only enabled. I have a Geotrust SSL for all external communications. Checking my IIS bindings it shows my Geotrust bound to port 443. SO i would imagine that your steps 5-8 regarding IIS would not apply to my situation? It would just be a matter of getting self signed thumbprint, then running the command Get-ExchangeCertificate -Thumbprint ‘2borb319fg55cd442bf379876xxc6c8322a58679’ | New-ExchangeCertificate ? I understand this command will take the parameters of current ssl (CN and SMTP service bound) and create a new self signed cert. Once this is done i would remove… Read more »

Ali
Ali
4 years ago

thanks george for the simple, clear and very helpful instructions. worked perfectly. i do this step once every few years, it used to look messy but you help make sense of the process and very helpful. thanks from Australia. cheers 🙂

Aknox
Aknox
4 years ago

Great information. used this to renew my self-cert. I got an error though while trying to bind the certificate so instead used assign to services within EMC

Naveed
Naveed
4 years ago

Hi George, My ssl certificate for wmsvc is self signed in exchange 2010 which is about to expire. this cert does have any services however we use external cert provider for iis and smtp. my question do i still need to renew emsvc cert ?

Ike E.
Ike E.
3 years ago

This information was very helpful with one Exchange 2010 server that I manage. I stumbled into it after a couple of days of trying another option. Everything worked like a champ. Thanks for the post!

Mohammad Ali
Mohammad Ali
2 years ago

This information was very helpful.
Thank you

19
0
Would love your thoughts, please comment.x
()
x